Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 14, 2023, 7:24 p.m.	June 14, 2023, 7:28 p.m.

Size	3.7MB
Type	MS-DOS executable, MZ for MS-DOS
MD5	`325cedfb3e4d23ddf1062ad55b6f6b6e`
SHA256	`38d7fbdc314f881b461c766742a26d3df72c553d25c8f1c20da1adcdbea1afef`
CRC32	`E13113FC`
ssdeep	`98304:uSWz0m6iijzsGupvTo9GDd1HwAOiU0KIX6ksJc:Tfti2Ys9GDd1HjpU0pX6m`
Yara	UPX_Zero - UPX packed file MPRESS_Zero - MPRESS packed file PE_Header_Zero - PE File Signature IsPE32 - (no description)

Amday.exe "C:\Users\test22\AppData\Local\Temp\Amday.exe"
1676
- oneetx.exe "C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe"
  2096
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe" /F
    2196
  - cmd.exe "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y|CACLS "..\9b11736588" /P "test22:N"&&CACLS "..\9b11736588" /P "test22:R" /E&&Exit
    2252
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2328
    - cacls.exe CACLS "oneetx.exe" /P "test22:N"
      2368
    - cacls.exe CACLS "oneetx.exe" /P "test22:R" /E
      2424
    - cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo Y"
      2472
    - cacls.exe CACLS "..\9b11736588" /P "test22:N"
      2508
    - cacls.exe CACLS "..\9b11736588" /P "test22:R" /E
      2564
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\1000006061\64.dll, rundll
    2756
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\1000006061\64.dll, rundll
      2800
  - YoutubeAdvert.exe "C:\Users\test22\AppData\Local\Temp\1000011051\YoutubeAdvert.exe"
    2952
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
    2592
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main
      2092
  - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main
    2772
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
haisatatakarya.com	A 5.181.216.116	5.181.216.116
africatechs.com	A 172.67.140.104 A 104.21.46.153	172.67.140.104

IP Address	Status	Action
104.21.46.153	Active	Moloch
164.124.101.2	Active	Moloch
5.181.216.116	Active	Moloch
62.182.156.152	Active	Moloch
95.143.190.57	Active	Moloch
77.91.68.63	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49173 -> 62.182.156.152:80	2027700	ET MALWARE Amadey CnC Check-In	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 62.182.156.152:80	2045751	ET MALWARE Win32/Amadey Bot Activity (POST) M2	A Network Trojan was detected
TCP 5.181.216.116:80 -> 192.168.56.103:49174	2014819	ET INFO Packed Executable Download	Misc activity
TCP 5.181.216.116:80 -> 192.168.56.103:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.181.216.116:80 -> 192.168.56.103:49174	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 95.143.190.57:15647 -> 192.168.56.103:49181	2029217	ET MALWARE Arechclient2 Backdoor CnC Init	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 62.182.156.152:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 62.182.156.152:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49179 -> 104.21.46.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 62.182.156.152:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 62.182.156.152:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 62.182.156.152:80 -> 192.168.56.103:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 62.182.156.152:80 -> 192.168.56.103:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 62.182.156.152:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49179 104.21.46.153:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	b4:d4:31:ca:e7:af:db:25:ee:bd:ac:39:b6:7f:82:90:e4:8c:6e:11

Queries for the computername (26 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 14, 2023, 7:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 14, 2023, 7:25 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 14, 2023, 7:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 7:24 p.m.			0	0
IsDebuggerPresent June 14, 2023, 7:25 p.m.			0	0
IsDebuggerPresent June 14, 2023, 7:25 p.m.			0	0

Command line console output was observed (50 out of 79 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 14, 2023, 7:24 p.m.	buffer: SUCCESS: The scheduled task "oneetx.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: Y console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: N console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW June 14, 2023, 7:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: f console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleW June 14, 2023, 7:24 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: A console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA June 14, 2023, 7:24 p.m.	buffer: r console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d16ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d16ad0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d16990 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d17250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d17250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d171d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d17250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d17250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d171d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d17250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d17290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d17290 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d17410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d17410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 14, 2023, 7:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00d17450 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 14, 2023, 7:24 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	.MPRESS1
section	.MPRESS2

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

WAV

One or more processes crashed (50 out of 65545 events)

Time & API	Arguments	Status
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d @ 0x7fefdbfa49d rundll+0x318050 64+0x319070 @ 0x7fef34d9070 rundll+0x31801b 64+0x31903b @ 0x7fef34d903b HeapWalk-0x1ce0 kernel32+0x0 @ 0x76fc0000 0xef038 0xef038 0xef038 exception.instruction_r: 48 81 c4 c8 00 00 00 c3 48 85 f6 74 08 83 3b 00 exception.symbol: RaiseException+0x3d FreeEnvironmentStringsW-0x373 kernelbase+0xa49d exception.instruction: add rsp, 0xc8 exception.module: KERNELBASE.dll exception.exception_code: 0xc000008e exception.offset: 42141 exception.address: 0x7fefdbfa49d registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x0 registers.r14: 2 registers.r15: 0 registers.rcx: 977200 registers.rsi: 2004499152 registers.r10: 0 registers.rbx: 0 registers.rsp: 979008 registers.r11: 514 registers.r8: 0 registers.r9: 0 registers.rdx: 0 registers.r12: 8791583852698 registers.rbp: 979032 registers.rdi: 8791581822976 registers.rax: 2003871062 registers.r13: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (7 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://62.182.156.152/so57Nst/index.php?scr=1
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://62.182.156.152/so57Nst/index.php
suspicious_features	GET method with no useragent header	suspicious_request	GET http://haisatatakarya.com/64.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET http://africatechs.com/YoutubeAdvert.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.182.156.152/so57Nst/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://62.182.156.152/so57Nst/Plugins/clip64.dll
suspicious_features	GET method with no useragent header	suspicious_request	GET https://africatechs.com/YoutubeAdvert.exe

