Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	June 16, 2024, 10 a.m.	June 16, 2024, 10:11 a.m.

Size	1.9MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`0f2c5d3966f262c04af7eb8cbe26c78a`
SHA256	`78368e1e15c6a4e92b78922eb386f95255f751467f5cf379542c1a013d4e970a`
CRC32	`33377F15`
ssdeep	`49152:IKJZZwLxzOlVCayaK/9CZLbb+KrSWr0SAIJPHHh:RZZwdOl4ayaKoRrdN5`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature IsPE32 - (no description) Admin_Tool_IN_Zero - Admin Tool Sysinternals

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
1696
- axplong.exe "C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe"
  2260
  - judit.exe "C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe"
    2760
  - redline123123.exe "C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe"
    2812
  - upd.exe "C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe"
    2920
  - setup222.exe "C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe"
    2972
  - gold.exe "C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe"
    3060
  - lummac2.exe "C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe"
    792
  - drivermanager.exe "C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe"
    2412
    - MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      368
  - NewLatest.exe "C:\Users\test22\AppData\Local\Temp\1000064001\NewLatest.exe"
    2872
    - Hkbsse.exe "C:\Users\test22\AppData\Local\Temp\263c5c4d73\Hkbsse.exe"
      2172
      - b2c2c1.exe "C:\Users\test22\AppData\Local\Temp\1000001001\b2c2c1.exe"
        2544
      - FirstZ.exe "C:\Users\test22\AppData\Local\Temp\1000002001\FirstZ.exe"
        948
  - monster.exe "C:\Users\test22\AppData\Local\Temp\1000070001\monster.exe"
    2828
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
xmr-eu1.nanopool.org	A 51.15.58.224 A 141.94.23.83 A 163.172.154.142 A 212.47.253.124 A 51.15.193.130 A 146.59.154.106 A 54.37.232.103 A 54.37.137.114 A 51.15.65.182 A 162.19.224.121 A 51.89.23.91	51.15.58.224
boredombusters.online	A 104.21.44.95 A 172.67.198.131	104.21.44.95
zeph-eu2.nanopool.org	A 51.195.43.17 A 51.15.61.114 A 51.210.150.92 A 51.195.138.197 A 163.172.171.111 A 51.15.89.13 A 51.68.137.186	51.68.137.186
pastebin.com	A 172.67.19.24 A 104.20.4.235 A 104.20.3.235	104.20.4.235
x1.i.lencr.org	CNAME crl.root-x1.letsencrypt.org.edgekey.net CNAME e8652.dscx.akamaiedge.net A 23.41.113.9	23.40.44.214
apps.identrust.com	A 121.254.136.9 CNAME a1952.dscq.akamai.net CNAME identrust.edgesuite.net A 121.254.136.18	23.67.53.17
kmsandallapp.ru	A 31.31.198.35	31.31.198.35

IP Address	Status	Action
104.20.3.235	Active	Moloch
121.254.136.9	Active	Moloch
164.124.101.2	Active	Moloch
172.67.198.131	Active	Moloch
185.172.128.116	Active	Moloch
185.172.128.19	Active	Moloch
185.215.113.67	Active	Moloch
23.41.113.9	Active	Moloch
31.31.198.35	Active	Moloch
51.15.193.130	Active	Moloch
51.68.137.186	Active	Moloch
77.91.77.81	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49164 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.103:49164	2014819	ET INFO Packed Executable Download	Misc activity
TCP 77.91.77.81:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.77.81:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.103:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.103:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 77.91.77.81:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.103:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 77.91.77.81:80 -> 192.168.56.103:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.67:40960 -> 192.168.56.103:49169	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.103:49169	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49173 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.67:40960 -> 192.168.56.103:49169	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49212 -> 185.172.128.116:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.172.128.116:80 -> 192.168.56.103:49212	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.116:80 -> 192.168.56.103:49212	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.116:80 -> 192.168.56.103:49212	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 185.172.128.116:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.116:80 -> 192.168.56.103:49217	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.172.128.116:80 -> 192.168.56.103:49217	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.116:80 -> 192.168.56.103:49217	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.116:80 -> 192.168.56.103:49217	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49217 -> 185.172.128.116:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49221 -> 185.172.128.19:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49221	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.172.128.19:80 -> 192.168.56.103:49221	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.172.128.19:80 -> 192.168.56.103:49221	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.172.128.19:80 -> 192.168.56.103:49221	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 77.91.77.81:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49217 -> 185.172.128.116:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49229 -> 31.31.198.35:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49169 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49236 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49239 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:62576 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49232 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49234 -> 104.20.3.235:443	906200068	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (CoinMiner)	undefined
TCP 192.168.56.103:49237 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49218 -> 185.172.128.116:80	2044597	ET MALWARE Amadey Bot Activity (POST) M1	A Network Trojan was detected
TCP 192.168.56.103:49219 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49225 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.103:64178 -> 164.124.101.2:53	2033268	ET POLICY Observed DNS Query to Coin Mining Domain (nanopool .org)	Potential Corporate Privacy Violation
TCP 192.168.56.103:49238 -> 172.67.198.131:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49173 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 192.168.56.103:49228 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLS 1.2 192.168.56.103:49229 31.31.198.35:443	C=US, O=Let's Encrypt, CN=R11	CN=kmsandallapp.ru	26:c0:93:6a:03:1b:96:aa:25:61:71:21:f5:de:ad:77:51:bf:39:19
TLS 1.3 192.168.56.103:49235 51.15.193.130:14433	None	None	None
TLSv1 192.168.56.103:49236 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 192.168.56.103:49239 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 192.168.56.103:49232 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLS 1.3 192.168.56.103:49233 51.68.137.186:10943	None	None	None
TLS 1.3 192.168.56.103:49234 104.20.3.235:443	None	None	None
TLSv1 192.168.56.103:49237 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 192.168.56.103:49219 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 192.168.56.103:49225 172.67.198.131:443	C=US, O=Let's Encrypt, CN=E5	CN=boredombusters.online	ae:46:98:37:44:2d:ec:1c:ce:ae:4b:ef:67:3e:b5:93:42:fe:8c:94
TLSv1 192.168.56.103:49238 172.67.198.131:443	None	None	None

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 16, 2024, 10:01 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 65 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 16, 2024, 10 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:01 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0
IsDebuggerPresent June 16, 2024, 10:02 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (17 events)

Time & API	Arguments	Status	Return
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00543050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00543050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00543050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00543050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005430d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005430d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00542fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00542fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00542fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00542fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00542fd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00543050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00543050 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00543250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00543990 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00543990 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 16, 2024, 10:01 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00543850 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 16, 2024, 9:54 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	fbxmxckk
section	nhkzgudz
section	.taggant

One or more processes crashed (50 out of 246 events)

