Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 26, 2024, 10:25 a.m.	July 26, 2024, 10:30 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`25db2d5ac24b8e34330f8dd7882b6dd6`
SHA256	`034c2236e93baac32f5dc1715f3f021e4b8b95a08e4be332dc8e660b34b71857`
CRC32	`C6EA2235`
ssdeep	`49152:mQB8aH+5TfESZfhaeGumioMylPicqjCbedqfP:rB8KeBpq6otl8jCoqfP`
Yara	PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
1440
- axplong.exe "C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe"
  2224
  - build.exe "C:\Users\test22\AppData\Local\Temp\1000001001\build.exe"
    2772
  - crypted.exe "C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe"
    2876
  - 5447jsX.exe "C:\Users\test22\AppData\Local\Temp\1000003001\5447jsX.exe"
    2932
  - crypteda.exe "C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe"
    3060
  - svhosts.exe "C:\Users\test22\AppData\Local\Temp\1000006001\svhosts.exe"
    2076
  - 25072023.exe "C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe"
    2192
  - pered.exe "C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe"
    1896
    - pered.exe "C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe"
      2856
  - 2020.exe "C:\Users\test22\AppData\Local\Temp\1000012001\2020.exe"
    3012
    - 2020.exe "C:\Users\test22\AppData\Local\Temp\1000012001\2020.exe"
      2800
  - 4ck3rr.exe "C:\Users\test22\AppData\Local\Temp\1000013001\4ck3rr.exe"
    2988
  - gawdth.exe "C:\Users\test22\AppData\Local\Temp\1000014001\gawdth.exe"
    2824
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat" "
      1596
      - clamer.exe clamer.exe -priverdD
        2684
        
        lofsawd.exe "C:\Users\test22\AppData\Local\Temp\RarSFX1\lofsawd.exe"
        1520
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
coe.com.vn	A 103.28.36.182	103.28.36.182
mkstat595.xyz

IP Address	Status	Action
185.215.113.16	Active	Moloch
185.215.113.67	Active	Moloch
103.28.36.182	Active	Moloch
164.124.101.2	Active	Moloch
38.180.203.208	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.16:80 -> 192.168.56.103:49164	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49164	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.16:80 -> 192.168.56.103:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.103:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2022491	ET HUNTING Download Request Containing Suspicious Filename - Crypted	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49201 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49204 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.28.36.182:443 -> 192.168.56.103:49205	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 103.28.36.182:443 -> 192.168.56.103:49213	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49216 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.67:40960 -> 192.168.56.103:49222	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49211 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49212 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49215 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.103:49222	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 103.28.36.182:443 -> 192.168.56.103:49217	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 185.215.113.67:40960 -> 192.168.56.103:49222	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 38.180.203.208:14238 -> 192.168.56.103:49228	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 38.180.203.208:14238 -> 192.168.56.103:49228	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49222 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49228 -> 38.180.203.208:14238	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.103:49167 -> 185.215.113.16:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (26 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 26, 2024, 10:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:26 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 26, 2024, 10:27 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 65 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 26, 2024, 10:25 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:25 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:25 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:25 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:25 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:25 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:25 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:25 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:25 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:25 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:26 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:27 a.m.			0	0
IsDebuggerPresent July 26, 2024, 10:27 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (34 events)

Time & API	Arguments	Status	Return
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00535dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00535dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00535dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00535dc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00535e40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00535e40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00535d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00535d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00535d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00535d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00535d40 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005364c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005364c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00536680 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00536340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00536340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00536200 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00528fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00528fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00528fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00528fb0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00529030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00529030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00528f30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00528f30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00528f30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00528f30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00528f30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005296f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005296f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005298b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0590b220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0590b220 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 26, 2024, 10:27 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00529e70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 26, 2024, 10:18 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	bauryisr
section	doglopfu
section	.taggant

One or more processes crashed (50 out of 258 events)