Performs some HTTP requests (7 events)

request	POST http://62.182.156.152/so57Nst/index.php?scr=1
request	POST http://62.182.156.152/so57Nst/index.php
request	GET http://haisatatakarya.com/64.dll
request	GET http://africatechs.com/YoutubeAdvert.exe
request	GET http://62.182.156.152/so57Nst/Plugins/cred64.dll
request	GET http://62.182.156.152/so57Nst/Plugins/clip64.dll
request	GET https://africatechs.com/YoutubeAdvert.exe

Sends data using the HTTP POST Method (2 events)

request	POST http://62.182.156.152/so57Nst/index.php?scr=1
request	POST http://62.182.156.152/so57Nst/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 193 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ab000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ab000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559d000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7580c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f3000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75443000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7581c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559b000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f5000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7586f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755ff000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75608000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x757f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 14, 2023, 7:24 p.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7559b000 process_handle: 0xffffffff	1

Steals private information from local Internet browsers (8 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ckpaelocniggkheibcacecnmmlmeodfa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn

Foreign language identified in PE resource (2 events)

name

WAV

language

LANG_PORTUGUESE

filetype

empty

sublanguage

SUBLANG_PORTUGUESE

offset

0x005cf598

size

0x0001f934

name

RT_VERSION

language

LANG_PORTUGUESE

filetype

COM executable for DOS

sublanguage

SUBLANG_PORTUGUESE

offset

0x007959a0

size

0x000003b8

Creates executable files on the filesystem (4 events)

file	C:\Users\test22\AppData\Local\Temp\1000011051\YoutubeAdvert.exe
file	C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll
file	C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\1000006061\64.dll

Creates a suspicious process (4 events)

cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe" /F
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\9b11736588" /P "test22:N"&&CACLS "..\9b11736588" /P "test22:R" /E&&Exit
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe" /F

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\1000011051\YoutubeAdvert.exe

A process created a hidden window (7 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 14, 2023, 7:24 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe	1	1
ShellExecuteExW June 14, 2023, 7:24 p.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW June 14, 2023, 7:24 p.m.	show_type: 0 filepath_r: cmd parameters: /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\9b11736588" /P "test22:N"&&CACLS "..\9b11736588" /P "test22:R" /E&&Exit filepath: cmd	1	1
ShellExecuteExW June 14, 2023, 7:24 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Local\Temp\1000006061\64.dll, rundll filepath: rundll32.exe	1	1
ShellExecuteExW June 14, 2023, 7:24 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000011051\YoutubeAdvert.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000011051\YoutubeAdvert.exe	1	1
ShellExecuteExW June 14, 2023, 7:25 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\cred64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW June 14, 2023, 7:25 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\80c6bf70bf3f8f\clip64.dll, Main filepath: rundll32.exe	1	1

An executable file was downloaded by the process oneetx.exe (4 events)