Time & API	Arguments	Status
__exception__ June 16, 2024, 10 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x3240b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3293369 exception.address: 0x12740b9 registers.esp: 2621180 registers.edi: 0 registers.eax: 1 registers.ebp: 2621196 registers.edx: 21094400 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 55 68 c3 ac bb 66 e9 9c 00 00 00 81 f1 16 4c exception.symbol: random+0x6d332 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 447282 exception.address: 0xfbd332 registers.esp: 2621148 registers.edi: 0 registers.eax: 27030 registers.ebp: 4006522900 registers.edx: 82608470 registers.ebx: 16505036 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 57 54 5f 81 c7 04 00 00 00 83 ef 04 87 3c 24 exception.symbol: random+0x6e5e4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 452068 exception.address: 0xfbe5e4 registers.esp: 2621148 registers.edi: 0 registers.eax: 26704 registers.ebp: 4006522900 registers.edx: 16532110 registers.ebx: 980140288 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 55 68 ba c5 7d 7f exception.symbol: random+0x6e148 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 450888 exception.address: 0xfbe148 registers.esp: 2621148 registers.edi: 4294943896 registers.eax: 26704 registers.ebp: 4006522900 registers.edx: 16532110 registers.ebx: 980140288 registers.esi: 233705 registers.ecx: 1971388416	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb e9 6b 09 00 00 81 c2 29 07 4f 3f e9 78 ff ff exception.symbol: random+0x1ee088 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2023560 exception.address: 0x113e088 registers.esp: 2621148 registers.edi: 16542306 registers.eax: 32107 registers.ebp: 4006522900 registers.edx: 16494721 registers.ebx: 425984 registers.esi: 18079005 registers.ecx: 18111609	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 52 89 e2 e9 57 00 00 00 81 f6 15 5a 79 7f 21 exception.symbol: random+0x1edfd5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2023381 exception.address: 0x113dfd5 registers.esp: 2621148 registers.edi: 16542306 registers.eax: 0 registers.ebp: 4006522900 registers.edx: 16494721 registers.ebx: 425984 registers.esi: 604292949 registers.ecx: 18082565	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 53 bb f7 e7 eb 75 81 c6 15 40 e7 1d 29 de 57 exception.symbol: random+0x1f50de exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2052318 exception.address: 0x11450de registers.esp: 2621144 registers.edi: 1814312927 registers.eax: 30775 registers.ebp: 4006522900 registers.edx: 1814312927 registers.ebx: 18101762 registers.esi: 18105967 registers.ecx: 96	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 56 89 e6 51 b9 a0 e2 bb 22 e9 1a 0b 00 00 5a exception.symbol: random+0x1f47ef exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2050031 exception.address: 0x11447ef registers.esp: 2621148 registers.edi: 4294939884 registers.eax: 30775 registers.ebp: 4006522900 registers.edx: 1814312927 registers.ebx: 134889 registers.esi: 18136742 registers.ecx: 96	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb b9 17 7d d2 3f 53 bb 55 c5 d7 78 81 f3 cb 97 exception.symbol: random+0x1f9ada exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2071258 exception.address: 0x1149ada registers.esp: 2621148 registers.edi: 202985 registers.eax: 28663 registers.ebp: 4006522900 registers.edx: 4294941352 registers.ebx: 18153626 registers.esi: 18136742 registers.ecx: 14288	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 40 17 00 00 ba ac e2 exception.symbol: random+0x1ff3a5 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2093989 exception.address: 0x114f3a5 registers.esp: 2621140 registers.edi: 4730608 registers.eax: 1447909480 registers.ebp: 4006522900 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 18141970 registers.ecx: 20	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x1ff85e exception.address: 0x114f85e exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 2095198 registers.esp: 2621140 registers.edi: 4730608 registers.eax: 1 registers.ebp: 4006522900 registers.edx: 22104 registers.ebx: 0 registers.esi: 18141970 registers.ecx: 20	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 cf 38 2d 12 01 exception.symbol: random+0x1ff7ff exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2095103 exception.address: 0x114f7ff registers.esp: 2621140 registers.edi: 4730608 registers.eax: 1447909480 registers.ebp: 4006522900 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 18141970 registers.ecx: 10	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 e9 0e 00 00 00 e4 ca 74 c3 c1 e0 95 exception.symbol: random+0x205d58 exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 2121048 exception.address: 0x1155d58 registers.esp: 2621108 registers.edi: 0 registers.eax: 2621108 registers.ebp: 4006522900 registers.edx: 57802 registers.ebx: 18177567 registers.esi: 24095 registers.ecx: 28769	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 2d 4e 6e e0 69 03 04 24 81 ec 04 00 00 00 89 exception.symbol: random+0x206d0f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2125071 exception.address: 0x1156d0f registers.esp: 2621144 registers.edi: 4730608 registers.eax: 18179001 registers.ebp: 4006522900 registers.edx: 1345282759 registers.ebx: 7314312 registers.esi: 10 registers.ecx: 738263040	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb e9 1c 01 00 00 53 e9 39 00 00 00 81 c7 43 30 exception.symbol: random+0x20659c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2123164 exception.address: 0x115659c registers.esp: 2621148 registers.edi: 4730608 registers.eax: 18209801 registers.ebp: 4006522900 registers.edx: 1345282759 registers.ebx: 7314312 registers.esi: 10 registers.ecx: 738263040	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 68 c1 09 67 0b 89 0c 24 b9 f7 78 63 7f e9 c8 exception.symbol: random+0x20648d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2122893 exception.address: 0x115648d registers.esp: 2621148 registers.edi: 2283 registers.eax: 18209801 registers.ebp: 4006522900 registers.edx: 4294938932 registers.ebx: 7314312 registers.esi: 10 registers.ecx: 738263040	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 84 ea a6 3c 89 34 24 e9 81 ff ff exception.symbol: random+0x2159df exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2185695 exception.address: 0x11659df registers.esp: 2621144 registers.edi: 16497350 registers.eax: 27871 registers.ebp: 4006522900 registers.edx: 18241401 registers.ebx: 7314534 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 57 68 c2 e8 4e 73 5f e9 c4 00 00 00 57 e9 ee exception.symbol: random+0x215a64 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2185828 exception.address: 0x1165a64 registers.esp: 2621148 registers.edi: 4294942080 registers.eax: 27871 registers.ebp: 4006522900 registers.edx: 18269272 registers.ebx: 7314534 registers.esi: 604277079 registers.ecx: 0	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 55 68 f9 c1 67 77 e9 00 00 00 00 89 14 24 55 exception.symbol: random+0x2193bf exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2200511 exception.address: 0x11693bf registers.esp: 2621148 registers.edi: 4294942080 registers.eax: 18285271 registers.ebp: 4006522900 registers.edx: 2013296964 registers.ebx: 607947089 registers.esi: 586053925 registers.ecx: 4294939472	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb e9 35 ff ff ff 83 c5 04 87 2c 24 5c 83 c4 04 exception.symbol: random+0x21dfc2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2219970 exception.address: 0x116dfc2 registers.esp: 2621140 registers.edi: 18277978 registers.eax: 0 registers.ebp: 4006522900 registers.edx: 2013296964 registers.ebx: 4294950892 registers.esi: 33047400 registers.ecx: 2031558576	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 53 e9 35 00 00 00 81 eb 01 00 00 00 c1 e3 01 exception.symbol: random+0x220571 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2229617 exception.address: 0x1170571 registers.esp: 2621140 registers.edi: 18277978 registers.eax: 31537 registers.ebp: 4006522900 registers.edx: 18317456 registers.ebx: 4294950892 registers.esi: 33047400 registers.ecx: 1176665969	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 68 ba b2 eb 47 89 34 24 be 25 9f dd 3f 46 4e exception.symbol: random+0x220c73 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2231411 exception.address: 0x1170c73 registers.esp: 2621140 registers.edi: 0 registers.eax: 31537 registers.ebp: 4006522900 registers.edx: 18288904 registers.ebx: 4294950892 registers.esi: 33047400 registers.ecx: 3924265303	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 53 57 81 ec 04 00 00 00 89 34 24 be 30 c6 e1 exception.symbol: random+0x231f04 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2301700 exception.address: 0x1181f04 registers.esp: 2621136 registers.edi: 4006522900 registers.eax: 30272 registers.ebp: 4006522900 registers.edx: 18357445 registers.ebx: 2147575809 registers.esi: 2130566132 registers.ecx: 2148925025	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 16 ff 34 24 8b 04 24 e9 00 00 00 exception.symbol: random+0x2327c2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2303938 exception.address: 0x11827c2 registers.esp: 2621140 registers.edi: 4006522900 registers.eax: 30272 registers.ebp: 4006522900 registers.edx: 18387717 registers.ebx: 2147575809 registers.esi: 2130566132 registers.ecx: 2148925025	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 56 be 5a 7e ef 6f c1 ee 05 81 ee 74 f7 fd 6d exception.symbol: random+0x2326c6 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2303686 exception.address: 0x11826c6 registers.esp: 2621140 registers.edi: 4006522900 registers.eax: 3367964512 registers.ebp: 4006522900 registers.edx: 18387717 registers.ebx: 2147575809 registers.esi: 4294940008 registers.ecx: 2148925025	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 68 44 94 4b 29 89 34 24 c7 04 24 98 dc fe 6b exception.symbol: random+0x2443d8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2376664 exception.address: 0x11943d8 registers.esp: 2621108 registers.edi: 1392536160 registers.eax: 0 registers.ebp: 4006522900 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 18433740 registers.ecx: 738263040	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 89 04 24 b8 f4 ef exception.symbol: random+0x245a28 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2382376 exception.address: 0x1195a28 registers.esp: 2621108 registers.edi: 18436102 registers.eax: 3070391912 registers.ebp: 4006522900 registers.edx: 0 registers.ebx: 18439482 registers.esi: 0 registers.ecx: 0	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 05 71 61 97 7d 57 51 b9 34 c2 fc 3f bf 8c 81 exception.symbol: random+0x2466dd exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2385629 exception.address: 0x11966dd registers.esp: 2621104 registers.edi: 18436102 registers.eax: 18439835 registers.ebp: 4006522900 registers.edx: 508261142 registers.ebx: 863758862 registers.esi: 0 registers.ecx: 521041918	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb e9 d8 f7 ff ff c1 e2 03 e9 b5 fd ff ff 52 ba exception.symbol: random+0x246844 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2385988 exception.address: 0x1196844 registers.esp: 2621108 registers.edi: 4294939064 registers.eax: 18471119 registers.ebp: 4006522900 registers.edx: 508261142 registers.ebx: 863758862 registers.esi: 0 registers.ecx: 1882634834	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 57 e9 ed f8 ff ff 89 1c 24 e9 de ff ff ff 29 exception.symbol: random+0x24744f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2389071 exception.address: 0x119744f registers.esp: 2621104 registers.edi: 4294939064 registers.eax: 28726 registers.ebp: 4006522900 registers.edx: 18443300 registers.ebx: 863758862 registers.esi: 0 registers.ecx: 1882634834	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb e9 d0 ff ff ff 31 0c 24 e9 c0 09 00 00 c1 e1 exception.symbol: random+0x246ea3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2387619 exception.address: 0x1196ea3 registers.esp: 2621108 registers.edi: 4294939064 registers.eax: 28726 registers.ebp: 4006522900 registers.edx: 18472026 registers.ebx: 863758862 registers.esi: 0 registers.ecx: 1882634834	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 53 bb 55 44 7f 5f 53 52 e9 7b f9 ff ff 29 c1 exception.symbol: random+0x2473c5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2388933 exception.address: 0x11973c5 registers.esp: 2621108 registers.edi: 940809613 registers.eax: 0 registers.ebp: 4006522900 registers.edx: 18446550 registers.ebx: 863758862 registers.esi: 0 registers.ecx: 1882634834	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 56 89 3c 24 c7 04 24 a6 10 d7 72 89 04 24 b8 exception.symbol: random+0x24da56 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2415190 exception.address: 0x119da56 registers.esp: 2621104 registers.edi: 18469810 registers.eax: 26001 registers.ebp: 4006522900 registers.edx: 18462050 registers.ebx: 65804 registers.esi: 0 registers.ecx: 1969225870	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 53 51 54 8b 0c 24 83 c4 04 81 c1 04 00 00 00 exception.symbol: random+0x24d7f3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2414579 exception.address: 0x119d7f3 registers.esp: 2621108 registers.edi: 18495811 registers.eax: 26001 registers.ebp: 4006522900 registers.edx: 18462050 registers.ebx: 65804 registers.esi: 0 registers.ecx: 1969225870	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 68 45 18 e5 36 8b 1c 24 51 54 59 51 89 04 24 exception.symbol: random+0x24df32 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2416434 exception.address: 0x119df32 registers.esp: 2621108 registers.edi: 18495811 registers.eax: 26001 registers.ebp: 4006522900 registers.edx: 96233 registers.ebx: 4294944344 registers.esi: 0 registers.ecx: 1969225870	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb e9 3b 00 00 00 83 c4 04 68 33 7e 93 23 89 1c exception.symbol: random+0x24f5c0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2422208 exception.address: 0x119f5c0 registers.esp: 2621104 registers.edi: 18448559 registers.eax: 29348 registers.ebp: 4006522900 registers.edx: 829194415 registers.ebx: 1687934050 registers.esi: 18476928 registers.ecx: 0	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 22 2c 58 76 89 1c 24 55 55 c7 04 exception.symbol: random+0x24f8e6 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2423014 exception.address: 0x119f8e6 registers.esp: 2621108 registers.edi: 18448559 registers.eax: 29348 registers.ebp: 4006522900 registers.edx: 829194415 registers.ebx: 1687934050 registers.esi: 18506276 registers.ecx: 0	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 52 51 57 c7 04 24 16 09 bd 6e 81 2c 24 25 4b exception.symbol: random+0x24f286 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2421382 exception.address: 0x119f286 registers.esp: 2621108 registers.edi: 18448559 registers.eax: 29348 registers.ebp: 4006522900 registers.edx: 0 registers.ebx: 322689 registers.esi: 18479620 registers.ecx: 0	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 51 b9 44 90 be 7a 01 ca e9 10 01 00 00 89 c5 exception.symbol: random+0x251462 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2430050 exception.address: 0x11a1462 registers.esp: 2621104 registers.edi: 4023857339 registers.eax: 27495 registers.ebp: 4006522900 registers.edx: 18485666 registers.ebx: 109461664 registers.esi: 36928179 registers.ecx: 380073120	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 52 89 e2 81 c2 04 00 00 00 81 ea 04 00 00 00 exception.symbol: random+0x251d34 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2432308 exception.address: 0x11a1d34 registers.esp: 2621108 registers.edi: 4023857339 registers.eax: 27495 registers.ebp: 4006522900 registers.edx: 18513161 registers.ebx: 109461664 registers.esi: 36928179 registers.ecx: 380073120	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 55 89 e5 81 c5 04 00 00 00 50 e9 42 00 00 00 exception.symbol: random+0x251837 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2431031 exception.address: 0x11a1837 registers.esp: 2621108 registers.edi: 3909414019 registers.eax: 27495 registers.ebp: 4006522900 registers.edx: 18513161 registers.ebx: 4294942780 registers.esi: 36928179 registers.ecx: 380073120	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 68 52 97 b3 63 89 04 24 e9 ac fe ff ff ba cd exception.symbol: random+0x26edd8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2551256 exception.address: 0x11bedd8 registers.esp: 2621108 registers.edi: 18585336 registers.eax: 30212 registers.ebp: 4006522900 registers.edx: 18637257 registers.ebx: 1969225702 registers.esi: 18548725 registers.ecx: 0	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 56 be 47 1b 7b 6f e9 9e fc ff exception.symbol: random+0x26f18e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2552206 exception.address: 0x11bf18e registers.esp: 2621108 registers.edi: 0 registers.eax: 22210897 registers.ebp: 4006522900 registers.edx: 18609741 registers.ebx: 1969225702 registers.esi: 18548725 registers.ecx: 0	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 5f 2c 6f 66 87 0c 24 f7 d1 87 0c exception.symbol: random+0x26fb5e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2554718 exception.address: 0x11bfb5e registers.esp: 2621108 registers.edi: 0 registers.eax: 4294938872 registers.ebp: 4006522900 registers.edx: 878872855 registers.ebx: 1969225702 registers.esi: 82608464 registers.ecx: 18641036	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb e9 fb 03 00 00 81 e2 bb f3 ae 6e 81 ea 29 cc exception.symbol: random+0x276e3a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2584122 exception.address: 0x11c6e3a registers.esp: 2621108 registers.edi: 605849942 registers.eax: 29850 registers.ebp: 4006522900 registers.edx: 4294940240 registers.ebx: 18669826 registers.esi: 82608464 registers.ecx: 738263040	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 50 51 b9 06 18 5d 39 89 c8 59 c1 e8 04 e9 9a exception.symbol: random+0x27def2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2612978 exception.address: 0x11cdef2 registers.esp: 2621104 registers.edi: 49132 registers.eax: 27661 registers.ebp: 4006522900 registers.edx: 38744 registers.ebx: 18666736 registers.esi: 4702188 registers.ecx: 1182898008	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 d6 ad a3 5f 89 14 24 51 e9 cd f5 exception.symbol: random+0x27e0a9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2613417 exception.address: 0x11ce0a9 registers.esp: 2621108 registers.edi: 604292949 registers.eax: 27661 registers.ebp: 4006522900 registers.edx: 38744 registers.ebx: 18694397 registers.esi: 4702188 registers.ecx: 4294943392	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 53 e9 df 02 00 00 b8 af 29 fc b6 31 44 24 04 exception.symbol: random+0x28d458 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2675800 exception.address: 0x11dd458 registers.esp: 2621108 registers.edi: 18759277 registers.eax: 4294941900 registers.ebp: 4006522900 registers.edx: 11 registers.ebx: 3923937618 registers.esi: 4702188 registers.ecx: 12	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 51 55 e9 92 04 00 00 5f 33 14 24 e9 e7 00 00 exception.symbol: random+0x296969 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2713961 exception.address: 0x11e6969 registers.esp: 2621104 registers.edi: 18759277 registers.eax: 31645 registers.ebp: 4006522900 registers.edx: 18769646 registers.ebx: 55099636 registers.esi: 2005598220 registers.ecx: 738263040	1
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 00 bb cc 32 89 34 24 57 52 89 0c exception.symbol: random+0x296a26 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2714150 exception.address: 0x11e6a26 registers.esp: 2621108 registers.edi: 18759277 registers.eax: 31645 registers.ebp: 4006522900 registers.edx: 18801291 registers.ebx: 55099636 registers.esi: 2005598220 registers.ecx: 738263040	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (15 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://77.91.77.81/Kiru9gu/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/judit.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/redline123123.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/upd.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/setup222.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/gold.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/lummac2.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/drivermanager.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.116/NewLatest.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://77.91.77.81/lend/monster.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.172.128.116/Mb3GvQs8/index.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.172.128.116/Mb3GvQs8/index.php?scr=1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.116/b2c2c1.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.172.128.19/FirstZ.exe
suspicious_features	GET method with no useragent header	suspicious_request	GET https://kmsandallapp.ru/Gibson.exe