Time & API	Arguments	Status
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x3230b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3289273 exception.address: 0x5e30b9 registers.esp: 9043652 registers.edi: 0 registers.eax: 1 registers.ebp: 9043668 registers.edx: 7905280 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 57 e9 95 fb ff ff 52 e9 c3 fc ff ff 81 ed 42 exception.symbol: random+0x6d96f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 448879 exception.address: 0x32d96f registers.esp: 9043620 registers.edi: 1971192040 registers.eax: 31432 registers.ebp: 3993350164 registers.edx: 2883584 registers.ebx: 1610113865 registers.esi: 3 registers.ecx: 3361141	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb e9 d1 00 00 00 c1 e8 07 c1 e8 02 e9 0d 00 00 exception.symbol: random+0x6d7cd exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 448461 exception.address: 0x32d7cd registers.esp: 9043620 registers.edi: 1971192040 registers.eax: 31432 registers.ebp: 3993350164 registers.edx: 2883584 registers.ebx: 4294938948 registers.esi: 240873 registers.ecx: 3361141	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 8a 03 89 00 89 1c 24 bb da b5 df exception.symbol: random+0x6e94e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 452942 exception.address: 0x32e94e registers.esp: 9043616 registers.edi: 1971192040 registers.eax: 27465 registers.ebp: 3993350164 registers.edx: 3334092 registers.ebx: 464140324 registers.esi: 240873 registers.ecx: 1272511932	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 51 e9 66 01 00 00 81 c1 ad 92 c1 12 81 c2 36 exception.symbol: random+0x6e8d5 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 452821 exception.address: 0x32e8d5 registers.esp: 9043620 registers.edi: 1971192040 registers.eax: 27465 registers.ebp: 3993350164 registers.edx: 3361557 registers.ebx: 464140324 registers.esi: 240873 registers.ecx: 1272511932	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 56 83 ec 04 89 04 24 57 e9 56 05 00 00 81 eb exception.symbol: random+0x6e085 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 450693 exception.address: 0x32e085 registers.esp: 9043620 registers.edi: 1259 registers.eax: 27465 registers.ebp: 3993350164 registers.edx: 3337361 registers.ebx: 464140324 registers.esi: 0 registers.ecx: 1272511932	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 81 c1 bd 37 ff 3e 81 c1 a5 9e ff 4f e9 73 08 exception.symbol: random+0x1e90c8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2003144 exception.address: 0x4a90c8 registers.esp: 9043616 registers.edi: 3369914 registers.eax: 26421 registers.ebp: 3993350164 registers.edx: 2345 registers.ebx: 425984 registers.esi: 4885920 registers.ecx: 4886406	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb e9 a9 07 00 00 81 ed 03 62 3b 6e 57 bf c1 a5 exception.symbol: random+0x1e9319 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2003737 exception.address: 0x4a9319 registers.esp: 9043620 registers.edi: 3369914 registers.eax: 26421 registers.ebp: 3993350164 registers.edx: 17688915 registers.ebx: 425984 registers.esi: 4294943964 registers.ecx: 4912827	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb e9 e5 01 00 00 50 e9 1a 03 00 00 31 f0 e9 59 exception.symbol: random+0x1ef64b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2029131 exception.address: 0x4af64b registers.esp: 9043620 registers.edi: 3369914 registers.eax: 31403 registers.ebp: 3993350164 registers.edx: 2130566132 registers.ebx: 4943236 registers.esi: 4294943964 registers.ecx: 921	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb e9 a4 08 00 00 ba 24 6d d3 f4 29 f2 8b 34 24 exception.symbol: random+0x1ef32f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2028335 exception.address: 0x4af32f registers.esp: 9043620 registers.edi: 4294938876 registers.eax: 1549541099 registers.ebp: 3993350164 registers.edx: 2130566132 registers.ebx: 4943236 registers.esi: 4294943964 registers.ecx: 921	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 68 8f c5 92 21 89 2c 24 e9 b7 f6 ff ff c1 ed exception.symbol: random+0x1f31d3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2044371 exception.address: 0x4b31d3 registers.esp: 9043620 registers.edi: 4294937528 registers.eax: 0 registers.ebp: 3993350164 registers.edx: 0 registers.ebx: 4928177 registers.esi: 202985 registers.ecx: 4914842	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 89 0c exception.symbol: random+0x1f94ea exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2069738 exception.address: 0x4b94ea registers.esp: 9043612 registers.edi: 9907952 registers.eax: 1447909480 registers.ebp: 3993350164 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 4949616 registers.ecx: 20	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x1fa2e3 exception.address: 0x4ba2e3 exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 2073315 registers.esp: 9043612 registers.edi: 9907952 registers.eax: 1 registers.ebp: 3993350164 registers.edx: 22104 registers.ebx: 0 registers.esi: 4949616 registers.ecx: 20	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 76 2c 2d 12 01 exception.symbol: random+0x1fc7eb exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2082795 exception.address: 0x4bc7eb registers.esp: 9043612 registers.edi: 9907952 registers.eax: 1447909480 registers.ebp: 3993350164 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 4949616 registers.ecx: 10	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 55 54 5d e9 4c 06 00 00 53 bb 00 c8 ef 5c 01 exception.symbol: random+0x2013bb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2102203 exception.address: 0x4c13bb registers.esp: 9043616 registers.edi: 4984449 registers.eax: 30782 registers.ebp: 3993350164 registers.edx: 2130566132 registers.ebx: 60114077 registers.esi: 10 registers.ecx: 761593856	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 52 50 52 ba 00 46 cf 5f 50 c7 04 24 98 84 7a exception.symbol: random+0x20111f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2101535 exception.address: 0x4c111f registers.esp: 9043620 registers.edi: 4987967 registers.eax: 30782 registers.ebp: 3993350164 registers.edx: 0 registers.ebx: 60114077 registers.esi: 1426090592 registers.ecx: 761593856	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 56 e8 03 00 00 00 20 5e c3 5e exception.symbol: random+0x201e4f exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 2104911 exception.address: 0x4c1e4f registers.esp: 9043580 registers.edi: 0 registers.eax: 9043580 registers.ebp: 3993350164 registers.edx: 62965 registers.ebx: 4988902 registers.esi: 12255232 registers.ecx: 1375597776	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 68 70 dc 3e 7d e9 25 ff ff ff 81 c1 ab 76 b6 exception.symbol: random+0x2119b2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2169266 exception.address: 0x4d19b2 registers.esp: 9043620 registers.edi: 0 registers.eax: 1474398545 registers.ebp: 3993350164 registers.edx: 5054199 registers.ebx: 60114299 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb e9 12 fe ff ff 59 89 f3 5e 53 89 e3 81 c3 04 exception.symbol: random+0x21905d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2199645 exception.address: 0x4d905d registers.esp: 9043608 registers.edi: 0 registers.eax: 27392 registers.ebp: 3993350164 registers.edx: 1373805658 registers.ebx: 5082044 registers.esi: 1976321244 registers.ecx: 1373805658	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb e9 4c 04 00 00 93 f7 d0 93 c1 e3 01 52 ba 02 exception.symbol: random+0x218e16 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2199062 exception.address: 0x4d8e16 registers.esp: 9043612 registers.edi: 0 registers.eax: 27392 registers.ebp: 3993350164 registers.edx: 1373805658 registers.ebx: 5109436 registers.esi: 1976321244 registers.ecx: 1373805658	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 53 e9 2a fc ff ff 29 f6 ff 34 33 81 34 24 63 exception.symbol: random+0x219261 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2200161 exception.address: 0x4d9261 registers.esp: 9043612 registers.edi: 584018 registers.eax: 27392 registers.ebp: 3993350164 registers.edx: 1373805658 registers.ebx: 5109436 registers.esi: 4294942620 registers.ecx: 1373805658	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 50 51 b9 ef 46 ff 7d 83 e9 01 81 f1 40 98 00 exception.symbol: random+0x21a02f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2203695 exception.address: 0x4da02f registers.esp: 9043608 registers.edi: 584018 registers.eax: 32380 registers.ebp: 3993350164 registers.edx: 5085148 registers.ebx: 349657203 registers.esi: 4294942620 registers.ecx: 1361785591	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 51 57 52 c7 04 24 f8 a7 77 7d 8b 3c 24 81 c4 exception.symbol: random+0x219a51 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2202193 exception.address: 0x4d9a51 registers.esp: 9043612 registers.edi: 584018 registers.eax: 32380 registers.ebp: 3993350164 registers.edx: 5117528 registers.ebx: 349657203 registers.esi: 4294942620 registers.ecx: 1361785591	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb e9 1f 02 00 00 5b 31 ee 5d 81 c6 0a ba 8b 3f exception.symbol: random+0x219b19 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2202393 exception.address: 0x4d9b19 registers.esp: 9043612 registers.edi: 84201 registers.eax: 0 registers.ebp: 3993350164 registers.edx: 5088076 registers.ebx: 349657203 registers.esi: 4294942620 registers.ecx: 1361785591	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 04 03 00 00 81 ea 45 ac e4 7b 81 exception.symbol: random+0x21e9bf exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2222527 exception.address: 0x4de9bf registers.esp: 9043612 registers.edi: 84201 registers.eax: 27400 registers.ebp: 3993350164 registers.edx: 5109125 registers.ebx: 1585073651 registers.esi: 0 registers.ecx: 14827	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb e9 7b 03 00 00 55 bd 03 8b ff 3f 50 b8 54 87 exception.symbol: random+0x23b272 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2339442 exception.address: 0x4fb272 registers.esp: 9043580 registers.edi: 0 registers.eax: 29301 registers.ebp: 3993350164 registers.edx: 5251655 registers.ebx: 130 registers.esi: 5218569 registers.ecx: 761593856	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 50 89 2c 24 57 68 de 97 5a 5a 89 34 24 c7 04 exception.symbol: random+0x23b012 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2338834 exception.address: 0x4fb012 registers.esp: 9043580 registers.edi: 0 registers.eax: 607947088 registers.ebp: 3993350164 registers.edx: 5251655 registers.ebx: 130 registers.esi: 5218569 registers.ecx: 4294941024	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb bb 81 c7 7f 4e e9 07 01 00 00 83 c1 04 87 0c exception.symbol: random+0x23bdab exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2342315 exception.address: 0x4fbdab registers.esp: 9043580 registers.edi: 0 registers.eax: 28388 registers.ebp: 3993350164 registers.edx: 4294941692 registers.ebx: 130 registers.esi: 604801363 registers.ecx: 5254238	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 81 eb c0 53 fa 77 52 ba e8 25 f9 7a 01 d3 5a exception.symbol: random+0x23d166 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2347366 exception.address: 0x4fd166 registers.esp: 9043576 registers.edi: 0 registers.eax: 31980 registers.ebp: 3993350164 registers.edx: 1554057386 registers.ebx: 5229046 registers.esi: 604801363 registers.ecx: 537931008	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb e9 b3 fe ff ff 31 ce c1 e6 08 81 ec 04 00 00 exception.symbol: random+0x23d11d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2347293 exception.address: 0x4fd11d registers.esp: 9043580 registers.edi: 4294938416 registers.eax: 1108320 registers.ebp: 3993350164 registers.edx: 1554057386 registers.ebx: 5261026 registers.esi: 604801363 registers.ecx: 537931008	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 51 57 bf 2e 7d aa 2f 89 7c 24 04 e9 ad 03 00 exception.symbol: random+0x23df90 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2350992 exception.address: 0x4fdf90 registers.esp: 9043580 registers.edi: 5260900 registers.eax: 4294943132 registers.ebp: 3993350164 registers.edx: 1554057386 registers.ebx: 1800636544 registers.esi: 604292951 registers.ecx: 1975590913	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 57 68 78 ba 7f 6d exception.symbol: random+0x245d1f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2383135 exception.address: 0x505d1f registers.esp: 9043576 registers.edi: 5249018 registers.eax: 32482 registers.ebp: 3993350164 registers.edx: 5265074 registers.ebx: 65804 registers.esi: 5248334 registers.ecx: 1969225870	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 55 e9 f9 fe ff ff 83 ec 04 e9 e7 01 00 00 81 exception.symbol: random+0x245f98 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2383768 exception.address: 0x505f98 registers.esp: 9043580 registers.edi: 5249018 registers.eax: 32482 registers.ebp: 3993350164 registers.edx: 5297556 registers.ebx: 65804 registers.esi: 5248334 registers.ecx: 1969225870	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 52 89 34 24 e9 1c 07 00 00 ba 1c 9d fe 4d e9 exception.symbol: random+0x245955 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2382165 exception.address: 0x505955 registers.esp: 9043580 registers.edi: 83433 registers.eax: 32482 registers.ebp: 3993350164 registers.edx: 5297556 registers.ebx: 65804 registers.esi: 4294937680 registers.ecx: 1969225870	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 50 68 33 04 03 15 89 0c 24 e9 5c 03 00 00 01 exception.symbol: random+0x246985 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2386309 exception.address: 0x506985 registers.esp: 9043580 registers.edi: 0 registers.eax: 30255 registers.ebp: 3993350164 registers.edx: 1165149955 registers.ebx: 740308224 registers.esi: 5271922 registers.ecx: 24811	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 55 e9 99 05 00 00 c7 04 24 ca 46 6b 5b e9 c8 exception.symbol: random+0x24b339 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2405177 exception.address: 0x50b339 registers.esp: 9043576 registers.edi: 3993350164 registers.eax: 30310 registers.ebp: 3993350164 registers.edx: 5287766 registers.ebx: 3993356581 registers.esi: 5271922 registers.ecx: 762515454	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb e9 26 04 00 00 81 f2 60 7c 43 7f 29 d3 5a 01 exception.symbol: random+0x24b07f exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2404479 exception.address: 0x50b07f registers.esp: 9043580 registers.edi: 3993350164 registers.eax: 30310 registers.ebp: 3993350164 registers.edx: 5318076 registers.ebx: 3993356581 registers.esi: 5271922 registers.ecx: 762515454	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 68 94 e6 78 3d 89 14 24 53 bb 5d f9 9d 37 89 exception.symbol: random+0x24bb5b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2407259 exception.address: 0x50bb5b registers.esp: 9043580 registers.edi: 0 registers.eax: 30310 registers.ebp: 3993350164 registers.edx: 5290948 registers.ebx: 59734 registers.esi: 5271922 registers.ecx: 762515454	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 52 ba ce 1b 7e 51 89 d3 5a 81 f3 f1 e0 fe 3c exception.symbol: random+0x24c161 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2408801 exception.address: 0x50c161 registers.esp: 9043580 registers.edi: 0 registers.eax: 27977 registers.ebp: 3993350164 registers.edx: 5319274 registers.ebx: 140293223 registers.esi: 3939837675 registers.ecx: 4294941944	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 1c 24 51 e9 ec 02 00 00 c7 04 24 exception.symbol: random+0x2686ec exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2524908 exception.address: 0x5286ec registers.esp: 9043580 registers.edi: 0 registers.eax: 30062 registers.ebp: 3993350164 registers.edx: 5409328 registers.ebx: 607453008 registers.esi: 5381693 registers.ecx: 761593856	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 31 ff 52 55 89 3c 24 50 e9 fa 00 00 00 81 ee exception.symbol: random+0x26c399 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2540441 exception.address: 0x52c399 registers.esp: 9043580 registers.edi: 0 registers.eax: 29894 registers.ebp: 3993350164 registers.edx: 1491586461 registers.ebx: 1268244167 registers.esi: 5451706 registers.ecx: 761593856	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 50 89 0c 24 b9 80 90 b0 1c e9 db fb ff ff 83 exception.symbol: random+0x26c13e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2539838 exception.address: 0x52c13e registers.esp: 9043580 registers.edi: 4294940216 registers.eax: 29894 registers.ebp: 3993350164 registers.edx: 1491586461 registers.ebx: 1268244167 registers.esi: 5451706 registers.ecx: 9451	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 50 52 e9 a3 00 00 00 5d 81 f1 38 ee 0a 8c 89 exception.symbol: random+0x27228d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2564749 exception.address: 0x53228d registers.esp: 9043580 registers.edi: 5474128 registers.eax: 4294942620 registers.ebp: 3993350164 registers.edx: 3065598288 registers.ebx: 1796384536 registers.esi: 5451706 registers.ecx: 761593856	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb e9 76 01 00 00 01 f9 5f 87 0c 24 5c ff 34 32 exception.symbol: random+0x280220 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2621984 exception.address: 0x540220 registers.esp: 9043576 registers.edi: 5145600 registers.eax: 29802 registers.ebp: 3993350164 registers.edx: 3186440646 registers.ebx: 5480398 registers.esi: 5503902 registers.ecx: 4718644	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb e9 6b 03 00 00 89 24 24 51 b9 04 00 00 00 81 exception.symbol: random+0x27fc3c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2620476 exception.address: 0x53fc3c registers.esp: 9043580 registers.edi: 5145600 registers.eax: 29802 registers.ebp: 3993350164 registers.edx: 3186440646 registers.ebx: 5480398 registers.esi: 5533704 registers.ecx: 4718644	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 68 4a f3 c8 51 ff 34 24 8b 14 24 e9 59 06 00 exception.symbol: random+0x27fca9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2620585 exception.address: 0x53fca9 registers.esp: 9043580 registers.edi: 5145600 registers.eax: 4142487377 registers.ebp: 3993350164 registers.edx: 4294940168 registers.ebx: 5480398 registers.esi: 5533704 registers.ecx: 4718644	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 89 e2 50 b8 04 00 exception.symbol: random+0x280eb1 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2625201 exception.address: 0x540eb1 registers.esp: 9043580 registers.edi: 5145600 registers.eax: 5533438 registers.ebp: 3993350164 registers.edx: 1372123978 registers.ebx: 1418829795 registers.esi: 5533704 registers.ecx: 4718644	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 53 81 ec 04 00 00 00 89 14 24 c7 04 24 21 03 exception.symbol: random+0x280e64 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2625124 exception.address: 0x540e64 registers.esp: 9043580 registers.edi: 4294943876 registers.eax: 5533438 registers.ebp: 3993350164 registers.edx: 1372123978 registers.ebx: 1418829795 registers.esi: 604801362 registers.ecx: 4718644	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 50 57 e9 53 fd ff ff ff 34 24 5e 81 c4 04 00 exception.symbol: random+0x293b17 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2702103 exception.address: 0x553b17 registers.esp: 9043580 registers.edi: 3997905940 registers.eax: 5611885 registers.ebp: 3993350164 registers.edx: 2130566132 registers.ebx: 4456458 registers.esi: 2005598220 registers.ecx: 761593856	1
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 52 60 df 6f 89 2c 24 56 be 42 d6 exception.symbol: random+0x293e33 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2702899 exception.address: 0x553e33 registers.esp: 9043580 registers.edi: 4294942860 registers.eax: 5611885 registers.ebp: 3993350164 registers.edx: 2130566132 registers.ebx: 1474333008 registers.esi: 2005598220 registers.ecx: 761593856	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (9 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.16/Jo89Ku7d/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/build.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/crypted.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/5447jsX.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/crypteda.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/svhosts.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/25072023.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/pered.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/2020.exe