Time & API	Arguments	Status	Return
InternetReadFile June 14, 2023, 7:24 p.m.	buffer: MZÿÿ¸@Øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¨ë@ìíìíìíË+þáíìíÀíìíííííííRichìíPEd½ dð" .Ð8B9@pE«ô`É8¼`8È - ` U @@@ SP@À °`@@.edatap@@.idata@À.themida@8@8 `à+½+Á½+½+Ëõú©Á×ÍVj_ËZ°>É!ª¿S»¥ÄDv7ôRÔ{Å¤;ñ=l¼¹QÜ-&Å»VÕSÐÌz´¹¡ýïÉË§ÆÈ7b3½U ë(©×èª!-üæàÈõiÎ~¼f£&REsVOµÏª¡OðSôP¬÷Ê{ïÞ`:òçàÇ`Í(/DäÐPLPãº°:è¯+uÍGº äVð½ÿ}Ä»öÉ.ÄÛ¿{HåÃ¢ I CêÿyÖ÷÷Ek9Ë0ª@ï±Þ;ãY¾·e0Õ8Vg5êð¹C¸xç½÷µ^!å§¦¡]ÈFN_øÙÀV¸~GcGÇ³&2+9®x7i¿%èdÅìRÏQ`ò ÆOoÇs£ íEÎ ei÷duÁ>x?,pøz3S½ëV¼på¤òs%1TJ¢A\ M9òFbÁôSþ« õì¯¨HÚ¤ÿ>=YÅùÌÿ¦qä"·(ÝoQzqv£ngñ¨¶»v\|ò5Qu4ÚDô§©ämåä<²@;Ð÷¸\»æ y3ÅÛFÏþJe{&·Ë§È¥#´ÚOuN.:Ý§¤w´±·cTiLrOV!?×Æ27â$Ò£·}.H«^á¥9ôÖê«¼Ñîñq¬Èª3Ç¨·X®Ïu2Ó ~Îéñ8\øÁ~_1ê£Jc¡K~ÖC4oÏ¶Ä?Åe?%Ã$j\|è¹ýÚ 4/\í$>ü`¯ýIº[a48ÊÐs³/s¨ß»ºúÀ(yærÖ÷w>Q/©LfpEétqÜAbz#ö}Tý¿o±ðÇ¦ÚÓpÜ¦Á3 ªÖV¨×ñ5ÓÄºû×ó] mµùÑ¾M¶Po0û¤Êh×/}/ÇÔÄ<=âºJÆê^oCwç±ó@Ó_Fc'ÀóH4QRºnAjäËÖ³%tæ¸RBî ÒÄ-T\`#ÅWÔSJ9 {ÚáN/·P^" r'1îQ!÷·jÃýü Ä<â5^!½¬Ãt¡a,^áa»Á;c¦§"Ð¹ô1 0¿¶#¸íÇ_9Î÷ h.Bu×òAÐi2ewaÕ]Ñà÷LöíÉÂµ³w{8 îã¥ä[Lìb7lÐ ]´Ç\|>0> ¤§2ÿÛû¢iyþ¥àí9Ï¬rTÙÐç¦éç¸Qa¥×ºO2bÌùxPûÜeÏÈ6æf\|E,"ñ [[±¤ðVJÔo"C$zLqÁêÞ2@]º ÓVâÄ²ãÎZ)Gxlþ+g+¦¿;T þ³¾8"ü 8½¼´¤ÅäMºpaN)n©ÄõE=õ:ãCòÖ~>¯ç ðPÏ6Oá~ iz?Ex(ÉYÏ>3¥fh?1U l~I ¤\81ºà^ÅüÖ{ó¥?°ZQÉXtÍMøÄ ÃJ\|óñ¢Äu§¾I]á´ý°"µÏéáÁ·s)+Æ6®¦6ïÓéÙYkò_²íÈ~ùy]ö\ãKt±A·ÒåópÁ£¦ ?Ê;ã{äNW-Ý&¦;QûÛß$æ×ÙÏ·¬Uß)GU ÏÈ9?qMÙã¾>==g`¡ÑDËÛÄXCùõG.Âêñ!?6º^§·{gclZ@¿ Éàee<ó4Ä¾²©ÿü[Xìº7tVl,P0$\³Èi,Ào£òôh¥}sO¤Ó¾>Zkq ØòåWëÊYûøboKÂ:e¼§Ò.Ò»´2ñÍ'É9ÝC¶l¾=ì²RÐ({"ï§{ç7YßsÔZi=tµve{S¸L7<ÍL_§cãbùvéA<ïJ±yÞÓlÅÃøÞ©íC÷¢c¨½¶cé7Q»äàj ?À&pN;cd'î¼ÞÿxEÍjèyÛ×~õêÀ®ÔïÍÝ÷gieMÆ¯Û,(ª® ¾?±âwÀAàhp°Þ¢ð"ËgaÙ»°´¢ówHv{¬ÄE'&O©ý¶üßëîLs°ÉFPöAhµ[øÿNÔNíñAXÆ¸´ ópsàÖlô;cÂ=mW!fè¾Ã.,#ËÕÇt9#D¢¨ð"lÎ}89ßv:Ê? ¤¡OØ>P«áô0y÷p¬¥oã~cX#ª<:½¶rÃÈ¯×TÙÙ% X7$öøÅ¾Ùú 5kùïù¹0~%p_O5d"'Í\¯tÞmßû\zÊËlôÕó^ CP"xDlÖÿ>¾ ^¬Ê¾ãD${ôigdÉÞÖãíjå8ß8ð@HX¦lùöÌØcCËjåYZ#WÈê»/].ïºró$·!Ú¨%ïE ·pUB§n¹ùÉIâÛÈÿ_ï«öÃ7Aû/Üà¸qÝ¡A5&èö¥lK¸Ñ\|ïªaªæ!±oÔÎBSlopû!