Performs some HTTP requests (17 events)

request	POST http://77.91.77.81/Kiru9gu/index.php
request	GET http://77.91.77.81/lend/judit.exe
request	GET http://77.91.77.81/lend/redline123123.exe
request	GET http://77.91.77.81/lend/upd.exe
request	GET http://77.91.77.81/lend/setup222.exe
request	GET http://77.91.77.81/lend/gold.exe
request	GET http://77.91.77.81/lend/lummac2.exe
request	GET http://77.91.77.81/lend/drivermanager.exe
request	GET http://apps.identrust.com/roots/dstrootcax3.p7c
request	GET http://185.172.128.116/NewLatest.exe
request	GET http://77.91.77.81/lend/monster.exe
request	POST http://185.172.128.116/Mb3GvQs8/index.php
request	POST http://185.172.128.116/Mb3GvQs8/index.php?scr=1
request	GET http://185.172.128.116/b2c2c1.exe
request	GET http://185.172.128.19/FirstZ.exe
request	GET http://x1.i.lencr.org/
request	GET https://kmsandallapp.ru/Gibson.exe

Sends data using the HTTP POST Method (3 events)

request	POST http://77.91.77.81/Kiru9gu/index.php
request	POST http://185.172.128.116/Mb3GvQs8/index.php
request	POST http://185.172.128.116/Mb3GvQs8/index.php?scr=1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 180 events)

Time & API	Arguments	Status
NtProtectVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f51000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 1696 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 9:54 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000067c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00071000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 2260 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

axplong.exe tried to sleep 1139 seconds, actually delayed analysis time by 1139 seconds

Steals private information from local Internet browsers (7 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (28 events)

file	C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe
file	C:\Users\test22\AppData\Local\Temp\SetupWizard.exe
file	C:\Users\test22\AppData\Local\Temp\1000064001\NewLatest.exe
file	C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2760_133629768733125000\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\1000001001\b2c2c1.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\FirstZ.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2760_133629768733125000\python310.dll
file	C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2760_133629768733125000\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2760_133629768733125000\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2760_133629768733125000\python3.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2828_133629768978437500\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2760_133629768733125000\stub.exe
file	C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2828_133629768978437500\python3.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2828_133629768978437500\python310.dll
file	C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2828_133629768978437500\stub.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2828_133629768978437500\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\1000070001\monster.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2828_133629768978437500\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2760_133629768733125000\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2828_133629768978437500\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe
file	C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2828_133629768978437500\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2760_133629768733125000\sqlite3.dll

Drops a binary and executes it (14 events)

file	C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe
file	C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe
file	C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe
file	C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe
file	C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe
file	C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe
file	C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe
file	C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe
file	C:\Users\test22\AppData\Local\Temp\1000064001\NewLatest.exe
file	C:\Users\test22\AppData\Local\Temp\1000070001\monster.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2760_133629768733125000\stub.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\b2c2c1.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\FirstZ.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2828_133629768978437500\stub.exe

Drops an executable to the user AppData folder (8 events)

file	C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe
file	C:\Users\test22\AppData\Local\Temp\1000064001\NewLatest.exe
file	C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe
file	C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe
file	C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\b2c2c1.exe
file	C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe
file	C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe

A process created a hidden window (13 events)

Time & API	Arguments	Status	Return
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe	1	1
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe	1	1
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe	1	1
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe	1	1
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe	1	1
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe	1	1
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe	1	1
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe	1	1
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000064001\NewLatest.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000064001\NewLatest.exe	1	1
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000070001\monster.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000070001\monster.exe	1	1
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\263c5c4d73\Hkbsse.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\263c5c4d73\Hkbsse.exe	1	1
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000001001\b2c2c1.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000001001\b2c2c1.exe	1	1
ShellExecuteExW June 16, 2024, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000002001\FirstZ.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000002001\FirstZ.exe	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 16, 2024, 10:02 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes axplong.exe, hkbsse.exe (11 events)