Performs some HTTP requests (9 events)

request	POST http://185.215.113.16/Jo89Ku7d/index.php
request	GET http://185.215.113.16/inc/build.exe
request	GET http://185.215.113.16/inc/crypted.exe
request	GET http://185.215.113.16/inc/5447jsX.exe
request	GET http://185.215.113.16/inc/crypteda.exe
request	GET http://185.215.113.16/inc/svhosts.exe
request	GET http://185.215.113.16/inc/25072023.exe
request	GET http://185.215.113.16/inc/pered.exe
request	GET http://185.215.113.16/inc/2020.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.16/Jo89Ku7d/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 209 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002c1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02400000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 1440 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x034b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:18 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01281000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 26, 2024, 10:25 a.m.	process_identifier: 2224 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

axplong.exe tried to sleep 1176 seconds, actually delayed analysis time by 1176 seconds

Steals private information from local Internet browsers (7 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (50 out of 74 events)

file	C:\Users\test22\AppData\Local\Temp\1000014001\gawdth.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\1000001001\build.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\1000003001\5447jsX.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\1000012001\2020.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI30122\libssl-3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI30122\python311.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2772_133664607593437500\sqlite3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI30122\python3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\_pytransform.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\clamer.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2772_133664607593437500\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2772_133664607593437500\python3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI30122\libcrypto-3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\1000006001\svhosts.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe
file	C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2772_133664607593437500\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2772_133664607593437500\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2772_133664607593437500\python310.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-datetime-l1-1-0.dll

Creates hidden or system file (8 events)

Time & API	Arguments	Return
NtCreateFile July 26, 2024, 10:26 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 26, 2024, 10:26 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 26, 2024, 10:26 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 26, 2024, 10:26 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 26, 2024, 10:27 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 26, 2024, 10:27 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 26, 2024, 10:27 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 26, 2024, 10:27 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk

Drops a binary and executes it (15 events)

file	C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\build.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\5447jsX.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe
file	C:\Users\test22\AppData\Local\Temp\1000006001\svhosts.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe
file	C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe
file	C:\Users\test22\AppData\Local\Temp\1000012001\2020.exe
file	C:\Users\test22\AppData\Local\Temp\1000013001\4ck3rr.exe
file	C:\Users\test22\AppData\Local\Temp\1000014001\gawdth.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2772_133664607593437500\stub.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\clamer.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX1\lofsawd.exe

Drops an executable to the user AppData folder (8 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX1\lofsawd.exe
file	C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe
file	C:\Users\test22\AppData\Local\Temp\1000006001\svhosts.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\5447jsX.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe
file	C:\Users\test22\AppData\Local\Temp\1000013001\4ck3rr.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe

A process created a hidden window (11 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 26, 2024, 10:25 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe	1	1
ShellExecuteExW July 26, 2024, 10:25 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000001001\build.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000001001\build.exe	1	1
ShellExecuteExW July 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe	1	1
ShellExecuteExW July 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000003001\5447jsX.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000003001\5447jsX.exe	1	1
ShellExecuteExW July 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe	1	1
ShellExecuteExW July 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000006001\svhosts.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000006001\svhosts.exe	1	1
ShellExecuteExW July 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe	1	1
ShellExecuteExW July 26, 2024, 10:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe	1	1
ShellExecuteExW July 26, 2024, 10:27 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000012001\2020.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000012001\2020.exe	1	1
ShellExecuteExW July 26, 2024, 10:27 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000013001\4ck3rr.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000013001\4ck3rr.exe	1	1
ShellExecuteExW July 26, 2024, 10:27 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000014001\gawdth.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000014001\gawdth.exe	1	1

An executable file was downloaded by the process axplong.exe (10 events)