ó<FLÎ{lóA%GWs4l×Ù¸¼Ûþ£à<TjìKâF^ªA<ßõÃú ß/ÙÔÁN¨ª@ßÓÑWÏ+z©i;÷øÉTzH É¯ºN'Ê·ÖPN£sloòÁ¬ÄËß~ãÃ_ÀjrPå¹c¾ð-ÇOÞ¾ ¢3IVnéüT·}ó¹y6)?"pYÔ«äõ¬;°oº2äë}/^Nyñj<OP7ö{C vÜâúõYS ÿ¸¯íK/Ä0§à¾Z~jKêñäæ"uóu ÉGì~Îë®M-)®ê1å-Ë9/zëÊg;NSÇÞ¢hÀû¾U=£áXÜjÂoSIÊË,òEóL¶pß g ß5[ ð"ÍÂy\ÏbRcHºßEÓÎÁRÅlâà\|Z©diç÷s¯(ãá]r±Afñ/6e3È= q6OÞÞÒ¤¶×ndÊá.ÕeTë¨kcKÇ ¡ü©yÔ·Õ)?¦¡Ó7Â¯U¨2]¯ ´Ù=F8<zßþ¯ÉT¡U.e]$ª9®vÃÆp>Â'$x-ùß^¿2mÏªP/DÑkéî`Ym»e NPÍÐP3ªÃU¦ÛDöÒW©áwÀwñ]mèÓ'ðác¯xÝo·¬2Kª9V.°ØÇ[µ'nvNH«IËÃ]¶7ÐSÁz?2×é} &¸A\e^\X8%IÉç«ß}Ëõ}á¡¤âÜÚX-PK¿s¦lÆí¦ÐC[¡4Hì6ë\y-ºÖÖ¢Ñ"4w'Ûa=ÊýLv+ú,K§ $·ÖÅLÖlkÿhq¹¾<û½¾â[\%Lé6X¨vÕ]Ñßª5øt§Ãa$k6uéÍI/ä÷¼lÛ"ÜX;ÖpÁsßß§]IT}+ôBkÑY#jCchZú?á°äÒ!àPóf@:dÖù=Z±¡¶eñs1å£ g(] ;£H³ö.=¼O¸ËqÔ%&DTÔ£ñezUüMÌ@&M xüT{÷ËÛ4lægN>Z7pP)sp><l- z%Pgk×)bÝÏKþmÁ¥L >ó³)Ðæü1ÂÉ»Êu^· request_handle: 0x00cc000c	1	1
InternetReadFile June 14, 2023, 7:24 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELòdà^PX @ ÀxÃn5:@P`Û ` 4 ` \|8@@ Ò@B.idata @Ô@À.rsrcÜ`ÜÖ@@.themida@8@ ²`à.boot6 X6 ²``¥>Ñ5²î²MÏè'ÒeÜZË³ë»·`@G5ábË[¶PÜîµ¬»eMRÎè®cå¦£ÖÂ«òXÂÚiÕÌDôá²=£[ÕÑØ·AÎË!®i6ÃÒj?8ÄÂàøÉ(,°#D)cÞ9,¤[W?EÂxX×k²7´OA!C½ÛùEÉÍj¦EnÂÖ4ÏGWÕIÊÉìeøÌ£½ÛãI85;ìïeª[ô2>/ËiJL¤8ÍzÏåà^/§l ÈÍEÒÈ¥£LâiT V§kCåvf1álõ§#k³GÏëÎ+2£ilFee_ #¡ó+Tó.ªr3Æ´=Ô87Otü¤!ç=©ÄìñÒ»»<k"c³ÂïFäT;ü:B¯JÌµÅ¼©-Ûz#üãAõýR=Óh»DÚü¦'ìÍwÖÉ+ó&tå¥ÇF¯FI&¤ »\|"ëNf#òMì3È¤{0ÜéNhhØ~3Öød¶Ö²¹²ö©?à·Æ^û,õ~\¯Ã\WÙ¥¶G«/é!õ^ÿNZæëSËZu®âvÍo0sÓüÃêW÷ÏßäðFÐP &¡pwÓ"2Õøn¼HH¡\Ö2ÿiûwÔãDçíJÓïWÞ},« µo7'P 'Í¶ÈWpdÅvÞZS9¿ôS]¯üÀÖîíîôÇü¼ãëÖ÷#H½gBÅ¶//!í½ÝÉß·!ðóm rs Qª+ÏÁÄêípÔ3Ì²ÃÈ:Î»)°jj]cdW~±çúð87ó[e<a,2k\|g}iÃÔ"-9³ ¡É3élÆÔo¨ ¾ÍHKjÛÆ6"OÎÄ§ÒÇªÌ^ãlJÎû6Å½5àËð¿¦ÑóLÃÃ9[ÖpµqÀÍÒ+ùsþþ% åÕh½Jí¼WüÕ6öRÉ-µVë\sTAOÎï©KÂü!Þ5ÖvaæÄwµºVñ¹U»-öü fÅøJeKÇ£Ë+ÉÓ gÍX0G4¨xµÓr]kó¶è¸W.äpkØNÏÃ§»eÍ¼i»ªm®Ëõø3×³ÅÉú>ú3ãNY:¾µ!Æè_»ãhGõYNö¯ñF"¾îòÆ+9¡\×öZ :R¡Þ^q1Â´HÌ²È}8fx÷Ëo.ø¹ÂeÅjKiOÙ¼§Éç¢!,®·í<¬Ãénc9'©èYáyH¢LíË_÷AçK«ý -ÂPÒh¿Å¼àT^6@ÈÔ?iÚwëtzè`ÕQ/a÷údÍjïÉ+@Ô<zïógÒÙeë«íºÕ¼fHrOSñiW§bqxl{Gø÷J¯\Õ`±VmâyÝC)6é]½:¢²ÜÄWPÃá/²\|Êsâ½LjZð\|òíÉ%lb½7;VúK@³É«ÄðG$8Ïì éßh(¨V8ÿRlÉÎl¡¬sOü~ßëÑC çó}¾tüKßÍC/¯û§9)]1Ëøúp×:1³Ö}ù~É}RÃ2 Â Ù%ûPñ.5k3ê!s³ékGiÑØ¾½Z)EvÐðëºR?