Time & API	Arguments	Status	Return
InternetReadFile June 16, 2024, 10:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdÉOXfð.)®À«ö@Pý` Pì (¸©(@@ã(`S.text8¬®``.dataÀ²@À.rdataP+Ð,´@@.eh_framà@À.pdata( â@@.xdataø ì@@.bss0À.idataì Pö@À.CRT``@À.tlsp@À.rsrc(¸©º©@@.reloc@Â«@BUHåHMHULE DM(]ÃUHåHì èTöHÚÀt¹èÏ¨ë ¹èÃ¨è^ H7Ûè^ HÛè>2HgÙøuH)ÛHÁèK;¸HÄ ]ÃUHåHì0HÛwHÈÚHgHD$ AÑL@H1HÂH#HÁè7¨)HÄ0]ÃUHåHì0ÇEüÿH¤ÙÇè=EüEüHÄ0]ÃUHåHì0ÇEüÿHuÙÇèEüEüHÄ0]ÃUHåHìpHÇEðÇEä0EäeHHEØHEØH@HEèÇEüë!HEðH;Eèu ÇEüëE¹èHöBÿÐHMÙHEÐHEèHEÈHÇEÀHMÈHEÀHUÐðH± HEðH}ðu¨H&Ùøu¹è-§ë?HÙÀu(HÿØÇHBÙHÂH(ÙHÁè§ë ÇèHÍØøu&HïØHÂHÕØHÁèÝ¦H¦ØÇ}üuHØHE¸HÇE°HU°HE¸HH×HHÀtH×HA¸º¹ÿÐè8HÕØHÁH»AÿÐHØHHýÿÿHÁèèË/ HÁèsè),H[×HHñHH çHØÎIÈÁè ,ÖÔÀu ÆÁè+¦ÁÀuèÄ¥ªHÄp]ÃUHåHì H9×ÇH<×ÇH?×ÇH¢ÖHEøHEø·f=MZt ¸éHEø@<HcÐHEøHÐHEðHEð=PEt ¸éHEðHÀHEèHEè··À=t =t)ëVHEè@\øw¸ëHHEèÐÀÀ¶Àë4HEèHEàHEà@løw¸ëHEààÀÀ¶Àë¸HÄ ]ÃUSHìHHl$@M HU(E ÀHHÁàHÁè¥HEðHE(HHEèÇEüéEüHHÅHEèHÐHHÁè,¥HÀHÀHEàEüHHÅHEðHHEàHÁè°¤HEüHHÅHEèHÐHEüHHÅHEðHÈHHMàIÈHÁè¤EüEü;E eÿÿÿEüHHÅHEðHÐHÇHE(HUðHHÄH[]ÃUHåHì HMHEHÁè²£HÀt¸ë¸ÿÿÿÿHÄ ]ÃÃff.@1ÀÃff.fUWVSHì(Hl$ H5ºHñÿ>HÃHÀtkHñÿB>H=û=H÷¹HÙHÿ×Hú¹HÙHÆÿ×HÂ©HötHH ¯éÿÖH 6HÄ([^_]éÿÿÿfHYÿÿÿH5BÿÿÿH{©ë¼fUHåHì Ha©HÀt H UéÿÐH HÉtHÄ ]Hÿ%ó<HÄ ]Ãf.fDUWVSHºÅgV/ëÔ'IÊHI(EJHMBMIÉLÂIûIZIRH¿OëÔ'=®²ÂIB HÞH¯ßHÕHÑÂHÁÆH¯ïHòLÆHÁÆL¯ÇHòHÆHÁÅHÁÆH¯ÇHòIÁÀH¾Êë±y7H¯îL¯ÆH1êHÝH»c®²ÂwÊëH¯ÖHÁÅH¯îHÚH1êH¯ÖHÚI1ÐHÂL¯ÆHÁÂH¯ÖIH1ÂH¯ÖHÚIr0LÚI9ñr`H»OëÔ'=®²ÂHñI¸Êë±y7I»c®²ÂwÊëfDHAøHÁH¯ÃHÁÀI¯ÀH1ÐHÁÀI¯ÀJI9ÉsØLÈL)ÐHHÐHáøHñLAM9Ár5H¹Êë±y7H¯ÁLÁH1ÐHºOëÔ'=®²ÂHÁÀH¯ÂHºùy7±gVHÂL9És2IºÅgV/ëÔ'I¸Êë±y7¶HÁI¯ÂH1ÐHÁÀI¯ÀHÂI9ÉuâHÐHÁè!H1ÐHºOëÔ'=®²ÂH¯ÂHÂHÁêH1ÐHºùy7±gVH¯ÂHÂHÁê H1Ð[^_]ÃHì8LD$PLD$PLL$XLD$(è3=HÄ8Ãff.Hì8LL$XLL$XLL$(èx=HÄ8ÃAWAVAUATUWVSL\$hA;IÊIÔMÉ=C¶DÿIùv1HÇÂÿÿÿÿÀâ½Ð¸)ÐIù%KtøHë@HÉ¶A¶JcHÙÿá@A¶HHÁá0HÊA¶HHÁá(HÊA¶HHÁá HÊA¶HHÁáHÊA¶HHÁáHÊA¶HHÁáHÊÀQ½È¸ LÆD)ÈÁà)ÈÁïK,"MK@¶ÿMhLuýû÷Ûã?éÁfI9ð?ÂHñÁêAÓL)ÙL9ÁÁâHÎ)ÐHM9ò¬ÁIÓIÂIÓãÙIÓëKYD¶YD¶9AÃHÐEzüDÙHÓàÙHÓèIA¶¶@DØAJýIÓÁIÓãÙIÓëKYD¶YD¶9AÃHÐEzþDÙHÓàÙHÓèIA¶¶@DØAJÿø@w!L9î8ÿÿÿÂàÁêH)ÖHM9òUÿÿÿI9ês/÷ßç?ÁIÓIÂIÓãùIÓëOYA¶E¶[AJÿDØL9ÕuÖI9ðt4HÇÂìÿÿÿHÐ[^_]A\A]A^A_ÃHòL)ÂÑÁâH)Î)ÐHëI9êrLâø@uÄëÉfHÇÂ¸ÿÿÿHÐ[^_]A\A]A^A_ÃLÊë¤@AVAUATUWVSL\$`A3HÕMÉBC¶DÿIùv6HÇÂÿÿÿÿÀä½Ð¸)ÐIù(K\ request_handle: 0x00cc000c	1	1
InternetReadFile June 16, 2024, 10:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¼yà0ÐÐÚ @ @OÔÉàl H.textÀÏ Ð `.rsrcÔÉÌÔ@@.relocà @B¼HPdtK´¸0 1s% ~Í%-&~Ìþ[s& %Í(+o( 8Ðo) £%rprYp~ (+ ¢%rqpr¯p~* (+ ¢%rÇprp~* (+ ¢%r!prap~* (+ ¢( o, 81(- sNsk~* }Ë~* s. (/ o0 }Ë{ËrqprÑp~* (+ o1 ,rãprp~* (+ +;rprap~* (+ o1 -{Ë(+{Ë((2 þ 9:o3 (4 o5 o6 (7 {Ë((2 þ 9ñs8 s8 s8 þOs9 ~Î%-&~Ìþ\s: %Î(+þPs9 ~Ï%-&~Ìþ]s: %Ï(+þQs9 ~Ð%-&~Ìþ^s: %Ð(+o; þ9E{Ë£%rip¢o< r}p(7 (A(+o> s? (L(+oRo@ #>@(A (B ioC &ÞÞ(D þ9þRs9 ~Ñ%-&~Ìþ_s: %Ñ(+þSs9 ~Ò%-&~Ìþ`s: %Ò(+þTs9 ~Ó%-&~Ìþas: %Ó(+ÞÞo]o_þUsE ~Ô%-&~ÌþbsF %Ô(+oaogþVsG ~Õ%-&~ÌþcsH %Õ(+ocþWsI ~Ö%-&~ÌþdsJ %Ö(+oeþXsK ~×%-&~ÌþesL %×(+oi( +,dsk%o]%r£p(7 o_%sN oa%og%oi%sO oc%sP oeoQ ( +,dsk%o]%rµp(7 o_%sN oa%og%oi%sO oc%sP oeoQ ÞÞojþ,oQ (R :ÃúÿÿÞþoS ÜoT :%úÿÿÞ,oS ÜÞ&Þ + Añ,:ÕåäÉµDù4â$0sp rËp(U (V þ , Ýî(srÝpo&8ooW ooW (rùpo1 ,4sp ¥%-oX om oo +sp%om%oo ÞÞXoþ:NÿÿÿÞ ÞÞÞ+ALPà1Ó 0sN ¥%Ð®(Y sZ (U (V þ , ÝS(s¥%Ðz(Y sZ o&8òsooW oooW oo(oÞÞÞoo(D - o+rýpoo(D - o+rýpoo(D - o+rýpoÜorýp([ ,o\ Xoþ :úþÿÿÞÞÞÞ+*AdzJÄzRÌoC8{}0Ìs8 (U (V þ , Ý£(s¥%Ð(Y sZ o&8Csq%ooW ot%ooW o3 .þov%ooW ox%oo3 1þoz%ooW (] @Bj[!¶Yo\|%ooW o~%r po(oo{jþ,-(^ (_ (` request_handle: 0x00cc000c	1	1
InternetReadFile June 16, 2024, 10:01 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $³Ù#÷q·p÷q·p÷q·p$´qüq·p$²q^q·p$³qâq·p$¶qôq·p÷q¶pq·p5ð³qåq·p5ð´qâq·p5ð²q£q·pó¾qöq·póµqöq·pRich÷q·pPELò\fà'8ªYsP@@Xê(Ø(&ð, Î`Í@PT.text/0 `.BSs³@4 `.rdata¢P¤<@@.dataèÚà@À.reloc,ðº@B¹pØ[èÕ=hJ?BèÿeYÃjjhÙ[¹@Ù[èChT?BèàeYÃVWjè©Y¿Ù[ðÏèFCjVÏÇÙ[8TBèìGh^?Bè¨eY_^Ã¹9Ù[éC¹8Ù[è\=hh?BèeYÃh\|?BèzeYÃhr?BèneYÃ¹ Ü[è.=h?BèXeYÃh?BèLeYÃÌÌÌÌÌÌÌ¸àç[ÃÌÌÌÌÌÌÌÌÌÌUìäøQVujèd¨ÄMQjVPèÎÿÿÿÿpÿ0è ÓÄ^å]ÃÌÌÌÌÌÌÌÌÌÌÌÌUìäøEPjÿuÿuÿuèÿÿÿÿpÿ0èvÓÉÿÄÀHÁå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌìD$WÀVñD$VÆD$RD$ÇÄRBPfÖèmmÄÆ^ÄÂÌÌÌÌÌÌVñWÀFPÇÄRBfÖD$ÀPè:mÄÆ^ÂÌÌÌÌÌÌI¸ôËBÉEÁÃÌÌVñFÇÄRBPèlmÄöD$tjVè¢aÄÆ^ÂÌÌÌAÇÄRBPè?mYÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌWÀÁfÖAÇAÌBÇÜRBÃÌÌÌÌÌÌÌÌì$èÕÿÿÿhôéBD$Pè6mÌÌÌÌÌÌVñWÀFPÇÄRBfÖD$ÀPèjlÄÇÜRBÆ^ÂVñWÀFPÇÄRBfÖD$ÀPè:lÄÇÐRBÆ^Âh ÌBèC>ÌÌÌÌÌÌVñWÀFPÇÄRBfÖD$ÀPèúkÄÇèRBÆ^ÂD$T$HÂT$øìVÿt$RÿPt$HVI;Ju;u °^ÄÂ2À^ÄÂÌÌÌÌAVt$V;Bu;D$u°^Â2À^ÂÌÌÌÌÌÌÌÌÌÌÌÌD$L$Ç@¨Ó[ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìäðì¡@C3Ä$VuWÀWù)D$ ÇD$0Æ~ÇD$4t$@vD$@vþÿÿÿ-þw¹t$0L$4D$ ë[ÆÈ=ÿÿÿv¸ÿÿÿë ¹;ÁBÁD$D$PD$$Pèª8Èt$8D$D$<FPÿt$LL$0QèJoL$HÄt$0EUD$T$ötKÁ+Æør#FùD$0¹: D$ GD$ f0ÆD0ëjh0ÌBÆD$HL$(ÿt$Hjè6,T$ÿt$L$LQÊÿP\|$\T$HL$XGT$HD$4t$0+ÆL$QR;Èw*\|$<D$8D$(GD$(ðVènD$$ÄÆ0ëÆD$ ÿt$ QL$0è¿+L$\ùv-T$HAÂùrPüÁ#+ÂÀüø¿QRè"^Ä(L$ L$`ó~D$0fÖD$pWÀ\|$tf~ÈÇÄRBfÖGGÈ)L$`GL$PD$ÆD$ Pè)iL$\|ÄÇèRBùv)T$`AÂùrPüÁ#+ÂÀüøw>QRè]ÄMÇUO$ÇôRBW_^3Ìè2]å]ÂèüÿÿèÛèÛÌÌÌÌÌÌÌÌÌÌVñFÇÄRBPèühÄöD$tjVè2]ÄÆ^ÂÌÌÌVt$WÀWùGPÇÄRBfÖFPèYhÇôRBÄFNGÇOÇSB_^ÂÌÌÌÌÌÌÌÌÌÌÌÌVt$WÀWùGPÇÄRBfÖFPè hÄÇôRBFNGÇO_^ÂÌÌ¸4ÌBÃÌÌÌÌÌÌÌÌÌÌD$Vt$øu`D$ÇD$WÀPVÇFÇFè«5L$ÄÇFNÍB ,ÍBH 0ÍBHÆ@Æ^ÂWPèöPÐWÀÊÄÇFÇFyAÀuù+ÏQRÎèK#_Æ^ÂÌÌÌÌöD$VñtjVèÄ[ÄÆ^ÂÌÌÌÌÌWÀÁfÖAÇA@ÌBÇSBÃÌÌÌÌÌÌÌÌì$èÕÿÿÿhéBD$PèvgÌÌÌÌÌÌVñWÀFPÇÄRBfÖD$ÀPèªfÄÇSBÆ^ÂöD$VñÇSBtjVè.[ÄÆ^ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌVjñèr53ÀÇFfFFfF F$F(F,F0D$ÆFÇFÆFÇFÀtPVèNÄÆ^ÂhLÌBèk8ÌÌÌÌÌÌÌÌÌÌÌÌÌÌVñVè³NF,ÄÀt PèFÌÄÇF,F$Àt Pè/ÌÄÇF$FÀt PèÌÄÇFFÀt PèÌÄÇFFÀt PèêËÄÇFFÀt PèÓËÄÇFÎ^éÆ4ÌÌQVñ>u&jL$èX4>u ¡øÙ[@£øÙ[L$è4^YÃÌÌÌÌÌÌÌÌÌÌÌÌðÿAÃÌÌÌÌÌÌÌÌÌÌÌÈÿðÁA¸DÁÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌIÉtÿPÀtÈjÿÃÌÌÌÌÌÌÌAÀtHÉtÁÃÀÃ¸iÌBÃÌÌÌÌÌIVt$W<µ;qsAÀu!ë3ÀytèïK;ps@_^Â3À_^ÂÌÌÌÌÌÌÌÌÌÌÌAP¶D$PèlNÄÂÌÌÌÌÌÌÌÌÌÌÌVt$W\|$;÷tSY¶SPè?NÄF;÷uì[_Æ^ÂÌÌAP¶D$Pè"PÄÂÌÌÌÌÌÌÌÌÌÌÌVt$W\|$;÷tSY¶SPèõOÄF;÷uì[_Æ^ÂÌÌD$ÂÌÌÌÌÌÌÌÌÌT$L$+ÊQRÿt$è[hD$ÄÂÌD$ÂÌÌÌÌÌÌÌÌÌT$L$+ÊQRÿt$è+hD$ÄÂÌVñFÇSBÀ~ ÿvè§Éë yÿvèWÄÿvèÉÄÇSBöD$tjVè¿WÄÆ^ÂUìäðì8¡@C3Ä request_handle: 0x00cc000c	1	1