Time & API	Arguments	Status	Return
InternetReadFile July 26, 2024, 10:25 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd*¨fð.)®ê«ö@ ` P@à©(p@ã(hS.text¸¬®``.dataÀ²@À.rdataP+Ð,´@@.eh_framà@À.pdata( â@@.xdataø ì@@.bss0À.idataPö@À.CRT``@À.tlsp@À.rsrc@à©â© @@.relocpì«@BUHåHMHULE DM(]ÃUHåHì èTöHÚÀt¹èO©ë ¹èC©èÞ H7ÛèÞ HÛè¾2HgÙøuH)ÛHÁèË;¸HÄ ]ÃUHåHì0HÛwHÈÚHgHD$ AÑL@H1HÂH#HÁè·¨)HÄ0]ÃUHåHì0ÇEüÿH¤ÙÇè=EüEüHÄ0]ÃUHåHì0ÇEüÿHuÙÇèEüEüHÄ0]ÃUHåHìpHÇEðÇEä0EäeHHEØHEØH@HEèÇEüë!HEðH;Eèu ÇEüëE¹èHCÿÐHMÙHEÐHEèHEÈHÇEÀHMÈHEÀHUÐðH± HEðH}ðu¨H&Ùøu¹è§ë?HÙÀu(HÿØÇHBÙHÂH(ÙHÁè§ë ÇèHÍØøu&HïØHÂHÕØHÁè]§H¦ØÇ}üuHØHE¸HÇE°HU°HE¸HH×HHÀtH×HA¸º¹ÿÐè8HÕØHÁHËAÿÐHØHHýÿÿHÁèèK0 HÁèsè©,H[×HHñHH çHØÎIÈÁè ,ÖÔÀu ÆÁè«¦ÁÀuèD¦ªHÄp]ÃUHåHì H9×ÇH<×ÇH?×ÇH¢ÖHEøHEø·f=MZt ¸éHEø@<HcÐHEøHÐHEðHEð=PEt ¸éHEðHÀHEèHEè··À=t =t)ëVHEè@\øw¸ëHHEèÐÀÀ¶Àë4HEèHEàHEà@løw¸ëHEààÀÀ¶Àë¸HÄ ]ÃUSHìHHl$@M HU(E ÀHHÁàHÁè¥HEðHE(HHEèÇEüéEüHHÅHEèHÐHHÁè¬¥HÀHÀHEàEüHHÅHEðHHEàHÁè0¥HEüHHÅHEèHÐHEüHHÅHEðHÈHHMàIÈHÁè¥EüEü;E eÿÿÿEüHHÅHEðHÐHÇHE(HUðHHÄH[]ÃUHåHì HMHEHÁè2¤HÀt¸ë¸ÿÿÿÿHÄ ]ÃÃff.@1ÀÃff.fUWVSHì(Hl$ H5ºHñÿ>HÃHÀtkHñÿR>H=>H÷¹HÙHÿ×Hú¹HÙHÆÿ×HÂ©HötHH ¯éÿÖH 6HÄ([^_]éÿÿÿfHYÿÿÿH5BÿÿÿH{©ë¼fUHåHì Ha©HÀt H UéÿÐH HÉtHÄ ]Hÿ%û<HÄ ]Ãf.fDUWVSHºÅgV/ëÔ'IÊHI(EJHMBMIÉLÂIûIZIRH¿OëÔ'=®²ÂIB HÞH¯ßHÕHÑÂHÁÆH¯ïHòLÆHÁÆL¯ÇHòHÆHÁÅHÁÆH¯ÇHòIÁÀH¾Êë±y7H¯îL¯ÆH1êHÝH»c®²ÂwÊëH¯ÖHÁÅH¯îHÚH1êH¯ÖHÚI1ÐHÂL¯ÆHÁÂH¯ÖIH1ÂH¯ÖHÚIr0LÚI9ñr`H»OëÔ'=®²ÂHñI¸Êë±y7I»c®²ÂwÊëfDHAøHÁH¯ÃHÁÀI¯ÀH1ÐHÁÀI¯ÀJI9ÉsØLÈL)ÐHHÐHáøHñLAM9Ár5H¹Êë±y7H¯ÁLÁH1ÐHºOëÔ'=®²ÂHÁÀH¯ÂHºùy7±gVHÂL9És2IºÅgV/ëÔ'I¸Êë±y7¶HÁI¯ÂH1ÐHÁÀI¯ÀHÂI9ÉuâHÐHÁè!H1ÐHºOëÔ'=®²ÂH¯ÂHÂHÁêH1ÐHºùy7±gVH¯ÂHÂHÁê H1Ð[^_]ÃHì8LD$PLD$PLL$XLD$(è³=HÄ8Ãff.Hì8LL$XLL$XLL$(èø=HÄ8ÃAWAVAUATUWVSL\$hA;IÊIÔMÉ=C¶DÿIùv1HÇÂÿÿÿÿÀâ½Ð¸)ÐIù%KtøHë@HÉ¶A¶JcHÙÿá@A¶HHÁá0HÊA¶HHÁá(HÊA¶HHÁá HÊA¶HHÁáHÊA¶HHÁáHÊA¶HHÁáHÊÀQ½È¸ LÆD)ÈÁà)ÈÁïK,"MK@¶ÿMhLuýû÷Ûã?éÁfI9ð?ÂHñÁêAÓL)ÙL9ÁÁâHÎ)ÐHM9ò¬ÁIÓIÂIÓãÙIÓëKYD¶YD¶9AÃHÐEzüDÙHÓàÙHÓèIA¶¶@DØAJýIÓÁIÓãÙIÓëKYD¶YD¶9AÃHÐEzþDÙHÓàÙHÓèIA¶¶@DØAJÿø@w!L9î8ÿÿÿÂàÁêH)ÖHM9òUÿÿÿI9ês/÷ßç?ÁIÓIÂIÓãùIÓëOYA¶E¶[AJÿDØL9ÕuÖI9ðt4HÇÂìÿÿÿHÐ[^_]A\A]A^A_ÃHòL)ÂÑÁâH)Î)ÐHëI9êrLâø@uÄëÉfHÇÂ¸ÿÿÿHÐ[^_]A\A]A^A_ÃLÊë¤@AVAUATUWVSL\$`A3HÕMÉBC¶DÿIùv6HÇÂÿÿÿÿÀä½Ð¸)ÐIù(K\ request_handle: 0x00cc000c	1	1
InternetReadFile July 26, 2024, 10:26 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $Àýxl???Wî>?Wî>.?Wî>?F>?Wî>???F>Ø?F>?w>?wé??w>?Rich?PEL³fà'rdºá@ @ª <°àÀÜP°1 TÀ2 ð0 @.textöpr `.rdatal'(v@@.dataøçÀ Ð @À.rsrcà°n@@.relocÜPÀRp@Bj¸ELHèêÑ¸ÄÀIÇEðhÀIEìeüÇÄÀIHÇEühlIPhtÀIèn\|MüÿhVHè}ÎÄènÑÃj¸LHèÑ¸\ÀIÇEðÀIEìeüÇ\ÀIðHÇEüh\lIPhÀIè\|MüÿhYHè&ÎÄèÑÃhPNè Ç$\HèÎYÃj¹Nè`hhHèïÍYÃ¹LNèöh~HèÙÍYÃhtHèÍÍYÃ¹NèÔhHè·ÍYÃjjh8N¹èNèðhHèÍYÃVWjèÑ³Y¿8NðÏè4jVÏÇ8NDHèÛhHè`ÍY_^Ã¹áNéû¹àNè[h¦Hè>ÍYÃhºHè2ÍYÃh°Hè&ÍYÃjjhàN¹8Nè®©hÄHèÍYÃVWjè@³Y¿àNðÏè£jVÏÇàNDHèJhÎHèÏÌY_^Ã¡8NÇØN8NH¡ÜNtNÃ¹ØNè¶hØHèÌYÃ¹øNè hìHèÌYÃhâHèwÌYÃÌÌÌÌÌÌÌÌÌÌD$Ã¸Ø§NÃÿt$jRQèíÿÿÿÿpÿ0èiPÄÃD$Pjè}²T$ÈèÎÿÿÿYYÃUìQQEVñEøEøÆEüVÇäH"bRPèðÞYYÆ^ÉÂD$ÇäHaaAÁÂVñFÇäH `PD$ÀPè¬ÞYYÆ^ÂAÇäHPèøÞYÃy¸Ä,IEAÃVñFÇäHPèÖÞöD$Yt jVèËYYÆ^ÂaaD$AÁÇHÂVñFÇäHPèÞöD$Yt jVèCËYYÆ^ÂAÇäHPèkÞYÃaÁaÇAØ,IÇDHÃVñFÇäHPè?