¯'>]#ÅËûÀÂçAÓq×£ÂÅ]¼ñï¾ËGÊÒÉ6½(ïCdwJP©Ë-÷¼îZXÌtPÏRoÓÅ²ã¥ ÞæFÚ÷µ½ÂE.AÝ]b:3Ð\,»eóÄ£,¨@Ë×EôÚ;¢Uü ÑßtÐôµ¶¢÷õ8+j§@)àºloù(ÝæÉ)Kª.xÞ;y%TC¶[ù¯rìÎÕ\|¥ZCú´U-Mo7Ló'EfÚ¼[_¥¢DXË»¾mí~Äi¤¨¯] Él{Y?ÏqÔ·×?¦ÒàtO^õ:ßñTL®¨aÌ:×«#^Qn,Ñlm+yDÕÎûÜA³\ª¡ÿaÝÒ¬ËÀæPøþÐZÅ8Éø&îfÁéÏûÌf@ziE'ÖÅLÓSµÔ"d ¥$9xUäµSiwTÔþÃÍCÆñð2AqÓTÄ¢öä»óò1ÊVeimQë:mß`«CHÅ{8vvíX¡PùÂ©s;í\q´ÇXÃáØj¹Sðÿ^o!wø}mÿÏä(äJ«Â»îN>Þ ÏV;ÿQø¶Þª^sKX®º½@ðñÑîå¨}TYøw¬w¥¬Mñ¿ÐaùsÚÊT0!\ÙJ üR3RtÂþÎ 8Ëäö4O «rgE5(±GÃ3¨¹vjÞJ2R ÊK¥7Ò2¤^-×î4Éß9¯$X!03$öÖØDØnÁßM¡ä5Së°ÒM¶á¯Ïh§)3)}ºîÎxc4"¸#3ê®ÎK¦Ñ~#Øí¨\×Uú+pMî¬©>¸\Õ©ññBv±QºqBÙÑªD ©U«ÎýjLâÂCôYØ³3FÜÇ»üJprfôðc}¬h&"§ïéÏÔCsk¬}ó WPNeh);£\Äî¦3"Rbr»±aÐj¯êf CY¸=;÷1x±¦{ÑEKóÉA\SÄÝ\|Q¶&REÅÉp®¿±(°S¸eh{ÇÝ:¼9Þà2êº0òÕèÅµ¨°® h½(éhìÍ0ÆS¢v}ÁQN:©µ.c4SÔxyhÛ©¯Ñè÷ðYZãxJtõäáeÐ¡dÏu"ìçZªDhUïïÓÜò(!ìî5ðÂÎðúèx¾tº\|o<^]ùKÍGÀMÚQQõÔ£mü+i,Dçý µßÔNóZÙâ!:(Â[0ÀõØ¯Tð+Jç2$É?#\ä¶#Ec¸¶_ã x§Ïá[;Dû§"§áiÏ~Óô¢Y{üõÓô³eÕÝôÙ)íØ½XÐÚÄáIàôi]÷K è´cÝNJb»'nÆ?Fä¤myÚ³5Lö§fÞjp÷!ùbØÉ\Ôþ5ÐêÌ¸9îìº¯÷´Õðpµ¦ùâiÚ WËõÅòÌ&ÓQ-¢j ~^kW£\|º9£p /ÌÅu½Å~L$[ÆÝÑÐgSB¸gkÄ)HÜ¶w[z2}({²§eU×è²c8Î±µ_ÆáúbÕÐdÒÆr´&6ËÎVwªJÕâíaxg@6¹iÑÑ?>ÕF+×Ûf3Hº¬9£oïæ}º×ã8pÀK`ù[÷ÎÁÝ4§ÎtSk;;ºb²k#§Å3Qi÷QÒÀj»±VØçKß ËjãµUÖÝ1P÷EFaô`²RÄñF¹½mK0§ËÆ9=u¦÷I´yõÍx&òòÅs·\Àiçe~-ªw¶x.×LNý;»í úúÏôñ]h"æfHÅ»ÂÑÏI¯CçKâ;¸~ÐÇDÆ©ÁÊÔFk§\SÍl§ç8i¾ÌsQêÜ{Vø¦gñØS>ÕÖê;ã2mjÐý õªlÄ×Ýæd}×¢"ÔÝÅPÇN¸j_·)REÚM 'a½/¢PÝqk$7UþKÎÿ\|Óüok`ËÍotÒÿpo+e¡Ã=©ôp6>V@×ö¤cFR Y ]o¬°Ïc¬Aìfø½úyÜ<µXËÇÔâhIQ¦ c;ÇòÈøpH?,~sg&d®ûehµòÁñímq×Ý`p request_handle: 0x00cc000c	1	1
InternetReadFile June 14, 2023, 7:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÕçsOÕçsOÕçsOwNÇçsOpNÞçsOvNeçsOvNçsOwNÚçsOpNÜçsOrNØçsOÕçrOiçsONzNÑçsONsNÔçsONOÔçsONqNÔçsORichÕçsOPEd{wdð" ¾80`XèøPdÌ`ÝpÐÝ0 À.textH `.rdataÌ0 @@.dataLuÐ<ª@À.pdatadPæ@@_RDATAð@@.rsrcø@@.relocÌ@BHì(A¸ HG»H êècl H lóHÄ(éï ÌÌÌHì(A¸ H?»H ïè3l H ¬óHÄ(éoï ÌÌÌHì(A¸H3»H ïèl H ìóHÄ(é?ï ÌÌÌHì(A¸ H»H ðêèÓk H ,ôHÄ(éï ÌÌÌHì(A¸H»H `îè£k H lôHÄ(éßî ÌÌÌHì(A¸HïºH 0éèsk H ¬ôHÄ(é¯î ÌÌÌHì(E3ÀHÂH £îèFk H ïôHÄ(éî ÌÌÌÌÌÌHì(E3ÀHH Óîèk H /õHÄ(éRî ÌÌÌÌÌÌHì(E3ÀHbH #êèæj H oõHÄ(é"î ÌÌÌÌÌÌHì(E3ÀH2H 3èè¶j H ¯õHÄ(éòí ÌÌÌÌÌÌHì(A¸HºH èèj H ìõHÄ(é¿í ÌÌÌHì(A¸Hÿ¹H PéèSj H ,öHÄ(éí ÌÌÌHì(A¸Hï¹H ëè#j H löHÄ(é_í ÌÌÌHì(A¸HÏ¹H ëèói H ¬öHÄ(é/í ÌÌÌHì(A¸H«¹H éèÃi H ìöHÄ(éÿì ÌÌÌHì(A¸H¹H Pêèi H ,÷HÄ(éÏì ÌÌÌHì(A¸Ho¹H ìèci H l÷HÄ(éì ÌÌÌHì(A¸HO¹H pìè3i H ¬÷HÄ(éoì ÌÌÌHì(A¸LH/¹H àèèi H ì÷HÄ(é?