InternetReadFile June 16, 2024, 10:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdì1cftÜð&\|Ð@@?"` 00 PX°A(Èè.textX``.data0"@À.rdata @$@@.pdataXP0@@.xdatað`4@@.bsspÀ.idata 6@À.CRT`B@À.tls D@À.reloc°F@B/4ÀH@B/19]®Ð°L@B/31r ü@B/45 @B/57 À :@B/70ÚÐD@B/81åàH@B/97Ð^@B/113 r@B.rsrc0 0t@@Ãff.@Hì(Hµ41ÉÇH¶4ÇH¹4ÇH4f8MZuHcP<HÐ8PEtfH_4 ¥_ÀtC¹èÉèDH5è,Hí4èdH38tP1ÀHÄ(Ã¹èë»@·PfútEfúu¸{ÿÿÿø1ÉÒÁéiÿÿÿH Á4è\| 1ÀHÄ(ÃDxt@ÿÿÿDè1ÉEÀÁé,ÿÿÿfHì8H4LÖ^H×^H Ø^¬^H14DH^HD$ èýHÄ8ÃATUWVSHì H3H=pqeH%0HpëfH9Æg¹èÿ×1ÀðH±3uçH5`31ÿøZÀ¹Ç^øPÿiH2HHÀtE1Àº1ÉÿÐè¬H 3ÿÏpHØ2H ÁýÿÿHèèÖ]{HcÿHÁçHùèDL%µ]HÅÛJHï1Û@IèHpHñèIðHDIHÁHÃèËH9ßuÎHïHÇH-]]èHÑ1LB] L]HLH7]èb ]]ÉÆ]ÒttHÄ [^_]A\ÃfH5 2¿ø¦þÿÿ¹èOø°þÿÿHý1H æ1èÙÇÿþÿÿ1ÀHéþÿÿfès\HÄ [^_]A\Ãf.HÉ1H ²1Çèé3þÿÿfHÇéíþÿÿÁèHì(Hå0ÇèýÿÿHÄ(ÃHì(HÅ0ÇèzýÿÿHÄ(ÃHì(è7HøÀHÄ(ÃH éÔÿÿÿ@ÃUAWAVAUATVWSHì8H¬$D) )½)µèZH5s+H=¼+(5Å+(=®+EWÀL-[nHnL5µ+L=,ëfff.¹'AÿÕHÇD$ 1ÉHòIøE1Éè+ÀuÛ)uP)}@D)EÐD)EàD)EðD)ED)ED)E HÇE0ÇEÐhD)E`HÇEpHE`HD$HHEÐHD$@DD$0ÇD$(ÇD$ 1ÉHU@E1ÀE1Éÿ_mAÄ¹AÿÕEätHÇD$ 1ÉLòMøE1ÉèÀtR¹¸AÿÕHÇD$ 1ÉLòMøE1Éè]Àt-¹¸AÿÕHÇD$ 1ÉLòMøE1Éè8Àt¹¸AÿÕA¼_¹_AÿÕëA¼:HM`ÿÓHMhÿÓDáé»þÿÿfÿ%~nf.fHì(HÅHHÀt"DÿÐH¯HPH@H HÀuãHÄ(ÃfDVSHì(HÓ-HÁøÿt9Ét ÈéHÂH)ÈHtÂø@ÿHëH9óuõH ~ÿÿÿHÄ([^éSýÿÿ1ÀfDD@ÁJ<ÂLÀuðëfDJYÀtÃDÇ6Yéqÿÿÿ1ÀÃHì(útÒt¸HÄ(Ãfè ¸HÄ(ÃVSHì(Hã,8tÇútútN¸HÄ([^ÃfHáxH5ÚxH9ótßDHHÀtÿÐHÃH9óuí¸HÄ([^Ãfè ¸HÄ([^Ãff.@1ÀÃVSHìxt$@\|$PDD$`9ÍH\HcHÐÿàH@)òDA òyòqHq¹èsòDD$0IØHê)ò\|$(HÁIñòt$ è»t$@\|$P1ÀDD$`HÄx[^ÃH¹(ëH )ëHÙ(ésÿÿÿ@H9)écÿÿÿ@H)éSÿÿÿHS)éGÿÿÿÛãÃVSHì8HËHD$X¹HT$XLD$`LL$hHD$(èA¸ºH R)IÁè¢Ht$(¹èkHÚHÁIðè èøWVSHìPHc5&WHËöHWE1ÉHÀfLL9ÃrHPRIÐL9ÃAÁHÀ(A9ñuØHÙè HÇHÀæHÅVH¶HÁãHØHx Çè3WA¸0HHV request_handle: 0x00cc000c	1	1
InternetReadFile June 16, 2024, 10:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ì£èÍTèÍTèÍT[ÎUèÍT[ÈU#èÍT[ÉUèÍTJiÉUèÍT[ÌUèÍTèÌT èÍTJiÈUÔèÍTJiÎUèÍT{jÈUèÍT{j2TèÍT{jÏUèÍTRichèÍTPELþÔdfà'Z¸ép@P@d<à(& ("xðÀð¸ï@pt.textYZ `.rdata¶p¸^@@.data¼Ø0È@À.rsrcàÞ@@.reloc(" $à@B¹ øGèDhëhBè^YÃj¸¿dBèK¸¼ÝGÇEð`ÝGEìeüÇ¼ÝGHrBÇEüh\|CPhlÝGèÅNMüÿhõhBèÄèÞÃj¸þdBèô¸TÝGÇEðøÜGEìeüÇTÝGpwBÇEühèCPhÝGènNMüÿhøhBè·ÄèÃhiBè¤YÃhûhBèYÃhèúGè´NÇ$iBèYÃj¹´úGèhiBèhYÃ¹äúGèCh1iBèRYÃh'iBèFYÃjjhpûG¹ ûGèah;iBè'YÃVWjèÏàY¿pûGðÏèØajVÏÇpûGÐBè~fhEiBèïY_^Ã¹ûGéb¹ûGèChOiBèÍYÃ¹ÙûGé,u¹ØûGèëBhYiBèYÃjjh0üG¹àûGèóshciBèYÃVWjè6àY¿0üGðÏè7tÏÇ0üG¨BÆxüGÆnüGèWf¡üG üG%hüGhmiB5\|üG£püG tüGè(Y_^Ã¹ÀüGèNBhiBèYÃhwiBèYÃVÿt$ñ3Àÿt$@FFFPÇüuBèÀÄÆ^ÂVÿt$ñÇävBè/YPNè^Vÿt$ñ3Àÿt$@NFFÇèuBè©Æ^ÂVÿt$ñf$NÇ vBèy v$Æ^Âì$SUl$43ÀVWñD$ìÌUFè(}j[ÿtðÿGÇëÃPÎè#ÿtÏè\-}tEL$(D$$E Pè3ÛD$$Cë3ÀD$D$D$ D$4D$D$Pè80öÃtL$ãýÉtD$ +ÁàüPQèHYYöÃt L$(è;2D$8ÎPè _Æ^][Ä$ÂVjñèÜD$ÇvBb$ÇävBBÆR$^ÂUìQQVWÿuñè½ÿÿÿì0ÇÈvB¾¨Ì'gèEøVPèð Ä8;øtPÏè2MüÉtè#_ÆFvÆ^ÉÂj ¸bBè_]3ÿÇEèÿuè§ùYÈMä@t D$;Ç\|;÷v;Ç\|;ñv+ñÇëWÀfEÜEàuÜEìSMÔè }Øu j^Öé}üAD%Àø@t<Eì;Ç\|3;÷v-H¶D@PL8èõ<øÿtsÆÿuÜEìÐÿEìEàëÉAL8WÿuäÿuÿP$;EäuE;×uAEì;Ç\|3;÷v-H¶D@PL8è<øÿtÆÿuÜEìÐÿEìEàëÉj^×ëj^ÖUè@\| \|$Müÿë;MPÑBj^Æj3É9J8EñðVÊè2¸Ö@ÃMüÿ3ÿj^]UèHËW3À9y8EðqòVèa2MÔè-Ãè;ÃÌÌÌÌÌj@¸bBèµ3ÛÃEäEàÿuèý÷YÐUÜ]Ø}It9 D9$;Ã\|;óvË;Á\|;òv+òÁëWÀfEÄEÈuÄuèEìWM¼èë8]Àu j^Öé«]ü@D80HMÐÿPEÌPè YEÔMÌè\IL9áÀù@tRMì;Ë\|K;óvEH·D9@PL98èT;·À¹ÿÿf;Èu j^ÖUäUàëÆÿuèuÄMìÑÿMìMÈë±j^ÓEÜËÒ;Ë\|_;ÃvYEEÐMÔÿuÐÿP0·ÀPHL98èâ:·ÀUä¹ÿÿf;ÈDÖUäUàEÜÀÿEÜE´MØÑÿMØM¸ÿEëEèMì;Ë\|/;Ãv)H·D9@PL98è:·À¹ÿÿf;ÈuUäÖUà@\8 \8$MüÿëXEèÀÿEèEÄMìÑÿMìMÈUäëMPÑBj^Æj3É9J8EñðVÊè70¸0@ÃMüÿ3Ûj^}UàHÏS3À9Y8EðqòVè0M¼èÓÇèáÃÌÌÌÌÌÃD$=rPèYÃÀtPèdYÃ3ÀÃD$H#;È,QèJYÈÉt A#ààHüÃé ÍSÙVW\|$C3+ÆÁø;øvWè$3VWÿt$è÷Äë<Uk+îÁýV;ýv t$UVèÙ®+ýsVWPèÉÄë Wÿt$èºÄ]¾_^C[Âj,è¶Y@@fÇ@ÃS\$Ué¹ÿÿÿ;ÙwZjX;ØwSÿt$]UEè/ÄÆ+ë4VWQPSèðNQèÞþÿÿSÿt$(ø]W}uèV/ÄÆ_^][Âèü-ÌSÙ¹ÿÿÿW\|$;ùwQjX;øwjÿt${SCèXÄë.VQPWè£ðNQèqþÿÿOQÿt$${Psèé.Ä^_[Âè-ÌVt$WùNÉtèó"ÀtFG°ë2À_^ÂìÌÿt$èí D$L$ÿ0èÃ\|$Vñt#ÿt$èÑD$Vÿ6ÿ0D$ÿ0èÄF^ÂT$BÀtðÿ@BAÂVt$W\|$+\|$Wÿt$VèiÄ7_^ÃL$D$ÿt$PQèÈÿÿÿÄÃUìE=rEPEPèýEYYPÿuèYY]ÃVñÿpÿt$èj,ÿ6èãYY^ÂVt$WùëÿvÏÿt$èèÿÿÿVÿt$6è YY~ tÞ_^ÂVt$Nèj,VèYY^ÃD$èt0èu+Vh¨èJðYötÿt$ÎèøÿÿÇ¬vBë3öÆ^Ãh°è YÀtÿt$Èè)øÿÿÃ3ÀÃVj0èðYÿt$NÇXvBè request_handle: 0x00cc000c	1	1
InternetReadFile June 16, 2024, 10:01 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¯ cfàÀ°@@öx0ìQ÷.textÀÀ `.rdata7*Ð,Ä@@.data+ð@À.relocìQ0R@BUåSWVì0]¡hDEðPàPáPæPçUÆÆÇCÇCÇCÇCÇCÇCÇÿeð}ÐMÈ±ÇEð1ÒÉÂ]EÜÿ$lD1Àý&Àÿ$ìDEÀ(°@ß]ðÃ]ðû1ÀþÉÀÿ$lD+C1ÀýfÀÿ$tD1ÀýðÀÿ$\|D1ÀýòÀÿ$D1ÀýóÀÿ$DÀ¶Àÿ$DE@(°ß]ðÃ]ðû1ÀþÉÀÿ$lD1Àý6Àÿ$´D1Àý>Àÿ$¼D1ÀýdÀÿ$ÄD1Àý>Àÿ$ÌD1ÀýgÀÿ$¤DÀ¶Àÿ$¬DEÀ(°ß]ðÃ]ðû1ÀþÉÀÿ$lD1Àý.Àÿ$ÜDÀ¶Àÿ$äD1ÀýðÀÿ$D]ìÿ%ôDEhÿ%DEhhÿ%D° ]ðÃ]ð1ÀþÉÀ]ìÿ$lD1Àý6Àÿ$ÔDEÀ(°ß]ðÃ]ðû1ÀþÉÀÿ$lDE@(°ß]ðÃ]ðû1ÀþÉÀÿ$lDuÌUð¶òÁæEp1ÀÒÀÿ$DÊEÌEh1ÀýÀÿ$D1Àý ÀÇEèÐC1ÿÿ$D1Àý¤À1ÿÿ$,DÐÀè$¶Àÿ$4Dâ÷ëbEh1ÀýÀÿ$DUð+CEh¿JÐC¶ÕÐÁèEØ¶âUäÐÇEèJÐC¶Uì1ÀúÿÀêUàÿ$LDÊEÌ¡DD1ÿÿà}àUð¶ÕÐÁèEØ}è¶âUäÐ¶1ÀUìúÿÀÿ$LDÎ0Epéáý1Àù$ÀÇEìÿ$TDEìÀè¶Àÿ$lD1À}àÀÇ1ÒEìÔEì}ÔUðÿ$½D°Eì°Àè¶Àÿ$lD¶EìàUè·Eì1À}àÀEÔUðÿ$DEØ¶0ÑC}ä0ÑC¡Dÿà1ÀÊÀÿ$DEì$¶Àÿ$¤DÀêâ¶Âÿ$DD¶EìÁÁéáuÜÿ¡LDð÷Ð ÿÏÿÿÆÆ0EpEì$¶Àÿ$¤DUðmèÿ%¬Dð÷ÐÈþÆÆðÎMqÿ%¸D¶}WÑÀéMàO ÑáMØOÁêâUäW 1ÉUìöÁUðÿ$¼D×Mì¶ÕMäÓâÀê¶Êúÿ$ÄDÿ%ÐD 0ÆÎ0Epÿ%ØDEÔUðÿ$ìD1À}èÙÀÿ$ôD1À}èàÀÿ$üD¶Eè'1É}àÁÿ$DMäÿ%D¶À¶ñÐCÒà¶À¶ñÐCÒàÿ%D¶EìÎMqÁÁéáuÜÿ¡LD¶ÀMä¶ÁøÐC¶MØÒà (DÿáÀè¶Àÿ$,D¶ÊÊòßÉ 1ÀÑÀmèMàÿ$4D1ÀùÀÿ$<DºËÑC¸¹ÑCmèé}Ôÿ$½DDmèÿ%PDmèåþéöÑÉþéþÁº¹ÑC¸¡ÑCÍÿ%TD9Ð×ºÂUÄmèUÄÿ$\D1Ò8Âÿ$dDÀ1Ò9øÂÿ$\D¶@êMäÕÓàÀè¶Àÿ$\|D¡DMàÿàÎEpMàEÔÿ$D1ÀýÀUäÿ$ DÀ¶Àÿ$ D1ÀúÀÿ$4 D1À}äÀÿ$< D1Àý"ÀUäÿ$D1Àý#Àÿ$¤DÀ¶Àÿ$¬D1ÀýÀÿ$ D1ÀúÀÿ$ D1Àý!Àÿ$´D1ÀúÀ±ÿ$ôD1À}äÀÿ$üD1Àý Àÿ$¼D1ÀùÀÿ$D Dÿ%Ä DEÔÿ$Ì D1ÀýÖÀÿ$Ô DÀ¶Àÿ$Ü D1Àý÷Àÿ$ä DÀ¶Àÿ$ì Dÿ%X Dmè¿ÚÑC¸ËÑCMÔÿ$\ D l D¿ÒC¸ÚÑCÿá1É9øÁÿ$t D1É¶Uè8Áÿ$\| DÀ1É9øÁÿ$t D1ÀúÀ±ÿ$ÔD1À}äÀÿ$ÜD1ÉUðPÁÿ$ D¶@MäÓàÀè¶Àÿ$ D1ÿº¶Màÿ$¤ Dmèÿ$´ Dÿ%8 DÎEpÿ%< DÎÎEpÿ%< D1À}äÀMàÿ$D D1ÀýöÀÿ$L D¡p Dÿà1Àý÷Àÿ$t DEìEì1ÀÉÀUðÿ$\| DÐÀè$¶Àÿ$ D1É}ØÁ°ÿ$¤ DEìEì¡` Dÿà1ÀÉÀUðÿ$\| DÈ1É<Á°ÿ$ DÀ¶Àÿ$ DEÐÿ%¬ DÆÆÿ%¸ DÐÀè$¶È°ÿ$¼ D1É}ØÁ°ÿ$ DMÐK1À}àÀÿ$Ä D1À}ØÀÿ$Ì DÀêâ¶Âÿ$Ô D¶Cÿ%Ü DÎ}wAGÂÀêW ÿ%ä DÎ}wAGÂÀêW ÎwAGW ÿ%ä DÂÀêâW$G1Ò<Âÿ$ì D¶Eà$¶Àÿ$ô Dÿ%ü DEÐÆÿ%DEÐÆÆÿ%DIEÐ¶1ÀûÀÿ$D1ÀûÀUìÿ$D1ÀûÀÿ$DÎE×ÂpBËø¶ÀÁÁéáuÜÿ¡LD1ÀûÀUìÿ$,DÎ E×Âp¶BËø¶ÀÁÁéáuÜÿ¡LD request_handle: 0x00cc000c	1	1