ÞöD$Yt jVèðÊYYÆ^ÂAÇäHPèÞYÃVñV&fèpyYÆ^ÃQèPzYÃVÿt$ñV&fèyYYÆ^ÂVÿt$ñVèÛxYYÆ^ÂQè{YÃVñV&fèyVè#yYYÆ^ÃD$PèþyÌ¸ÿÿÿÃUììMôèÿÿÿhªIEôPèëÌVÿt$ñè:þÿÿÇDHÆ^ÂVÿt$ñè"þÿÿÇHÆ^ÂéIÆD$L$#Pü+ÂÀüøwÃéxpÂÂÂÁÂÂhð,IèIÌVÿt$ñèxýÿÿÇ°HÆ^ÂVñFÇäHPèÙÜöD$Yt jVèÉYYÆ^ÂAÇäHPè²ÜYÃD$VñxvPèýÿÿÇPHÆ^ÂVÿt$ñèýÿÿÇPHÆ^ÂVñFÇäHPèeÜöD$Yt jVèÉYYÆ^ÂAÇäHPè>ÜYÃVÿt$ñèýÿÿÇPHÆ^Âjÿqÿ1ÿTHÀ£¦ÃÂD$I;HÀÂÂD$D$AÁÂÃAÃAÿ1Èÿt$ÿRD$ÂD$D$AÁÂÃAÃT$Vt$BN@;Au ;u°^Ã2À^ÃD$T$HÂUìQQÿuUøÿuRÿPPè±ÿÿÿYYÉÂAVt$V;Bu;D$u°ë2À^ÂÁÇA°ËIÃD$L$Ç@¨tNÃUìì$¡ÁI3ÅEø}$VuWt¿-IWèRYPWMèÁ5MUàÿuRÿP}ôEàÿuðGEàMPè5Màè 5EÎPèg/Mèö4MøÆ_3Í^èÂÉÃUìì¡ÁI3ÅEüVÿuñUäMRÿP}øEäÎGEäPèäúÿÿMäÇPHè£4MÆUNMüÇ\H3ÍV^è'ÂÉÂUìì ¡ÁI3ÅEøEVìñÌPèE/ÿuEàÿuPèèþÿÿÄ$ÎPèGýÿÿMàè=4MÆUNMøÇ\H3ÍV^èÁÁÉÂVñFÇäHPèºÙöD$Yt jVèkÆYYÆ^ÂAÇäHPèÙYÃVÿt$ñÿt$èéþÿÿÇhHÆ^ÂUìäøì¡ÁI3ÄD$EVñL$Pè,.D$ÎPÿuÿuè ÿÿÿL$è3L$ÆÇhH^3ÌèÁå]ÂVñFÇäHPè ÙöD$Yt jVè»ÅYYÆ^ÂAÇäHPèãØYÃUìì ÑMøèýÿÿMäÿpÿ0è3ÿÿÿh\|¨IEäPèÛæÌVÿt$ñèÇhHÆ^ÂVt$WVùè_ùÿÿÇ\HFVGÇW_^Â¸-IÃÿt$è£YL$Pè7-D$ÂöD$Vñt jVèÅYYÆ^ÂÂ¸-IÃUì}uMjh\|/Iè&-ëÿuè©¢YMPèá,E]ÂöD$Vñt jVè®ÄYYÆ^ÂÂ¸°ËIÃ¸¨tNÃaÁaÇA-IÇPHÃVñFÇäHPè¬×öD$Yt jVè]ÄYYÆ^ÂAÇäHPè×YÃUììMôèÿÿÿh`©IEôPèåÌVÿt$ñè*øÿÿÇPHÆ^ÂÂVqÒtJÂð±;Ât ÐÀuí2À^Ã°^ÃðÿAÃðÿAÃVWÏÿñÇðÁFuÿðÁ~Ou Î_^ÿ`_^ÃÈÿðÁAuÿ`Ã3ÀÂ3À@AAÁÃÇ\HÃöD$VñÇ\Ht jVèuÃYYÆ^ÂSV3ÛñSèz3À^^^^^fF^fF ^$^(^,^09D$tÿt$Vè2YYÆ^[Âh$-IèÌVñWVè_~,Yt ÿv,èWNY3ÿ~,9~$t ÿv$èDNY~$9~t request_handle: 0x00cc000c	1	1
InternetReadFile July 26, 2024, 10:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ègX¬ô¬ô¬ôt÷ ôtñ ôtð ¹ôtõ ¯ô¬õ.ônð ¾ônñ ÷ôn÷ ´ô_ñ ô_ô ô_ö ôRich¬ôPELk\¢fà':ôA`@p@À ¸x (@\ HßßÞ@`l.textG12 `.zzZ P6 `.rdataò²`´>@@.data\| ò@À.reloc\ @"@B¹ ,Fè'=hÅ@Bè)pYÃj¸ü<Bèq¸¤FÇEðHFEìeüÇ¤FHbBÇEühýBPhTFèPGMüÿhÏ@BèÙoÄè©pÃj¸;=Bè¿p¸<FÇEðàFEìeüÇ<FgBÇEühøCPhìFèùFMüÿhÒ@BèoÄèRpÃhß@BèooYÃhÕ@BècoYÃhh/Fè?GÇ$é@BèKoYÃj¹4/Fè hõ@Bè3oYÃ¹d/Fè<hABèoYÃhABèoYÃjjhð/F¹ /FèÖUhABèònYÃVWjèÿÃY¿ð/FðÏèVjVÏÇð/FxsBèÀZhABèºnY_^Ã¹/Fé_V¹/Fè;h)ABènYÃ¹0Fè;h=ABènYÃh3ABèvnYÃÌÌÌÌÌÌÌVÿt$ñ3Àÿt$@FFFPÇ eBèfÄÆ^ÂVÿt$ñÇfBèÒYPNèa^Vÿt$ñ3Àÿt$@NFFÇeBèWÆ^ÂVÿt$ñf$NÇÄeBè¦=v$Æ^Âì$SUl$43ÀVWñD$ìÌUFèÖ}j[ÿtðÿGÇëÃPÎèw"ÿtÏè+}tEL$(D$$E Pèc3ÛD$$Cë3ÀD$D$D$ D$4D$D$Pèó-öÃtL$ãýÉtD$ +ÁàüPQèîYYöÃt L$(è0D$8ÎPè´ _Æ^][Ä$ÂVjñè¹D$Ç4fBb$ÇfBBÆR$^ÂUìQQVWÿuñè½ÿÿÿì0ÇlfB¾¨Ì'gè¯EøVPè¼ Ä8;øtPÏè·MüÉtèê!_ÆFvÆ^ÉÂj ¸":BèÊm]3ÿÇEèÿuèwÝYÈMä@t D$;Ç\|;÷v;Ç\|;ñv+ñÇëWÀfEÜEàuÜEìSMÔèN}Øu j^Öé}üAD%Àø@t<Eì;Ç\|3;÷v-H¶D@PL8èª7øÿtsÆÿuÜEìÐÿEìEàëÉAL8WÿuäÿuÿP$;EäuE;×uAEì;Ç\|3;÷v-H¶D@PL8èR7øÿtÆÿuÜEìÐÿEìEàëÉj^×ëj^ÖUè@\| \|$Müÿë;MPÑBj^Æj3É9J8EñðVÊè0¸6@ÃMüÿ3ÿj^]UèHËW3À9y8EðqòVèe0MÔè²Ãè¦kÃÌÌÌÌÌÃD$=rPèYÃÀtPè)hYÃ3ÀÃD$H#;È,QèhYÈÉt A#ààHüÃéÊ³SÙVW\|$C3+ÆÁø;øvWèa3VWÿt$è÷Äë<Uk+îÁýV;ýv t$UVèÙ®+ýsVWPèÉÄë Wÿt$èºÄ]¾_^C[Âj,è{gY@@fÇ@ÃS\$Ué¹ÿÿÿ;ÙwZjX;ØwSÿt$]UEèè/ÄÆ+ë4VWQPSè»ðNQèÞþÿÿSÿt$(ø]W}uè´/ÄÆ_^][ÂèZ.ÌSÙ¹ÿÿÿW\|$;ùwQjX;øwjÿt${SCèrvÄë.VQPWèNðNQèqþÿÿOQÿt$${PsèG/Ä^_[Âèò-ÌVt$WùNÉtèA#ÀtFG°ë2À_^ÂìÌÿt$èõD$L$ÿ0èa Ã\|$Vñt#ÿt$è\|D$Vÿ6ÿ0D$ÿ0èÄF^ÂT$BÀtðÿ@BAÂVt$W\|$+\|$Wÿt$VèuÄ7_^ÃL$D$ÿt$PQèÈÿÿÿÄÃUìE=rEPEPè¨EYYPÿuèÆeYY]ÃÑJ;JtD$BHJëÿt$QÊèËÂj¸?:Bè=iñuà]Ã+EF+=ÿÿÿ@EèPèîEìPèâüÿÿYø}äeüEÇEM N;ÙuÇ]ëVWSRèÄÓN]CVPQRèpÄMüÿÿuìÿuèWÎèäÃèhÂÿuìÿuäMàè-jjèMzè,ÌÌÌÌÌÌj¸\:Bèuhñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèLEìPÎèí+Ø]äeü<»M F9EuÓëVSÿuQèÄMFWVRPQèÄMüÿÿuìÿuèSÎèTÇèWgÂÿuìÿuäMàèÞ,jjèyèK+ÌÌÌÌÌÌj¸y:Bè²gñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèEìPÎè+Ø]äeü<»EV9UuÃëVSÿuQèÚÄMVGVPRQèÅÄMüÿÿuìÿuèSÎèÇèfÂÿuìÿuäMàè,jjèÇxèÌÌÌÌÌÌVñÿpÿt$èj,ÿ6è.cYY^ÂVt$WùëÿvÏÿt$èèÿÿÿVÿt$6è YY~ tÞ_^ÂVt$Nè(j,VèâbYY^ÃD$èt0èu+Vh¨èbðYötÿt$Îèÿ÷ÿÿÇPfBë3öÆ^Ãh°èkbYÀtÿt$Èè øÿÿÃ3ÀÃVj0èObðYÿt$NÇüeBèÆ^ÃVqÈèk:L$,Ét#SÿPÈØèP:L$è'Ã[^Â(èÑ2ÌQSÙºÿÿÿL$ÂUk+Å;ÁrlCVWR<)D$PWèUðNQèxùÿÿ request_handle: 0x00cc000c	1	1