ì ÌÌÌHì(A¸HO¹H 0æèÓh H ,øHÄ(éì ÌÌÌHì(A¸dH?¹H íè£h H løHÄ(éßë ÌÌÌHì(A¸Hw¹H Pìèsh H ¬øHÄ(é¯ë ÌÌÌHì(A¸H_¹H `êèCh H ìøHÄ(éë ÌÌÌHì(A¸HO¹H °åèh H ,ùHÄ(éOë ÌÌÌHì(A¸H/¹H àêèãg H lùHÄ(éë ÌÌÌHì(A¸(H¹H péè³g H ¬ùHÄ(éïê ÌÌÌHì(A¸H¹H ëèg H ìùHÄ(é¿ê ÌÌÌHì(A¸Hï¸H ðìèSg H ,úHÄ(éê ÌÌÌHì(A¸HÏ¸H @êè#g H lúHÄ(é_ê ÌÌÌHì(A¸H¯¸H Pëèóf H ¬úHÄ(é/ê ÌÌÌHì(A¸H¸H çèÃf H ìúHÄ(éÿé ÌÌÌHì(A¸,H¸H Ðçèf H ,ûHÄ(éÏé ÌÌÌHì(A¸H¸H àæècf H lûHÄ(éé ÌÌÌHì(A¸Ho¸H 0êè3f H ¬ûHÄ(éoé ÌÌÌHì(A¸$HO¸H êèf H ìûHÄ(é?é ÌÌÌHì(A¸HG¸H °çèÓe H ,üHÄ(éé ÌÌÌHì(A¸H/¸H àâè£e H lüHÄ(éßè ÌÌÌHì(A¸H¸H ðçèse H ¬üHÄ(é¯è ÌÌÌHì(A¸H¸H àäèCe H ìüHÄ(éè ÌÌÌHì(A¸ Hï·H èèe H ,ýHÄ(éOè ÌÌÌHì(A¸ Hç·H Àåèãd H lýHÄ(éè ÌÌÌHì(A¸H·H ãè³d H ¬ýHÄ(éïç ÌÌÌHì(A¸H¯·H åèd H ìýHÄ(é¿ç ÌÌÌHì(A¸H·H pâèSd H ,þHÄ(éç ÌÌÌHì(A¸Hw·H Àèè#d H lþHÄ(é_ç ÌÌÌHì(A¸LH´H Påèóc H ¬þHÄ(é/ç ÌÌÌHì(A¸H'·H @åèÃc H ìþHÄ(éÿæ ÌÌÌHì(A¸dH/´H ðåèc H ,ÿHÄ(éÏæ ÌÌÌHì(A¸H×¶H èècc H lÿHÄ(éæ ÌÌÌHì(A¸H¿¶H pçè3c H ¬ÿHÄ(éoæ ÌÌÌHì(A¸H§¶H åèc H ìÿHÄ(é?æ ÌÌÌHì(A¸H¶H 0âèÓb H , HÄ(éæ ÌÌÌHì(A¸H_¶H àçè£b H l HÄ(éßå ÌÌÌHì(A¸H7¶H äèsb H ¬ HÄ(é¯å ÌÌÌHì(A¸H¶H âèCb H ì HÄ(éå ÌÌÌHì(A¸HïµH Ðàèb H , HÄ(éOå ÌÌÌHì(A¸?H¶H äèãa H l HÄ(éå ÌÌÌH É éå ÌÌÌÌH ) éå ÌÌÌÌH éðä ÌÌÌÌH é éàä ÌÌÌÌH I éÐä ÌÌÌÌHì(E3ÀHâH àèfa H HÄ(é¢ä ÌÌÌÌÌÌH é éä ÌÌÌÌH I éä ÌÌÌÌH © épä ÌÌÌÌH é`ä ÌÌÌÌH i éPä Hì(H ¹ïè¤í H ¹ HÄ(é0ä H µ é$ä H éä H 9 éä Hì(H Eóè`í H e HÄ(éìã ¸ÃÌÌÌÌÌÌÌÌÌÌH\$Hl$Ht$ W request_handle: 0x00cc000c	1	1
InternetReadFile June 14, 2023, 7:25 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $,CyáCyáCyáâ~Iyáä~Ëyáå~Qyáå~Lyáâ~Ryáä~byáà~FyáCyàyáØè~@yáØá~ByáØByáØã~ByáRichCyáPEL{wdà!Þ>ð°@ J<K<øT ?p?@ð,.textVÝÞ `.rdataîaðbâ@@.dataD`D@À.rsrcøP@@.relocTR@Bj h¨<¹phè?