InternetReadFile June 16, 2024, 10:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELcefà29,ÎP9 `9@ À9@P9K`9è) 93P9 H.textÔ09 29 `.rsrcè)`949@@.reloc 9^9@B°P9HøO<À]4%ÿ:( 8&~þ~>( 8&~þ~08lþEL8s :×ÿÿÿ&8Íÿÿÿs 8s :ÿÿÿ&8£ÿÿÿs 8¬ÿÿÿs 8¸ÿÿÿ0$8 88~o 8äÿÿÿ0$8 88~o! 8áÿÿÿ0~o" 8880$8 88~o# 8äÿÿÿ0~o$ 88øÿÿÿ8óÿÿÿ&~þ~0W8<þE%8 { (9Ûÿÿÿ&8Ñÿÿÿ8øÿÿÿ8óÿÿÿ{ (+} 8Àÿÿÿ0 þ8þE88øÿÿÿ8968!{ @èÿÿÿ (:¹ÿÿÿ&8¯ÿÿÿ (½Ds% z\| o+8£ÿÿÿ0&9þo& 9ý~ 9:~ Ð(' o( 9 J(½D() s z8s+ ~ Ð(' o, (+ ÝÝuQ%:&8%(. o/ þþþþ& (½D o/ o0 ¢ () o/ s1 z(2 Ý~ Ð(' o3 Ü8 8¿?yþ0 þo4 þ>(5 80! ((88øÿÿÿ8óÿÿÿ0 8(88êÿÿÿ8åÿÿÿ0Ð(8880 8 88(6 8èÿÿÿ&~þ~.þ (7 :þ þ (8 *þ (9 .þ (' 0& 8 88(7 (8 8âÿÿÿ0 8 8øÿÿÿ8óÿÿÿ('8èÿÿÿ0$8 8øÿÿÿ8óÿÿÿÐ(' 8äÿÿÿ0 8 88((8åÿÿÿ0' :(+ 88 80 þ>(5 8&~þ~þ (9 þ (6 0' ~: : (+: ~: 8>(5 8&~; þ~; 0 þ8þEËçN6%ÒÎuï-mS¤©B}î8 È(½D 8ÿÿÿ"÷ÕA 8sÿÿÿ( þ8^ÿÿÿ"Ü¬ÂB 8Qÿÿÿ h(é 8;ÿÿÿ þ8&ÿÿÿ8 8ÿÿÿ î(½D (ê:ùþÿÿ& 8îþÿÿG 8àþÿÿ"©¦B8Pÿÿÿ ¾(é (ê:¸þÿÿ&8®þÿÿ ø(é 8þÿÿ8Yÿÿÿ8ÿÿÿ32 þ8vþÿÿ8²Y-8°"-f A 8Xþÿÿ"ä A08fa38cÿÿÿ Ø(½D%8v ¦(½D'8¼X+8¢ 0(é/8þÿÿ ®(é8Dÿÿÿ8#8G!8ÿÿÿ (½D8ÿÿÿ B(½D8 ÿÿÿ.8Ãþÿÿ (ë9ýÿÿ&8ýÿÿ$8¡8/ÿÿÿ ð(½D8^ÿÿÿ (½D)8Dþÿÿ 8<ÿÿÿ"Á½B, 8Lýÿÿ" 8>ýÿÿ"@ :B (ë9(ýÿÿ&8ýÿÿ"õÝHB 8ýÿÿ T(é& 8ûüÿÿ"'§@8cþÿÿP (ë:Üüÿÿ& 8Ñüÿÿ"#·:A 8Àüÿÿ8zÿÿÿ 8ýÿÿ ª(½D8±þÿÿ1 8üÿÿ0±8ìþ3E<Ë cöH{Â²+REþì³ä87F1 (ë9ÿÿÿ&8ÿÿÿ (½D8 (é- 8^ÿÿÿ* 8Qÿÿÿ"8 2(é (ê:.ÿÿÿ&8$ÿÿÿ 8ÿÿÿ8h8¹H(8G p(é#8d=2 (ê:Þþÿÿ&8Ôþÿÿ æ(é (ê:½þÿÿ&8³þÿÿ"É£B8R (ë:þÿÿ& 8þÿÿ!8æþÿÿ"¸oö@8vÿÿÿ"lªB.8Â8ßþÿÿ3,8ïÿÿÿ58Ê>0 þ38<þÿÿ"gl@ (ë9*þÿÿ&8 þÿÿ"X¶B8¿ 8þÿÿL! (ê9ûýÿÿ& 8ðýÿÿ8q"¦ÎUB8"føâ@'8² Ä(½D%8[ÿÿÿB þ38©ýÿÿ 81"ôãÇB8Q"¢34A (ê:ýÿÿ& 8xýÿÿ (é)8Å+/ 8Yýÿÿ B(½D8`ÿÿÿ"lA (ê:2ýÿÿ&8(ýÿÿE 8ýÿÿ$8þÿÿ81 (ê9úüÿÿ& 8ïüÿÿ/ 8áüÿÿ request_handle: 0x00cc000c	1	1
InternetReadFile June 16, 2024, 10:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌPJr>r>r>Ó=r>Ó;(r>]:r>]=r>];ýr>Ó:r>Ó?r>r?^r>7r>Ár><r>Richr>PELàmfàÌDô @@l#È°àÀ MP±8,²±@ (.textZ `.rdata¼ @@.dataìe@4@À.rsrcà°R@@.reloc MÀNT@BhðßDè¤áYÃÌÌÌÌhßDèáYÃÌÌÌÌj h ¢E¹$LFè/hPàDèsáYÃÌÌÌj hÄ¢E¹ÜQFèh°àDèSáYÃÌÌÌjhè¢E¹lRFèïháDè3áYÃÌÌÌj hð¢E¹MFèÏhpáDèáYÃÌÌÌjh£E¹QFè¯hÐáDèóàYÃÌÌÌjh,£E¹LKFèh0âDèÓàYÃÌÌÌjh«¡E¹<RFèohâDè³àYÃÌÌÌjh«¡E¹RFèOhðâDèàYÃÌÌÌjh«¡E¹,MFè/hPãDèsàYÃÌÌÌjh«¡E¹ìJFèh°ãDèSàYÃÌÌÌjhL£E¹ÜKFèïhäDè3àYÃÌÌÌjhX£E¹UFèÏhpäDèàYÃÌÌÌjhd£E¹$RFè¯hÐäDèóßYÃÌÌÌjhp£E¹DJFèh0åDèÓßYÃÌÌÌjh\|£E¹ÄQFèohåDè³ßYÃÌÌÌjh£E¹¼MFèOhðåDèßYÃÌÌÌjDh¨£E¹ÀTFè/hPæDèsßYÃÌÌÌj\hð£E¹ÌLFèh°æDèSßYÃÌÌÌjhP¤E¹ÔMFèïhçDè3ßYÃÌÌÌjh`¤E¹äIFèÏhpçDèßYÃÌÌÌjhh¤E¹äOFè¯hÐçDèóÞYÃÌÌÌj<h¤E¹´IFèh0èDèÓÞYÃÌÌÌjhÄ¤E¹IFèohèDè³ÞYÃÌÌÌjhÔ¤E¹PUFèOhðèDèÞYÃÌÌÌjXhè¤E¹¬NFè/hPéDèsÞYÃÌÌÌjhD¥E¹hUFèh°éDèSÞYÃÌÌÌjh\¥E¹,SFèïhêDè3ÞYÃÌÌÌjhh¥E¹¨TFèÏhpêDèÞYÃÌÌÌjht¥E¹¼JFè¯hÐêDèóÝYÃÌÌÌjh\|¥E¹´OFèh0ëDèÓÝYÃÌÌÌjh¥E¹PFèohëDè³ÝYÃÌÌÌjh¥E¹QFèOhðëDèÝYÃÌÌÌjh¥E¹JFè/hPìDèsÝYÃÌÌÌjh¥E¹ÌRFèh°ìDèSÝYÃÌÌÌjh¤¥E¹ÜNFèïhíDè3ÝYÃÌÌÌjh¬¥E¹DPFèÏhpíDèÝYÃÌÌÌjh´¥E¹lOFè¯hÐíDèóÜYÃÌÌÌjh¼¥E¹xTFèh0îDèÓÜYÃÌÌÌjhÄ¥E¹ìPFèohîDè³ÜYÃÌÌÌjhÌ¥E¹8UFèOhðîDèÜYÃÌÌÌjhÔ¥E¹TRFè/hPïDèsÜYÃÌÌÌjhÜ¥E¹¤JFèh°ïDèSÜYÃÌÌÌjhä¥E¹ÔJFèïhðDè3ÜYÃÌÌÌjh¦E¹NFèÏhpðDèÜYÃÌÌÌjh¦E¹UFè¯hÐðDèóÛYÃÌÌÌjh¦E¹¼SFèh0ñDèÓÛYÃÌÌÌjh¦E¹ÄKFèohñDè³ÛYÃÌÌÌjh$¦E¹ÈUFèOhðñDèÛYÃÌÌÌjh4¦E¹KFè/hPòDèsÛYÃÌÌÌjhD¦E¹dNFèh°òDèSÛYÃÌÌÌjhL¦E¹¬KFèïhóDè3ÛYÃÌÌÌjhT¦E¹´LFèÏhpóDèÛYÃÌÌÌjh\¦E¹ÄNFè¯hÐóDèóÚYÃÌÌÌjhd¦E¹LFèh0ôDèÓÚYÃÌÌÌjhl¦E¹dQFèohôDè³ÚYÃÌÌÌjht¦E¹\|QFèOhðôDèÚYÃÌÌÌjh¦E¹LNFè/hPõDèsÚYÃÌÌÌjh¦E¹\JFèh°õDèSÚYÃÌÌÌjh¦E¹ÔSFèïhöDè3ÚYÃÌÌÌjh¦E¹SFèÏhpöDèÚYÃÌÌÌjh¨¦E¹4NFè¯hÐöDèóÙYÃÌÌÌjh°¦E¹ðTFèh0÷DèÓÙYÃÌÌÌjhÄ¦E¹NFèoh÷Dè³ÙYÃÌÌÌjhØ¦E¹TFèOhð÷DèÙYÃÌÌÌjhø¦E¹tMFè/hPøDèsÙYÃÌÌÌjh§E¹<LFèh°øDèSÙYÃÌÌÌjh$§E¹¬QFèïhùDè3ÙYÃÌÌÌjh0§E¹TOFèÏhpùDèÙYÃÌÌÌjhH§E¹àUFè¯hÐùDèóØYÃÌÌÌjhT§E¹TFèh0úDèÓØYÃÌÌÌjhl§E¹,JFèohúDè³ØYÃÌÌÌjh§E¹üLFèOhðúDèØYÃÌÌÌjh§E¹ôNFè/hPûDèsØYÃÌÌÌjh¤§E¹LFèh°ûDèSØYÃÌÌÌjh¸§E¹\|NFèïhüDè3ØYÃÌÌÌjhÄ§E¹üOFèÏhpüDèØYÃÌÌÌjhÐ§E¹¤SFè¯hÐüDèó×YÃÌÌÌjhÜ§E¹NFèh0ýDèÓ×YÃÌÌÌjhð§E¹ØTFèohýDè³×YÃÌÌÌjh¨E¹°UFèOhðýDè×YÃÌÌÌjh¨E¹RFè/hPþDès×YÃÌÌÌj@h¨E¹\MFèh°þDèS×YÃÌÌÌjh\¨E¹ÌOFèïhÿDè3×YÃÌÌÌjLhh¨E¹$OFèÏhpÿDè×YÃÌÌÌj<h¸¨E¹dKFè¯hÐÿDèóÖYÃÌÌÌjhø¨E¹4QFèh0EèÓÖYÃÌÌÌjh©E¹OFèohEè³ÖYÃÌÌÌjh©E¹OFèOhðEèÖYÃÌÌÌjh ©E¹LQFè/hPEèsÖYÃÌÌÌj@h0©E¹üIFèh°EèSÖYÃÌÌÌjPhx©E¹ UFèïhEè3ÖYÃÌÌÌjhÌ©E¹tJFèÏhpEèÖYÃÌÌÌj4hà©E¹SFè¯hÐEèóÕYÃÌÌÌjhªE¹ìMFèh0EèÓÕYÃÌÌÌjPh(ªE¹TLFèohEè³ÕYÃÌÌÌ request_handle: 0x00cc000c	1	1
InternetReadFile June 16, 2024, 10:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdç¹mfð.)®î«ö@` P(å©(p@ã(hS.text¸¬®``.dataÀ²@À.rdataP+Ð,´@@.eh_framà@À.pdata( â@@.xdataø ì@@.bss0À.idataPö@À.CRT``@À.tlsp@À.rsrc(å©æ© @@.relocpð«@BUHåHMHULE DM(]ÃUHåHì èTöHÚÀt¹èO©ë ¹èC©èÞ H7ÛèÞ HÛè¾2HgÙøuH)ÛHÁèË;¸HÄ ]ÃUHåHì0HÛwHÈÚHgHD$ AÑL@H1HÂH#HÁè·¨)HÄ0]ÃUHåHì0ÇEüÿH¤ÙÇè=EüEüHÄ0]ÃUHåHì0ÇEüÿHuÙÇèEüEüHÄ0]ÃUHåHìpHÇEðÇEä0EäeHHEØHEØH@HEèÇEüë!HEðH;Eèu ÇEüëE¹èHCÿÐHMÙHEÐHEèHEÈHÇEÀHMÈHEÀHUÐðH± HEðH}ðu¨H&Ùøu¹è§ë?HÙÀu(HÿØÇHBÙHÂH(ÙHÁè§ë ÇèHÍØøu&HïØHÂHÕØHÁè]§H¦ØÇ}üuHØHE¸HÇE°HU°HE¸HH×HHÀtH×HA¸º¹ÿÐè8HÕØHÁHËAÿÐHØHHýÿÿHÁèèK0 HÁèsè©,H[×HHñHH çHØÎIÈÁè ,ÖÔÀu ÆÁè«¦ÁÀuèD¦ªHÄp]ÃUHåHì H9×ÇH<×ÇH?×ÇH¢ÖHEøHEø·f=MZt ¸éHEø@<HcÐHEøHÐHEðHEð=PEt ¸éHEðHÀHEèHEè··À=t =t)ëVHEè@\øw¸ëHHEèÐÀÀ¶Àë4HEèHEàHEà@løw¸ëHEààÀÀ¶Àë¸HÄ ]ÃUSHìHHl$@M HU(E ÀHHÁàHÁè¥HEðHE(HHEèÇEüéEüHHÅHEèHÐHHÁè¬¥HÀHÀHEàEüHHÅHEðHHEàHÁè0¥HEüHHÅHEèHÐHEüHHÅHEðHÈHHMàIÈHÁè¥EüEü;E eÿÿÿEüHHÅHEðHÐHÇHE(HUðHHÄH[]ÃUHåHì HMHEHÁè2¤HÀt¸ë¸ÿÿÿÿHÄ ]ÃÃff.