InternetReadFile July 26, 2024, 10:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ègX¬ô¬ô¬ôt÷ ôtñ ôtð ¹ôtõ ¯ô¬õ.ônð ¾ônñ ÷ôn÷ ´ô_ñ ô_ô ô_ö ôRich¬ôPELº]¢fà':,A`@°@À ¸x (d HßßÞ@`l.textG12 `.zzZ P6 `.rdataò²`´>@@.data¼T Fò@À.relocd "8@B¹àdVè'=hÅ@Bè)pYÃj¸ü<Bèq¸ÄKVÇEðhKVEìeüÇÄKVHbBÇEühýBPhtKVèPGMüÿhÏ@BèÙoÄè©pÃj¸;=Bè¿p¸\KVÇEðKVEìeüÇ\KVgBÇEühøCPhKVèùFMüÿhÒ@BèoÄèRpÃhß@BèooYÃhÕ@BècoYÃh¨gVè?GÇ$é@BèKoYÃj¹tgVè hõ@Bè3oYÃ¹¤gVè<hABèoYÃhABèoYÃjjh0hV¹àgVèÖUhABèònYÃVWjèÿÃY¿0hVðÏèVjVÏÇ0hVxsBèÀZhABèºnY_^Ã¹ÙgVé_V¹ØgVè;h)ABènYÃ¹ÄhVè;h=ABènYÃh3ABèvnYÃÌÌÌÌÌÌÌVÿt$ñ3Àÿt$@FFFPÇ eBèfÄÆ^ÂVÿt$ñÇfBèÒYPNèa^Vÿt$ñ3Àÿt$@NFFÇeBèWÆ^ÂVÿt$ñf$NÇÄeBè¦=v$Æ^Âì$SUl$43ÀVWñD$ìÌUFèÖ}j[ÿtðÿGÇëÃPÎèw"ÿtÏè+}tEL$(D$$E Pèc3ÛD$$Cë3ÀD$D$D$ D$4D$D$Pèó-öÃtL$ãýÉtD$ +ÁàüPQèîYYöÃt L$(è0D$8ÎPè´ _Æ^][Ä$ÂVjñè¹D$Ç4fBb$ÇfBBÆR$^ÂUìQQVWÿuñè½ÿÿÿì0ÇlfB¾¨Ì'gè¯EøVPè¼ Ä8;øtPÏè·MüÉtèê!_ÆFvÆ^ÉÂj ¸":BèÊm]3ÿÇEèÿuèwÝYÈMä@t D$;Ç\|;÷v;Ç\|;ñv+ñÇëWÀfEÜEàuÜEìSMÔèN}Øu j^Öé}üAD%Àø@t<Eì;Ç\|3;÷v-H¶D@PL8èª7øÿtsÆÿuÜEìÐÿEìEàëÉAL8WÿuäÿuÿP$;EäuE;×uAEì;Ç\|3;÷v-H¶D@PL8èR7øÿtÆÿuÜEìÐÿEìEàëÉj^×ëj^ÖUè@\| \|$Müÿë;MPÑBj^Æj3É9J8EñðVÊè0¸6@ÃMüÿ3ÿj^]UèHËW3À9y8EðqòVèe0MÔè²Ãè¦kÃÌÌÌÌÌÃD$=rPèYÃÀtPè)hYÃ3ÀÃD$H#;È,QèhYÈÉt A#ààHüÃéÊ³SÙVW\|$C3+ÆÁø;øvWèa3VWÿt$è÷Äë<Uk+îÁýV;ýv t$UVèÙ®+ýsVWPèÉÄë Wÿt$èºÄ]¾_^C[Âj,è{gY@@fÇ@ÃS\$Ué¹ÿÿÿ;ÙwZjX;ØwSÿt$]UEèè/ÄÆ+ë4VWQPSè»ðNQèÞþÿÿSÿt$(ø]W}uè´/ÄÆ_^][ÂèZ.ÌSÙ¹ÿÿÿW\|$;ùwQjX;øwjÿt${SCèrvÄë.VQPWèNðNQèqþÿÿOQÿt$${PsèG/Ä^_[Âèò-ÌVt$WùNÉtèA#ÀtFG°ë2À_^ÂìÌÿt$èõD$L$ÿ0èa Ã\|$Vñt#ÿt$è\|D$Vÿ6ÿ0D$ÿ0èÄF^ÂT$BÀtðÿ@BAÂVt$W\|$+\|$Wÿt$VèuÄ7_^ÃL$D$ÿt$PQèÈÿÿÿÄÃUìE=rEPEPè¨EYYPÿuèÆeYY]ÃÑJ;JtD$BHJëÿt$QÊèËÂj¸?:Bè=iñuà]Ã+EF+=ÿÿÿ@EèPèîEìPèâüÿÿYø}äeüEÇEM N;ÙuÇ]ëVWSRèÄÓN]CVPQRèpÄMüÿÿuìÿuèWÎèäÃèhÂÿuìÿuäMàè-jjèMzè,ÌÌÌÌÌÌj¸\:Bèuhñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèLEìPÎèí+Ø]äeü<»M F9EuÓëVSÿuQèÄMFWVRPQèÄMüÿÿuìÿuèSÎèTÇèWgÂÿuìÿuäMàèÞ,jjèyèK+ÌÌÌÌÌÌj¸y:Bè²gñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèEìPÎè+Ø]äeü<»EV9UuÃëVSÿuQèÚÄMVGVPRQèÅÄMüÿÿuìÿuèSÎèÇèfÂÿuìÿuäMàè,jjèÇxèÌÌÌÌÌÌVñÿpÿt$èj,ÿ6è.cYY^ÂVt$WùëÿvÏÿt$èèÿÿÿVÿt$6è YY~ tÞ_^ÂVt$Nè(j,VèâbYY^ÃD$èt0èu+Vh¨èbðYötÿt$Îèÿ÷ÿÿÇPfBë3öÆ^Ãh°èkbYÀtÿt$Èè øÿÿÃ3ÀÃVj0èObðYÿt$NÇüeBèÆ^ÃVqÈèk:L$,Ét#SÿPÈØèP:L$è'Ã[^Â(èÑ2ÌQSÙºÿÿÿL$ÂUk+Å;ÁrlCVWR<)D$PWèUðNQèxùÿÿ request_handle: 0x00cc000c	1	1
InternetReadFile July 26, 2024, 10:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ègX¬ô¬ô¬ôt÷ ôtñ ôtð ¹ôtõ ¯ô¬õ.ônð ¾ônñ ÷ôn÷ ´ô_ñ ô_ô ô_ö ôRich¬ôPELT¢fà':A`@ @À ¸x (ð d HßßÞ@`l.textG12 `.zzZ P6 `.rdataò²`´>@@.data\|Ä ¶ò@À.relocd ð "¨ @B¹ ÔJè'=hÅ@Bè)pYÃj¸ü<Bèq¸¤»JÇEðH»JEìeüÇ¤»JHbBÇEühýBPhT»JèPGMüÿhÏ@BèÙoÄè©pÃj¸;=Bè¿p¸<»JÇEðàºJEìeüÇ<»JgBÇEühøCPhìºJèùFMüÿhÒ@BèoÄèRpÃhß@BèooYÃhÕ@BècoYÃhh×Jè?GÇ$é@BèKoYÃj¹4×Jè hõ@Bè3oYÃ¹d×Jè<hABèoYÃhABèoYÃjjhð×J¹ ×JèÖUhABèònYÃVWjèÿÃY¿ð×JðÏèVjVÏÇð×JxsBèÀZhABèºnY_^Ã¹×Jé_V¹×Jè;h)ABènYÃ¹ØJè;h=ABènYÃh3ABèvnYÃÌÌÌÌÌÌÌVÿt$ñ3Àÿt$@FFFPÇ eBèfÄÆ^ÂVÿt$ñÇfBèÒYPNèa^Vÿt$ñ3Àÿt$@NFFÇeBèWÆ^ÂVÿt$ñf$NÇÄeBè¦=v$Æ^Âì$SUl$43ÀVWñD$ìÌUFèÖ}j[ÿtðÿGÇëÃPÎèw"ÿtÏè+}tEL$(D$$E Pèc3ÛD$$Cë3ÀD$D$D$ D$4D$D$Pèó-öÃtL$ãýÉtD$ +ÁàüPQèîYYöÃt L$(è0D$8ÎPè´ _Æ^][Ä$ÂVjñè¹D$Ç4fBb$ÇfBBÆR$^ÂUìQQVWÿuñè½ÿÿÿì0ÇlfB¾¨Ì'gè¯EøVPè¼ Ä8;øtPÏè·MüÉtèê!_ÆFvÆ^ÉÂj ¸":BèÊm]3ÿÇEèÿuèwÝYÈMä@t D$;Ç\|;÷v;Ç\|;ñv+ñÇëWÀfEÜEàuÜEìSMÔèN}Øu j^Öé}üAD%Àø@t<Eì;Ç\|3;÷v-H¶D@PL8èª7øÿtsÆÿuÜEìÐÿEìEàëÉAL8WÿuäÿuÿP$;EäuE;×uAEì;Ç\|3;÷v-H¶D@PL8èR7øÿtÆÿuÜEìÐÿEìEàëÉj^×ëj^ÖUè@\| \|$Müÿë;MPÑBj^Æj3É9J8EñðVÊè0¸6@ÃMüÿ3ÿj^]UèHËW3À9y8EðqòVèe0MÔè²Ãè¦kÃÌÌÌÌÌÃD$=rPèYÃÀtPè)hYÃ3ÀÃD$H#;È,QèhYÈÉt A#ààHüÃéÊ³SÙVW\|$C3+ÆÁø;øvWèa3VWÿt$è÷Äë<Uk+îÁýV;ýv t$UVèÙ®+ýsVWPèÉÄë Wÿt$èºÄ]¾_^C[Âj,è{gY@@fÇ@ÃS\$Ué¹ÿÿÿ;ÙwZjX;ØwSÿt$]UEèè/ÄÆ+ë4VWQPSè»ðNQèÞþÿÿSÿt$(ø]W}uè´/ÄÆ_^][ÂèZ.ÌSÙ¹ÿÿÿW\|$;ùwQjX;øwjÿt${SCèrvÄë.VQPWèNðNQèqþÿÿOQÿt$${PsèG/Ä^_[Âèò-ÌVt$WùNÉtèA#ÀtFG°ë2À_^ÂìÌÿt$èõD$L$ÿ0èa Ã\|$Vñt#ÿt$è\|D$Vÿ6ÿ0D$ÿ0èÄF^ÂT$BÀtðÿ@BAÂVt$W\|$+\|$Wÿt$VèuÄ7_^ÃL$D$ÿt$PQèÈÿÿÿÄÃUìE=rEPEPè¨EYYPÿuèÆeYY]ÃÑJ;JtD$BHJëÿt$QÊèËÂj¸?:Bè=iñuà]Ã+EF+=ÿÿÿ@EèPèîEìPèâüÿÿYø}äeüEÇEM N;ÙuÇ]ëVWSRèÄÓN]CVPQRèpÄMüÿÿuìÿuèWÎèäÃèhÂÿuìÿuäMàè-jjèMzè,ÌÌÌÌÌÌj¸\:Bèuhñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèLEìPÎèí+Ø]äeü<»M F9EuÓëVSÿuQèÄMFWVRPQèÄMüÿÿuìÿuèSÎèTÇèWgÂÿuìÿuäMàèÞ,jjèyèK+ÌÌÌÌÌÌj¸y:Bè²gñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèEìPÎè+Ø]äeü<»EV9UuÃëVSÿuQèÚÄMVGVPRQèÅÄMüÿÿuìÿuèSÎèÇèfÂÿuìÿuäMàè,jjèÇxèÌÌÌÌÌÌVñÿpÿt$èj,ÿ6è.cYY^ÂVt$WùëÿvÏÿt$èèÿÿÿVÿt$6è YY~ tÞ_^ÂVt$Nè(j,VèâbYY^ÃD$èt0èu+Vh¨èbðYötÿt$Îèÿ÷ÿÿÇPfBë3öÆ^Ãh°èkbYÀtÿt$Èè øÿÿÃ3ÀÃVj0èObðYÿt$NÇüeBèÆ^ÃVqÈèk:L$,Ét#SÿPÈØèP:L$è'Ã[^Â(èÑ2ÌQSÙºÿÿÿL$ÂUk+Å;ÁrlCVWR<)D$PWèUðNQèxùÿÿ request_handle: 0x00cc000c	1	1