#hêèYÃÌÌÌj,hÌ<¹hè#h`êèlYÃÌÌÌj,hÌ<¹ hèÿ"hÀêèLYÃÌÌÌj,hÌ<¹¸hèß"h ëè,YÃÌÌÌj8hü<¹Ðhè¿"hëè*YÃÌÌÌj<h8=¹èhè"hàëèì)YÃÌÌÌj0hx=¹iè"h@ìèÌ)YÃÌÌÌhh°=¹iè\"h ìè©)YÃj?h>¹0iè?"híè)YÃÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPèÂ2ÄÆ^]ÂÌÌÌI¸\|<ÉEÁÃÌÌUìVñFÇñPèó2ÄöEtjVè«%ÄÆ^]ÂAÇñPèÉ2YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇA<ÇìñÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhJEôPè2ÌÌÌÌUìVñWÀFPÇñfÖEÀPèò1ÄÇìñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇñfÖEÀPè²1ÄÇ ñÆ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìQSZVWQSñè=h3É3À}üÛ~53Ò;ÇþEÐ=h¸phCph~r>A}üB;Ë\|Ë~r_ÆÆ^[å]Ã_ÆÆ^[å]ÃÌÌÌÌÌUììSVWòùQ}ôFPEðè3Û]ø9]ð)D~Ær¾Pè¯KÄÀu-NÆùr< tÆùrÏréÌ~Ær=@i3Ò Diÿt+EÿfD]ÿù¸0iC0i8]øtB;×ráÊÿEÈxr3Àÿt.MÿD=Di¹0i]ÿC 0i8]øt@;ÇrÝÈÿ=Di¹0iC 0iMìMôMøyr MøÏ+È 3Ò÷÷Mì}ô MøC]ø;]ðÜþÿÿrÆÇ_^[å]ÃÆÇ_^[å]ÃÌÌÌÌÌÌÌÌÌÌUìì@SVWÙòQMÄ]ôèçýÿÿEÄÖPMÜèYþÿÿhÇCÇCÆè°"Ø¹Èÿ]øûÄó«3Ò¾8>Bú@\|ðUì3ö3Û~øÒtAMø}ðEÜCEÜ¾øÿt'ÁæðÇxÏÆÓøMôPèUìïMøC;ÚrÂEøÀthPèð!ÄUðúr(MÜBÁúrIüÂ#+ÁÀüøwVRQèÀ!ÄUØÇEìÇEðÆEÜúr(MÄBÁúrIüÂ#+ÁÀüøwRQè~!ÄEô_^[å]ÃèGÌÌÌÌÌÌÌÌÌÌÌUìì4E0SVW3ÿÆEè¾À]ÇEàÇEäÆEÐ;Ç´+ÇMÐ;ÃBØ}4E CE SÇPèþr.MèVÁúrIüÂ#+ÁÀüøhRQè× ÄMÐ}Uó~EàEèCU}äuà]f~ÉMèCÁfÖEø;óu\îr; uÀÂîsïþüî: u7þýßH:Ju&þþÎH:Juþÿ½@:B±E0Guü;øõþÿÿ3ÿUþr/MèFÁþrIüÆ#+ÁÀüøVQè UÄEør'HÂùrRüÁ#+ÂÀüøw`QRèÏÄU4ÇEÇEÆEúr3M BÁúrIüÂ#+ÁÀüøwë uüGéWÿÿÿRQèÄÇ_^[å]Ãè Eè«ÌÌÌÌÌÌÌÌÌÌÌUìQS]Vñ]üWjhÀ>ÇFÇFÆèD3ÿÛ~1}ECE8S¿C ú¶È¶ÃGÈ¶ÁÎPèG;}ü\|ÏUúr(MBÁúrIüÂ#+ÁÀüøwRQèÑÄ_Æ^[å]ÃèïDÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì0VWj$hÄ>MÐÇEàÇEäÆEÐèEÀu3öéÇ3ÿÀ¸ÇEøÇEüÆEè;ÇF+Ç¹;ÁBÈ}ECEQÇMèPèBìEÐÌPètìEèôìÌPèaÎèªþÿÿÄè¢üÿÿUüÄ0Àúr,MèBÁúrIüÂ#+ÁÀüø¹RQèÇÄEG;øHÿÿÿ¾Uäúr(MÐBÁúrIüÂ#+ÁÀüøwxRQèÄUúr^MBÁúrFIüÂ#+ÁÀüøwHë4úr(MèBÁúrIüÂ#+ÁÀüøw#RQè1Ä3öétÿÿÿRQè Ä_Æ^å]Ãè?CèJÌÌÌÌÌÌÌÌÌÌUìQEUMVÀS@WPè] ÄM}ØÓCM+ÑID ÿÀuóóNFÀuù+ñFVjÿðVøSWÿðPèÇ5ÄWÿðjÿñÿñWjÿñÿ ñUM_[^úr%BÁúrIüÂ#+ÁÀüøwRQèAÄå]ÃèdBÌÌÌÌUìì$SVWùjÇGÇGÆÿñÀj ÿ$ñØ]üÛlSÿðEôÀSjjjjjÿPjhéýÿððuøö.WN;ÊwOÇrÆëFGÙ+Ú+Â;Øw%ÇOrS4jVèE,ÆÄuøëQSÆEøÏÿuøSè¨]üÇrjjVPjÿÿuô request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x003a8200', u'virtual_address': u'0x00001000', u'entropy': 7.999953920275578, u'name': u'.MPRESS1', u'virtual_size': u'0x00789000'}