@1ÀÃff.fUWVSHì(Hl$ H5ºHñÿ>HÃHÀtkHñÿR>H=>H÷¹HÙHÿ×Hú¹HÙHÆÿ×HÂ©HötHH ¯éÿÖH 6HÄ([^_]éÿÿÿfHYÿÿÿH5BÿÿÿH{©ë¼fUHåHì Ha©HÀt H UéÿÐH HÉtHÄ ]Hÿ%û<HÄ ]Ãf.fDUWVSHºÅgV/ëÔ'IÊHI(EJHMBMIÉLÂIûIZIRH¿OëÔ'=®²ÂIB HÞH¯ßHÕHÑÂHÁÆH¯ïHòLÆHÁÆL¯ÇHòHÆHÁÅHÁÆH¯ÇHòIÁÀH¾Êë±y7H¯îL¯ÆH1êHÝH»c®²ÂwÊëH¯ÖHÁÅH¯îHÚH1êH¯ÖHÚI1ÐHÂL¯ÆHÁÂH¯ÖIH1ÂH¯ÖHÚIr0LÚI9ñr`H»OëÔ'=®²ÂHñI¸Êë±y7I»c®²ÂwÊëfDHAøHÁH¯ÃHÁÀI¯ÀH1ÐHÁÀI¯ÀJI9ÉsØLÈL)ÐHHÐHáøHñLAM9Ár5H¹Êë±y7H¯ÁLÁH1ÐHºOëÔ'=®²ÂHÁÀH¯ÂHºùy7±gVHÂL9És2IºÅgV/ëÔ'I¸Êë±y7¶HÁI¯ÂH1ÐHÁÀI¯ÀHÂI9ÉuâHÐHÁè!H1ÐHºOëÔ'=®²ÂH¯ÂHÂHÁêH1ÐHºùy7±gVH¯ÂHÂHÁê H1Ð[^_]ÃHì8LD$PLD$PLL$XLD$(è³=HÄ8Ãff.Hì8LL$XLL$XLL$(èø=HÄ8ÃAWAVAUATUWVSL\$hA;IÊIÔMÉ=C¶DÿIùv1HÇÂÿÿÿÿÀâ½Ð¸)ÐIù%KtøHë@HÉ¶A¶JcHÙÿá@A¶HHÁá0HÊA¶HHÁá(HÊA¶HHÁá HÊA¶HHÁáHÊA¶HHÁáHÊA¶HHÁáHÊÀQ½È¸ LÆD)ÈÁà)ÈÁïK,"MK@¶ÿMhLuýû÷Ûã?éÁfI9ð?ÂHñÁêAÓL)ÙL9ÁÁâHÎ)ÐHM9ò¬ÁIÓIÂIÓãÙIÓëKYD¶YD¶9AÃHÐEzüDÙHÓàÙHÓèIA¶¶@DØAJýIÓÁIÓãÙIÓëKYD¶YD¶9AÃHÐEzþDÙHÓàÙHÓèIA¶¶@DØAJÿø@w!L9î8ÿÿÿÂàÁêH)ÖHM9òUÿÿÿI9ês/÷ßç?ÁIÓIÂIÓãùIÓëOYA¶E¶[AJÿDØL9ÕuÖI9ðt4HÇÂìÿÿÿHÐ[^_]A\A]A^A_ÃHòL)ÂÑÁâH)Î)ÐHëI9êrLâø@uÄëÉfHÇÂ¸ÿÿÿHÐ[^_]A\A]A^A_ÃLÊë¤@AVAUATUWVSL\$`A3HÕMÉBC¶DÿIùv6HÇÂÿÿÿÿÀä½Ð¸)ÐIù(K\ request_handle: 0x00cc000c	1	1
InternetReadFile June 16, 2024, 10:01 a.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $dgRF < < <Op9<Op¢8<Opw<)~¯#< =w<Op!<Op¦!<Op¡!<Rich <PELhiºdà >È0P@Y¬v(Ôvps(s@P0.textÀ<> `.rdata¨-P.B@@.dataö$p@À.rsrc@@VñÇsDèøöD$tVè]YÆ^Âá4ïÆÃUl$ìepEh¡ÐDìýÿÿ¡ÔDVsèýÿÿWEpÇàýÿÿ¹y7è¸ÿÿÿ¡ØDEp?=ÜDäýÿÿÇðýÿÿ ÇEôEôEhÈÁáäýÿÿMt Eù©u ÇE@.ëíùëu%EMpÈEhÁèElElÇ3Á3EtÇüEî=êô+ðElÆÁàEtìýÿÿEtMpÆÁèÎElèýÿÿEl1Mt=EuhðqDjjÿ4PDEl1EtEt)EhÇ`ÿÿÿ²°UÇ@ÿÿÿs·eÇPÿÿÿÃh<Çÿÿÿ6Çhÿÿÿ÷ BÇEÐæGÇE0ÆÄõ?ÇLÿÿÿÐæLÇþÿÿü2ÇEuM6ÇEØqvbÇEdÒ£ÇÔþÿÿüºwÇEÔ(×ÇE4Â²oRÇELàSkÇE´¦ß6XÇlÿÿÿåFoÇàþÿÿ«{\ÇÜþÿÿ!ofÇE(ËrÇÀþÿÿvtÅÇ ÿÿÿÜ{gVÇÿÿÿiÚ¾?Çpÿÿÿl÷³Çÿÿÿ@HÇðþÿÿhw'ÇEf·OÇE¼IQÝÇ\|ÿÿÿðdCZÇE8dÇE¬ÿ7§ÇXÿÿÿï°-ÇEÜ"Ç(ÿÿÿ¶ò=yÇxÿÿÿ&¬KÇÈþÿÿ}²ÇE@9Ë#:ÇEG«ÇEH.:àÇE tÇôýÿÿccÇÌþÿÿaU"ÇET9[ÇTÿÿÿç/K ÇEÅ ôÇüþÿÿìwð=ÇEü`3ÇE<ÑâÇE«DÇ þÿÿçIÇ,ÿÿÿõíMÇEàý]+ÇE -2ÇE6é¾hÇEè]sHÇÿÿÿ¢ÃÂIÇ\|þÿÿRÇEP7Ð0ÇÄþÿÿµZdrÇ4ÿÿÿCoö Ç¼þÿÿ>6cÇHÿÿÿ²5ÇEnÙS?ÇEäÜÍ jÇ\ÿÿÿ²å ÇE±x[ÇE ¢S\sÇøþÿÿQíÇìþÿÿ2<8ÇÐþÿÿi\|QÇEX¬G#ÇE` ^(Çÿÿÿz;VÇ¨þÿÿq>÷ÇEðxÜAÇ¤þÿÿFPÇEr÷JiÇEø¨5qÇüýÿÿÞ6Çxþÿÿ¤GoÇE¤ÕHÇE¨xy~ÇEÙºhÇEbÎR!Ç¸þÿÿtF@cÇEÄ$¾,hÇØþÿÿIjF_Ç<ÿÿÿ!#WÇ¬þÿÿó%zÇdÿÿÿEð#ÇE$¿&>ÇþÿÿóZÇèþÿÿÂ´ÇE¤e\|îDÇ0ÿÿÿÀÃÁQÇE°£æ£"ÇE\.8\Çþÿÿ»nQÇ´þÿÿdAñ1ÇE¸lî Çdþÿÿ6óìÇÿÿÿøié/Ç`þÿÿ¬[ÇE(upEÇ$ÿÿÿÈAmÇEÀÎ/pxÇÿÿÿ:A\|Ç þÿÿºN9ÇEÌ{{°}ÇEÈJÌØÇþÿÿQGKÇED`ú¼@Ç(þÿÿ²Nø#ÇþÿÿªfÇþÿÿäÈ)Ç$þÿÿ~%Çøýÿÿ¾s6ÇE,Ãàl?ÇDþÿÿ?Çþÿÿ·lcÇDÿÿÿ§3+ÇXþÿÿ·¼û4Ç4þÿÿRµnÇLþÿÿ±1Çþÿÿ©à+ÇtÿÿÿíYÇEÇEì.Çhþÿÿ¥¿GvÇTþÿÿX6ÓÇlþÿÿº kÇäþÿÿzP7ÇpþÿÿR1PÇÿÿÿs¢Ç8ÿÿÿ¹ÞfÇôþÿÿ:2@ÇHþÿÿÆ³>Çþÿÿ517OÇþÿÿ:OÎZÇþÿÿò{ ,Çþÿÿ§ÂxÇþÿÿÀmo Ç<þÿÿõ{IÇtþÿÿ«æ-,ÇþÿÿR ÇEªYÇ0þÿÿØWjÇPþÿÿ]GÇ\þÿÿë¥.ÇþÿÿÐÂÇþÿÿ££(,Ç°þÿÿË/~Ç8þÿÿó r#Ç,þÿÿ¾fÇ@þÿÿQG²`ÿÿÿ®}b¸ Î:÷¥`ÿÿÿ`ÿÿÿ`ÿÿÿ;Õºs@ÿÿÿ)51@ÿÿÿ!ÏD@ÿÿÿÒjO`ÿÿÿØÐj`ÿÿÿ»}`ÿÿÿ%¤=-¸iÍy÷¥`ÿÿÿ`ÿÿÿ@ÿÿÿ9¥¾ ¸!¨a@÷¥@ÿÿÿ@ÿÿÿ¸Z÷¥`ÿÿÿ`ÿÿÿ¸'wËE÷¥`ÿÿÿ`ÿÿÿ¸Õ_B÷¥`ÿÿÿ`ÿÿÿ`ÿÿÿ£J¸ÑB¤G÷¥hÿÿÿhÿÿÿm0C1JZ@ÿÿÿA`ÿÿÿ£']¸"æ~÷¥LÿÿÿLÿÿÿ¸ë^÷¥`ÿÿÿ`ÿÿÿÿÿÿUXú+hÿÿÿ\ê\|EÐcK*¸Zíë&÷¥PÿÿÿPÿÿÿ¸6=÷¥PÿÿÿPÿÿÿ¸ "·÷eØEØÿÿÿ½vÂ1ÿÿÿSr±`ÿÿÿû)Ï3PÿÿÿCMâ¸!`og÷e0E0mÔß ê+hÿÿÿßs£_¸P©N÷¥ÔþÿÿÔþÿÿEd&/x¸\;q(÷¥@ÿÿÿ@ÿÿÿ¸þr'÷¥PÿÿÿPÿÿÿ¸¥ô4/÷eLELPÿÿÿ>¥m¸S'«;÷eÔEÔ¸>Ä}÷e4E4¸%d%÷¥hÿÿÿhÿÿÿÀþÿÿªóWl¸0&ef÷eÔEÔPÿÿÿY l`ÿÿÿj(¸Ä1u÷¥ÿÿÿÿÿÿ@ÿÿÿvhdc¸àZ!p÷eEÔþÿÿÈ®w&Pÿÿÿº_¸}'Y÷¥hÿÿÿhÿÿÿEIE%_ì+E¶äs¸©)÷¥ ÿÿÿ ÿÿÿ¸íüíl÷e8E8m8Ý LmLHðþÿÿ=RD¸ÔÆ©&÷eÜEÜlÿÿÿ StEë"cÿÿÿè^þ1xÿÿÿD6+¸S¡T÷¥@ÿÿÿ@ÿÿÿÔþÿÿoþWàþÿÿÖ Wu¸¿d}÷¥@ÿÿÿ@ÿÿÿ¸¹Js÷e¬E¬xÿÿÿLqE·Ï/1E´}3+mEçE´ªX$¸×#÷eÔEÔÜþÿÿÕ3mÔÚfôFm¼gfd(ÿÿÿdT4m´L0ß<pÿÿÿýdõWEØóÒ/ÔþÿÿµGcÀþÿÿL¶J¸ÅL÷eÜEÜmLözàþÿÿ¼þ~m 4©&EÜ¬½Ñ(¸ëm÷e¼E¼`ÿÿÿgMmHM¸Í$P?÷¥hÿÿÿhÿÿÿxÿÿÿÏË[xÿÿÿCõsP¸QÆAF÷¥ÀþÿÿÀþÿÿmo'ÂEÜ¹?ÏG¸èªP÷¥PÿÿÿPÿÿÿ¸èUñ÷¥ÿÿÿÿÿÿEÝa\@ÿÿÿýK}E8®°%lÿÿÿûá]pÿÿÿ«;6Ìþÿÿ6Ç0mØPgK¸Ôy÷eE¸ó-½!÷e¬E¬m0çç<m4?$ím4º¡b¸¦ïY,÷¥(ÿÿÿ(ÿÿÿ@ÿÿÿë724`ÿÿÿ] Sÿÿÿ DEèºy$¸4IIP÷¥ ÿÿÿ ÿÿÿm¬iÃø_Eîdz4hÿÿÿ¿¡¸Y£÷e@E@E42ÏX request_handle: 0x00cc000c	1	1
InternetReadFile June 16, 2024, 10:01 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdÒ®eð"(@@0)`¨Ë<)Ð( )x °(´8@ÍX.textV `.rdataü"°$@@.dataé'àÖ'º@À.pdataÐ((@@.00cfgà((@@.tlsð((@À.rsrc)(@@.relocx )¬(@BVHì H ÇH ÇH ÇH Õ·1ÀúMZuKHcQ<<PEu>HÑ·Qútúu'ytr!HÁèë¹rHÁø1À9ÀH 9¡£(¹ÙèHÙ0è 0H¹0èê0èH,8uH è 1ÀHÄ ^ÃHì(H=£(H6£(H oD HD$ H $£(H!£(L"£(è}HÄ(ÃHì(HÕÇè HÄ(ÃfAWAVVWSHì eH%0HxH5É1ÀðH±>Ãt.H9Çt)L5Ù¼f¹èAÿÖ1ÀðH±>ÃtH9ÇuçH=øu¹èÿë'?t Æy¢(ëÇH zH{èöøuH PHQèÜÇÛt1ÀHHæHHÀt1ÉºE1ÀÿÆÍ(è9H Âÿ¼H åHH +è& èHc=Î¡(HýèHÆHÿ~GûL5´¡(E1ÿfKþèHxHùèkJþKþHÁIøèhIÿÇL9ûuÐë1ÛHÇÞH5e¡(èØHa¡(H "H H B¡(H?¡(L@¡(è)A¡(=¡(t =-¡(uè®$¡(HÄ [_^A^A_ÃÁèÅÌ@Hì(HÅÇèúýÿÿHÄ(ÃfHì(è1ÉHøÉÈHÄ(ÃÃÌÌÌXHL$HT$LD$LL$ Hì( MÌèNÌH1ÉèHCÌH1À6ÌHÄ(HL$HT$LD$LL$ IÊ ÌÿÌÿ5ÌÃÇòË èÿÿÿÇãËQ²?èrÿÿÿÇÔË= C}ècÿÿÿÇÅËÈ\%,èTÿÿÿÇ¶ËÅ$VèEÿÿÿÇ§Ë²Åè6ÿÿÿÇË{ºÛ8è'ÿÿÿÇË TñèÿÿÿÇzËhypüè ÿÿÿÇkËÁÜRÔèúþÿÿÇ\ËÑú_ÓèëþÿÿÇMË`4ÞèÜþÿÿÇ>ËèÍþÿÿÇ/Ëè¾þÿÿÇ ËÇ*éè¯þÿÿÇË]laàè þÿÿÇËËKÓàèþÿÿÇóÊÙâèþÿÿÇäÊ>ÄèsþÿÿÇÕÊ£®~èdþÿÿÇÆÊ6ÿ8èUþÿÿÇ·ÊëË?ìèFþÿÿÇ¨Ên©è7þÿÿÇÊ)?âè(þÿÿÇÊ5¥@dèþÿÿÇ{Êq¼²è þÿÿÇlÊµ¨èûýÿÿÇ]ÊìlÃèìýÿÿÇNÊ_ôèÝýÿÿÇ?ÊÍ=èÎýÿÿÇ0Ê<]]Êè¿ýÿÿÇ!Ênöè°ýÿÿÇÊEÀè¡ýÿÿÌÌÌÌÌÌÌÌÌÌÌÌÌHì(H ÊHHÀt.ffff.ÿâÉ(HëÉHHH àÉH@HÀußHÄ(Ãf.VWSHì H5:øÿu¸ÿÿÿÿfDHÿÀH<ÎuôÀt%ÇHÿÏHûHDþÿmÉ(HÿËÿHßuëH TÿÿÿHÄ [_^é¸üÿÿVWSHì =(tHÄ [_^ÃÆ(H5²øÿu¸ÿÿÿÿfffff.HÿÀH<ÎuôÀt%ÇHÿÏHûHDþÿÝÈ(HÿËÿHßuëH ÄþÿÿHÄ [_^é(üÿÿÌÌÌÌÌÌÌÌ1ÀÃÌÌÌÌÌÌÌÌÌÌÌÌÌVWHì(Hc8tÇút<úuAH5¿³H=¸³H9÷uë,fHÇH9þtHHÀtïÿQÈ(ëçºè ¸HÄ(_^Ã1ÀÃffff.Hì(útÒuèî¸HÄ(ÃÌÌÌÌVWHì8HÎÿÈøwHH ÑHc<HÏëH=¹è[ LNFòN òL$0D$ HkHÁIøè11ÀHÄ8_^ÃÌÌÌÌÌÌÌÌÛãÃÌÌÌÌÌÌÌÌÌÌÌÌÌUAWAVAUATVWSHìHl$=ü(mÆï(Hì ènHÄ HHHÅHàðè H)ÄHàHÆ(ÇÄ(H=ÅHøH+ÃHøH²HøH)ØHø\|,H;u/H{u"HHXxHEØ;u {ÓH;\sHL5«Huffffff.KB1LñEHì A¸HòèHÄ HÃH9ûrÒ(À~g¿Hì(1ÛHuøL5¿´ëffff.HÿÃHcÈHÇ(H9Ë}0DD:ðEÀtçHL:øH:Hì IñAÿÖHÄ H((ëÁHe[_^A\A]A^A_]ÃSú[HÃH;yaÿÿÿL5ÄL=½A¼HuøI½ÿÿÿÿëffffff.HÃH9û!ÿÿÿKAÈAàøAÀøA¬ÈAø×CLðN2OcMúAÿâD¶MÿÿÿEÛëD·MÿÿfEÛë DO+EÛMIÓëLLòI)ÒMÊLUø¶Ñú?w&IÇÃÿÿÿÿÑIÓãI÷ÓM9ÚLJÿIÇÃÿÿÿÿIÓãM9Ú\|:AøDÿÿÿE£Ä:ÿÿÿIcÈH0LÊHì HÁHòèMHÄ éÿÿÿHì0LT$ H IÀèÌ¶ÑHì H Øè¹Hì H è©ÌAWAVATVWSHìXLÇHÓHÎD=ë(Eÿ~GH×(JýH1ÒëHÂ(H9Ñt#LDI9ðwíLL EIMÈI request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.982905320316767, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98290532032