InternetReadFile July 26, 2024, 10:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELB½à0ìÐÆ¹ @ @t¹O ÄÉX¹ H.text¬é ì `.rsrcÄÉ Ìð@@.reloc¼@B¨¹HT-M`ø0 1s, ~Ï%-&~Îþls- %Ï(+o/ 8Ðo0 ±%rprYp~1 (2 ¢%rqpr¯p~1 (2 ¢%rÇprp~1 (2 ¢%r!prap~1 (2 ¢( o3 81(4 s_sm~1 }Í~1 s5 (6 o7 }Í{ÍrqprÑp~1 (2 o8 ,rãprp~1 (2 +;rprap~1 (2 o8 -{Í(+{Í((9 þ 9:o: (; o< o= (> {Í((9 þ 9ñs? s? s? þ`s@ ~Ð%-&~ÎþmsA %Ð(+þas@ ~Ñ%-&~ÎþnsA %Ñ(+þbs@ ~Ò%-&~ÎþosA %Ò(+oB þ9E{Í±%rip¢oC r}p(> (C(+oE sF (N(+oToG #>@(H (I ioJ &ÞÞ(K þ9þcs@ ~Ó%-&~ÎþpsA %Ó(+þds@ ~Ô%-&~ÎþqsA %Ô(+þes@ ~Õ%-&~ÎþrsA %Õ(+ÞÞo_oaþfsL ~Ö%-&~ÎþssM %Ö(+ocoiþgsN ~×%-&~ÎþtsO %×(+oeþhsP ~Ø%-&~ÎþusQ %Ø(+ogþisR ~Ù%-&~ÎþvsS %Ù(+ok( +,dsm%o_%r£p(> oa%sU oc%oi%ok%sV oe%sW ogoX ( +,dsm%o_%rµp(> oa%sU oc%oi%ok%sV oe%sW ogoX ÞÞolþ,oX (Y :ÃúÿÿÞþoZ Üo[ :%úÿÿÞ,oZ ÜÞ&Þ + Añ,:ÕåäÉµDù4â$0sr rËp(\ (] þ , Ýî(srÝpo&8oo^ oo^ (rùpo8 ,4sr ³%-o_ oo oq +sr%oo%oq ÞÞXoþ:NÿÿÿÞ ÞÞÞ+ALPà1Ó 0sU ³%Ð°(` sa (\ (] þ , ÝS(s³%Ð\|(` sa o&8òsoo^ ooo^ oo(oÞÞÞoo(K - o+rýpoo(K - o+rýpoo(K - o+rýpoÜorýp(b ,oc Xoþ :úþÿÿÞÞÞÞ+*AdzJÄzRÌoC8{}0Ìs? (\ (] þ , Ý£(s³%Ð(` sa o&8Css%oo^ ov%oo^ o: .þox%oo^ oz%oo: 1þo\|%oo^ (d @Bj[!¶Yo~%oo^ o%r po(oo}jþ,-(e (f (g request_handle: 0x00cc000c	1	1
InternetReadFile July 26, 2024, 10:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¨:ìf}iìf}iìf}i§~hëf}i§xhSf}i§yhæf}iièf}ixhÄf}iyhýf}i~håf}i§\|hçf}iìf\|igf}iyhøf}ihíf}iRichìf}iPEdpZ¢fð" \°¯@0pÊ®`Á¼x ôàÄ X à@ .text `.rdata* ,@@.dataèÐ¸@À.pdataÄ à"Æ@@_RDATA\è@@.rsrc ô öê@@.relocX à@B@SHì è¥ßHèßHÓèSeHØèßHÓHÄ [éÜ%ÌÌÌÌÌÌÌÌÌÌÌÌHÃÃÌÌÌÌÌÌÌÌHT$HL$SUVWAVAWHì3ÀMðHÚHD$PHùHD$XH¿HD$`D@XD$(HL$ HD$ Iñèè DøÀt&HSDÀH è°EÿHÄA_A^_^][Ã¹ L¬$èû.LèHÀuLCH¨H åèÌéc¹ èÍ.HèHÀuLCHÊH ·èé5L¤$ÐDc@fL¸ L;àIÜºIÍHGØLÃèºãH;ÃãHèáÀÓL+ã\$(Ll$ f» Hl$03Ò\$8HL$ èfkøA¿ÿÿÿÿHùvwøtmL$8H+ÙMöt(MÎAWLÃHÍèêH;ÃuIÎè¦àÀtAÿë>HötLÃHÕHÎè¨Hó\|$8tÿtMätH¼$ÀéÿÿÿE3ÿë(¿ýÿÿÿH$ÈH ðHÂDÇèëA¿ÿÿÿÿL¤$ÐHL$ èIÍèN-HÍèF-L¬$AÇHÄA_A^_^][ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ@VAVHì(HHòLñHÀu2HÁxHoèº)IHÀuHVH _è3ÀHÄ(A^^ÃVE3ÀIVHÈèZåÀy!LFHgH è«3ÀHÄ(A^^ÃNL\|$ è¤,LøHÀu DNLFH}H èqé°~H\$@Hl$HH\|$PLd$XuMÏE3ÀHÖIÎèÁüÿÿÀtmë`^IïHÛt`A¼ ffMI;ÜHûA¸IGüHÍH×è^áHør HïH+ßuÔë"LFHßH èÛIÏèÏ+E3ÿH\|$PHl$HH\$@Ld$XIHÉtè»ÝIÇIÇL\|$ HÄ(A^^ÃÌÌÌÌÌÌÌÌ@SWAVHì0HúLñè¬Røÿu HÄ0A^_[ÃHl$PIx0HoLd$`HÕè¡ULàHÀu LÅHH ´è3AD$ÿéIHÀu1INxHèÑ'IHÀuHÕH wè»ÿÿÿÿé7WE3ÀIVHÈèrãÀy LÅHH µèÄ»ÿÿÿÿéuE3ÉMÄH×IÎè#ûÿÿØéãLl$(3ÛA½ L\|$ AÍèLøHÀuLÅH(H }èdA_ÿéHÿHt$XffMI;ýH÷A¸IGõIÏHÖè~ßHør1MÌA¸HÖIÏè¤æHørH+þu½ë+H,H YëHÜH LÅèÕ»ÿÿÿÿHt$XIÏè¿)Ll$(L\|$ IHÉtè¸ÛIÇIÌè©ÛÃHl$PLd$`HÄ0A^_[ÃÌÌÌÌÌÌÌÌ@SHì LIHÚLYM;ËsDMÑIALÃL+ÀfD¶B¶+ÑuHÿÀÉuíÒt/IcIÁLÈI;Âr I;ÃrÆ3ÀHÄ [ÃH gè²3ÀHÄ [ÃIÁHÄ [ÃÌH\$Hl$Ht$WHì HYHêHñHÇÇÿÿÿÿHÿÇ<u÷HIH;ÙsT{ouHKLÇHÕèä(ÀtHNHcHÃHØH;FrH;ÁrÏë!HCHÇ8tHCHÇëH Êè3ÀH\$0Hl$8Ht$@HÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌ@SHì HcHÙHÂH;AsH èÏHCHÄ [ÃÌÌÌÌÌH\$WHì0H?¸H3ÄHD$(HÙH HÉuHKxHaè¬$HHÈHÀtSH³HT$ HD$ A¸HÁèD$#è[YHøHÀt%HE3ÀHÐè9àÀyH"H è¸ÿÿÿÿégLHK ºXDB©èËÜHøsHH èV¸ÿÿÿÿé/K(E3ÀC,ÈC,C0ÈC0C4ÉÉH+ùK(ÈHÇXC4H{3ÿ»\|P²ÃS,HSHèßHcK0è'HCHÀuH®H óèÚGÿéµHcS0A¸LHÈèÜHøsH éIÿÿÿHcC0HCHHCègÙÀtH è'¸ÿÿÿÿëcHCH;CsGfDHÉHHÉHHÉHÊHcÊHÈHÁH;KrH;KrÍëH èÏ HHÉtè.ØH;3ÀHL$(H3ÌèH\$HHÄ0_ÃÌÌÌÌÌH\$Ht$WHì IØHòHùLLÊHÁxºè0=}vHxLËLØºè=}THx HÖHËèÅ 3ö·xP@f¶ H[ÀuïHÏèGýÿÿÀt"HHÉtèb×H73ÀH\$0Ht$8HÄ _ÃH\$0¸Ht$8HÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌHÉt7SHì HÙHIHÉtè%HHÉtè×HÇHËèå$HÄ [ÃÌÌÌ@SHì ºP¹è¿$HØHÀuHäH è° HÃHÄ [ÃÌÌÌÌÌÌÌLD$LL$ SUVWHì8IðHl$xHÚHùèëôÿÿHl$(LÎLÃHÇD$ H×HHÉèÀ¹ÿÿÿÿHÁHÄ8_^][ÃÌÌÌÌÌH\$Hl$Ht$ WHìHR´H3ÄH$pHALlLIHùHÁ(HD$ ºèÿº2·ÈØDBÒÿ¨fZ request_handle: 0x00cc000c	1	1