entropy

7.99995392028

description

A section with a high entropy has been found

entropy

0.987083168578

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 14, 2023, 7:24 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Queries for potentially installed applications (50 out of 102 events)

Time & API	Arguments	Status
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000434 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: 7-Zip base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: AddressBook base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: Adobe AIR base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: Connection Manager base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: DirectDrawEx base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: EditPlus base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: Fontcore base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: Google Chrome base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: IE40 base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: IE4Data base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: IE5BAKEX base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: IEData base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: MobileOptionPack base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: SchedulingAgent base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: WIC base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW June 14, 2023, 7:24 p.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000434 key_handle: 0x00000438 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe" /F

Communicates with host for which no DNS query was performed (3 events)

host	62.182.156.152
host	95.143.190.57
host	77.91.68.63

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known windows from debuggers and forensic tools (12 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA June 14, 2023, 7:24 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 14, 2023, 7:24 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 14, 2023, 7:24 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 14, 2023, 7:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 14, 2023, 7:24 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 14, 2023, 7:24 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 14, 2023, 7:24 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 14, 2023, 7:24 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 14, 2023, 7:24 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 14, 2023, 7:24 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 14, 2023, 7:24 p.m.	class_name: Registry Monitor - Sysinternals: www.sysinternals.com window_name:		0	0
FindWindowA June 14, 2023, 7:24 p.m.	class_name: 18467-41 window_name:		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 14, 2023, 7:24 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (2 events)

description	oneetx.exe tried to sleep 141 seconds, actually delayed analysis time by 141 seconds
description	YoutubeAdvert.exe tried to sleep 5456575 seconds, actually delayed analysis time by 5456575 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\64.dll	reg_value	rundll32 C:\Users\test22\AppData\Local\Temp\1000006061\64.dll, rundll
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\YoutubeAdvert.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000011051\YoutubeAdvert.exe
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe" /F

Creates an executable file in a user folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe

Drops a binary and executes it (2 events)

file	C:\Users\test22\AppData\Local\Temp\9b11736588\oneetx.exe
file	C:\Users\test22\AppData\Local\Temp\1000011051\YoutubeAdvert.exe

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (50 out of 76 events)

Time & API	Arguments	Status
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x00000438 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW June 14, 2023, 7:24 p.m.	key_handle: 0x000003c4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Uses suspicious command line tools or Windows utilities (6 events)

cmdline	cmd /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\9b11736588" /P "test22:N"&&CACLS "..\9b11736588" /P "test22:R" /E&&Exit
cmdline	CACLS "..\9b11736588" /P "test22:R" /E
cmdline	"C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "test22:N"&&CACLS "oneetx.exe" /P "test22:R" /E&&echo Y\|CACLS "..\9b11736588" /P "test22:N"&&CACLS "..\9b11736588" /P "test22:R" /E&&Exit
cmdline	CACLS "oneetx.exe" /P "test22:N"
cmdline	CACLS "oneetx.exe" /P "test22:R" /E
cmdline	CACLS "..\9b11736588" /P "test22:N"

Tries to unhook Windows functions monitored by Cuckoo (1 event)

Time & API	Arguments	Status	Return	Repeated
__anomaly__ June 14, 2023, 7:24 p.m.	tid: 2804 message: Encountered 65537 exceptions, quitting. subcategory: exception function_name:	1	0	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 14, 2023, 7:24 p.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 14, 2023, 7:24 p.m.	stacktrace: exception.instruction_r: ed e9 67 f5 ff ff c3 e9 5e 6b 00 00 92 c6 12 cb exception.symbol: youtubeadvert+0x519ecb exception.instruction: in eax, dx exception.module: YoutubeAdvert.exe exception.exception_code: 0xc0000096 exception.offset: 5349067 exception.address: 0x919ecb registers.esp: 1638268 registers.edi: 7915946 registers.eax: 1447909480 registers.ebp: 6307840 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 13 registers.ecx: 10	1	0	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Deyma.4!c
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.67464031
CAT-QuickHeal	Trojandownloader.Deyma
ALYac	Trojan.GenericKD.67464031
Malwarebytes	Trojan.Downloader
VIPRE	Trojan.GenericKD.67464031
Sangfor	Downloader.Win32.Deyma.V7qe
K7AntiVirus	Trojan ( 0059d2b31 )
Alibaba	TrojanDownloader:Win32/Deyma.b3ead6ae
K7GW	Trojan ( 0059d2b31 )
CrowdStrike	win/malicious_confidence_100% (W)
Cyren	W32/ABRisk.NLTL-0247
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of Win32/GenCBL.DHF
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	Trojan-Downloader.Win32.Deyma.dkl
BitDefender	Trojan.GenericKD.67464031
ViRobot	Trojan.Win.Z.Agent.3891384
Avast	Win32:BotX-gen [Trj]
Emsisoft	Trojan.GenericKD.67464031 (B)
DrWeb	Trojan.Siggen20.56222
TrendMicro	Trojan.Win32.AMADEY.YXDFKZ
McAfee-GW-Edition	Artemis!Trojan
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.325cedfb3e4d23dd
Sophos	Mal/Generic-S
GData	Trojan.GenericKD.67464031
Webroot	W32.Trojan.Gen
Antiy-AVL	Trojan/Win32.GenCBL
Gridinsoft	Ransom.Win32.Sabsik.cl
Arcabit	Trojan.Generic.D4056B5F
Microsoft	Trojan:Win32/Casdet!rfn
Google	Detected
AhnLab-V3	Trojan/Win.AntiAnalysis.C5386312
McAfee	Artemis!325CEDFB3E4D
MAX	malware (ai score=87)
Cylance	unsafe
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.AMADEY.YXDFKZ
Rising	Downloader.Amadey!8.125AC (TFE:5:65oQciLZtWJ)
Fortinet	W32/GenCBL.DHF!tr
BitDefenderTheta	Gen:NN.ZexaF.36250.Tpvaa0U6R8cO
AVG	Win32:BotX-gen [Trj]
DeepInstinct	MALICIOUS

Amday.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All