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a8e00', u'virtual_address': u'0x00324000', u'entropy': 7.953702179004272, u'name': u'fbxmxckk', u'virtual_size': u'0x001a9000'}

entropy

7.953702179

description

A section with a high entropy has been found

entropy

0.994190652231

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 16, 2024, 10:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW June 16, 2024, 10:01 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Yara rule detected in process memory (9 events)

description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (50 out of 51 events)

Time & API	Arguments	Status
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x000003e8 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: 7-Zip base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: AddressBook base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: Adobe AIR base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: Connection Manager base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: DirectDrawEx base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: EditPlus base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: Fontcore base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: Google Chrome base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: IE40 base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: IE4Data base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: IE5BAKEX base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: IEData base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: MobileOptionPack base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: SchedulingAgent base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: WIC base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW June 16, 2024, 10:01 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x000003e8 key_handle: 0x000003f4 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Communicates with host for which no DNS query was performed (4 events)

host	185.172.128.116
host	185.172.128.19
host	185.215.113.67
host	77.91.77.81

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 16, 2024, 10:01 a.m.	process_identifier: 368 region_size: 364544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000248	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 361 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA June 16, 2024, 10 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 16, 2024, 10 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA June 16, 2024, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (2 events)

file	C:\Windows\Tasks\axplong.job
file	C:\Windows\Tasks\Hkbsse.job

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 16, 2024, 10:01 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELã_fà¶À@@öx0S÷.textrµ¶ `.rdata7*Ð,º@@.data0.æ@À.relocS0T@B base_address: 0x00400000 process_identifier: 368 process_handle: 0x00000248	1	1	0
WriteProcessMemory June 16, 2024, 10:01 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 368 process_handle: 0x00000248	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 16, 2024, 10:01 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELã_fà¶À@@öx0S÷.textrµ¶ `.rdata7*Ð,º@@.data0.æ@À.relocS0T@B base_address: 0x00400000 process_identifier: 368 process_handle: 0x00000248	1	1	0

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW June 16, 2024, 10:01 a.m.	key_handle: 0x000003f4 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2412 called NtSetContextThread to modify thread in remote process 368
NtSetContextThread June 16, 2024, 10:01 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4232128 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000244 process_identifier: 368	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2412 resumed a thread in remote process 368
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x00000244 suspend_count: 1 process_identifier: 368	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ June 16, 2024, 10 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 40 17 00 00 ba ac e2 exception.symbol: random+0x1ff3a5 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2093989 exception.address: 0x114f3a5 registers.esp: 2621140 registers.edi: 4730608 registers.eax: 1447909480 registers.ebp: 4006522900 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 18141970 registers.ecx: 20	1	0	0

Executed a process and injected code into it, probably while unpacking (50 out of 74 events)

Time & API	Arguments	Status	Return
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000001e8 suspend_count: 1 process_identifier: 1696	1	0
CreateProcessInternalW June 16, 2024, 10:01 a.m.	thread_identifier: 2264 thread_handle: 0x000003e0 process_identifier: 2260 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\8254624243\axplong.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003dc	1	1
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 2260	1	0
CreateProcessInternalW June 16, 2024, 10:01 a.m.	thread_identifier: 2764 thread_handle: 0x00000470 process_identifier: 2760 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000474	1	1
CreateProcessInternalW June 16, 2024, 10:01 a.m.	thread_identifier: 2816 thread_handle: 0x00000448 process_identifier: 2812 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000007001\redline123123.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000488	1	1
CreateProcessInternalW June 16, 2024, 10:01 a.m.	thread_identifier: 2924 thread_handle: 0x000003a0 process_identifier: 2920 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000008001\upd.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
CreateProcessInternalW June 16, 2024, 10:01 a.m.	thread_identifier: 2976 thread_handle: 0x00000454 process_identifier: 2972 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000025001\setup222.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000494	1	1
CreateProcessInternalW June 16, 2024, 10:01 a.m.	thread_identifier: 3064 thread_handle: 0x00000480 process_identifier: 3060 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000035001\gold.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000048c	1	1
CreateProcessInternalW June 16, 2024, 10:01 a.m.	thread_identifier: 2196 thread_handle: 0x00000448 process_identifier: 792 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000047001\lummac2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000049c	1	1
CreateProcessInternalW June 16, 2024, 10:01 a.m.	thread_identifier: 948 thread_handle: 0x00000484 process_identifier: 2412 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000063001\drivermanager.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004a0	1	1
CreateProcessInternalW June 16, 2024, 10:01 a.m.	thread_identifier: 2868 thread_handle: 0x00000458 process_identifier: 2872 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000064001\NewLatest.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000064001\NewLatest.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000064001\NewLatest.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004a8	1	1
CreateProcessInternalW June 16, 2024, 10:01 a.m.	thread_identifier: 1200 thread_handle: 0x00000454 process_identifier: 2828 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000070001\monster.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000070001\monster.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000070001\monster.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004ac	1	1
CreateProcessInternalW June 16, 2024, 9:54 a.m.	thread_identifier: 2872 thread_handle: 0x0000000000000084 process_identifier: 2868 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\onefile_2760_133629768733125000\stub.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000005001\judit.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\onefile_2760_133629768733125000\stub.exe stack_pivoted: 0 creation_flags: 32 (NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x0000000000000088	1	1
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x0000032c suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000003ac suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000003c8 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000003e0 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000003f8 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x00000414 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x00000430 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x00000468 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x0000056c suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x00000420 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000003dc suspend_count: 1 process_identifier: 2812	1	0
NtGetContextThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x000003b8 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:01 a.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:02 a.m.	thread_handle: 0x00000538 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 10:02 a.m.	thread_handle: 0x00000698 suspend_count: 1 process_identifier: 2812	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x00000000000004cc suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x00000000000004ec suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x0000000000000508 suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x0000000000000504 suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x0000000000000508 suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x000000000000054c suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x000000000000054c suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x0000000000000538 suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x000000000000054c suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:54 a.m.	thread_handle: 0x0000000000000570 suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:55 a.m.	thread_handle: 0x000000000000056c suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:55 a.m.	thread_handle: 0x0000000000000568 suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:55 a.m.	thread_handle: 0x00000000000004f0 suspend_count: 1 process_identifier: 2972	1	0
NtResumeThread June 16, 2024, 9:55 a.m.	thread_handle: 0x0000000000000274 suspend_count: 1 process_identifier: 2972	1	0

File has been identified by 41 AntiVirus engines on VirusTotal as malicious (41 events)

Bkav	W32.AIDetectMalware
Lionic	Virus.Generic.AI.1!c
tehtris	Generic.Malware
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Trojan.GenericKDZ.107415
Cylance	Unsafe
VIPRE	Trojan.GenericKDZ.107415
BitDefender	Trojan.GenericKDZ.107415
Arcabit	Trojan.Generic.D1A397
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Trojan.GenericKDZ.107415
Rising	Stealer.RisePro!8.176E1 (TFE:2:IW4ctOC6JVQ)
Emsisoft	Trojan.GenericKDZ.107415 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!0F2C5D3966F2
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.0f2c5d3966f262c0
Sophos	Generic ML PUA (PUA)
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=80)
Gridinsoft	Trojan.Heur!.038120A1
Microsoft	Trojan:Win32/Sabsik.RD.A!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Trojan.GenericKDZ.107415
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36806.2DWaaWlJZHei
DeepInstinct	MALICIOUS
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
SentinelOne	Static AI - Malicious PE
MaxSecure	Win.MxResIcn.Heur.Gen
Fortinet	W32/Themida.HZB!tr
AVG	Win32:TrojanX-gen [Trj]

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All