InternetReadFile July 26, 2024, 10:26 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ £XhcðXhcðXhcð`ñ_hcðfñìhcðgñRhcðëð[hcðë`ñQhcðëgñIhcðëfñphcðbñShcðXhbðÉhcðKìgñAhcðKìañYhcðRichXhcðPEdj¢fð"(ÐÀ@ÐÅ`ÁlÇx´+`"ÀhÀ@°P.text `.rdataB&°(@@.dataØsàÀ@À.pdata"`$Î@@.rsrc´+,ò@@.relochÀ@BHì(è/áHîÏè'áHHÝÏHHH ÒÏHÄ(é¹$ÌÌÌÌÌÌÌÌÌHqCÃÌÌÌÌÌÌÌÌH\$Hl$ LD$VWATAUAWHì Hò3íHý§DýIøHÙA½ÿÿÿÿèå.LàHÀuHVH Ú§èMéVE3ÀHIÌè7éÀyLFHä§H ¨èé¯Nè0LøHÀu DNLFH¨H ¦èXé~uMÏE3ÀHÖIÌèÌëW^Lt$PM÷HÛt;¸ DH;ØHûMÌA¸HGøIÎH×è^åHørhL÷¸ H+ßuÏÅH\|$`Lt$PÀtIÏèÓ/LýIÌèØáIïMÿtH×IÏèù.DèHÍèª/H\$XAÅHl$hHÄ A_A]A\_^ÃLFH!¦H N¦è}AÅëÌÌÌÌÌÌÌÌHT$HL$SUVWAVAWHì3ÀMðHÚHD$PHùHD$XA¸XHD$`H@¤D$(HL$ HD$ èIñèXDøÀt(HSDÀH #¤è¸ÿÿÿÿHÄA_A^_^][Ã¹ L¬$èç.LèHÀuLCH4¤H q¤è¸é\¹ è¹.HèHÀuLCHV¤H C¤èé.L¤$ÐA¿ÿÿÿÿDc¸ IÜL;àLÏºIÍHGØLÃèªãH;ÃæHÏè áÀÖL+ã\$(Ll$ f» Hl$03Ò\$8HL$ èøA¿ÿÿÿÿHùv\|øtrL$8H+ÙMöt)MÎLÃºHÍènêH;ÃuIÎèàÀtAÿëBHötLÃHÕHÎè}Hó\|$8{ÿÿÿÿtMätH¼$ÀéÿÿÿE3ÿë ¿ýÿÿÿH$ÈH {£HÂDÇèïL¤$ÐHL$ èmIÍèA-HÍè9-L¬$AÇHÄA_A^_^][ÃÌÌH\$ VAVAWHì HòHÙH¤E3öè +LøHÀu!HVH ¤èu3ÀH\$XHÄ A_A^^ÃVE3ÀHIÏèSåÀyLFH¤H 5¤è¤é»Nè§,LðHÀu DNLFH ¤H -¢èté~uMÎE3ÀHÖIÏèèüÿÿëc^Hl$@IîH\|$HLd$PHÛt8A¼ fDI;ÜHûMÏA¸IGüHÍH×ènáHørBHïH+ßuÔ3ÀH\|$HHl$@Ld$PÀtIÎèã+E3öIÏèèÝH\$XIÆHÄ A_A^^ÃLFHW¢H ¢è³¸ÿÿÿÿëªÌÌÌÌÌÌÌÌÌÌÌÌ@SWHì8znHúHÙu$èxúÿÿØÀyHWH _£èÃHÄ8_[ÃHn£Ld$`IÈèe)LàHÀu(LGHR£H £è6Ld$`¸ÿÿÿÿHÄ8_[ÃH2¢L\|$ HËè!)LøHÀuHWH ¢è»ÿÿÿÿéTWE3ÀHIÏènãÀy!LGH¢H P¢è¿»ÿÿÿÿéuE3ÉMÄH×IÏè.ûÿÿØéôLl$03ÛA½ Lt$(AÍèLðHÀu!LGHÂ H è^»ÿÿÿÿé§Ht$XwHöHl$P@ffI;õHîMÏA¸IGíIÎHÕènßHør1MÌA¸HÕIÎèæHørH+õu½ë,H¼ H é ëHl H LGèÄ»ÿÿÿÿHl$PIÎè®)Ht$XLl$0Lt$(IÏè§ÛIÌèÛL\|$ ÃLd$`HÄ8_[ÃH\$Ht$WHì HHòHùH;spfffD¶CA@¦¨÷t:Aødt4Aønt.Aøxt(HCLÆL+À¶B¶+ÑuHÿÀÉuíÒëHKHÖèí)Àt HØH;r3ÀH\$0Ht$8HÄ _ÃHt$8HÃH\$0HÄ _ÃÌÌÌÌÌÌ@SHì HHÇHÛtHè(HËHÄ [é(HÄ [ÃÌÌÌÌÌÌÌÌÌÌÌÌHÂÃÌÌÌÌÌÌÌÌÌÌH\$Hl$ WHìH7ÇH3ÄH$HYHé3ÛèK&HøHÀH ºH$H$A¸HÁèHÏH´$¨$è5]HðHÀ7E3ÀHÐHÏèoàÀyH H UèÄ é LÏHL$ ºXA¸èÝHøsH H _è é×º`¹èn'HØHÀuHûH ( è_ é¨LÍL ºHËèÓD$(H ÈD$(LL$8D$,LîÈD$,º@D$0ÈD$0D$4ÈD$4èD$(E3ÀH+ðHÏHFXHT$,HÐèhßL$0èÛ&HHÀuHH eè¬éõT$0LÏA¸HÈèîÛHøsH}H JèyéÂD$0HÏHHèÙÀtH gèÚ éHH;DâÄfo Rf3ÀAø\|óof8ÁóëfÉHÿÀHø\|ï¶JA¦¨÷tùdtùnt ùxt2Àë° ÀHÐH;rHÏè¶×H´$¨HÃH$H3ÌèL$I[ Ik(Iã_ÃÌÌÌÌÌÌÌÌÌÌLD$LL$ SUVWH request_handle: 0x00cc000c	1	1
InternetReadFile July 26, 2024, 10:27 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÚ}à0ìÐ¹ @ @H¹O ÄÉ,¹ H.texté ì `.rsrcÄÉ Ìð@@.reloc¼@B\|¹HT-àM4ø0 1s, ~Ï%-&~Îþls- %Ï(+o/ 8Ðo0 ±%rprYp~1 (2 ¢%rqpr¯p~1 (2 ¢%rÇprp~1 (2 ¢%r!prap~1 (2 ¢( o3 81(4 s_sm~1 }Í~1 s5 (6 o7 }Í{ÍrqprÑp~1 (2 o8 ,rãprp~1 (2 +;rprap~1 (2 o8 -{Í(+{Í((9 þ 9:o: (; o< o= (> {Í((9 þ 9ñs? s? s? þ`s@ ~Ð%-&~ÎþmsA %Ð(+þas@ ~Ñ%-&~ÎþnsA %Ñ(+þbs@ ~Ò%-&~ÎþosA %Ò(+oB þ9E{Í±%rip¢oC r}p(> (C(+oE sF (N(+oToG #>@(H (I ioJ &ÞÞ(K þ9þcs@ ~Ó%-&~ÎþpsA %Ó(+þds@ ~Ô%-&~ÎþqsA %Ô(+þes@ ~Õ%-&~ÎþrsA %Õ(+ÞÞo_oaþfsL ~Ö%-&~ÎþssM %Ö(+ocoiþgsN ~×%-&~ÎþtsO %×(+oeþhsP ~Ø%-&~ÎþusQ %Ø(+ogþisR ~Ù%-&~ÎþvsS %Ù(+ok( +,dsm%o_%r£p(> oa%sU oc%oi%ok%sV oe%sW ogoX ( +,dsm%o_%rµp(> oa%sU oc%oi%ok%sV oe%sW ogoX ÞÞolþ,oX (Y :ÃúÿÿÞþoZ Üo[ :%úÿÿÞ,oZ ÜÞ&Þ + Añ,:ÕåäÉµDù4â$0sr rËp(\ (] þ , Ýî(srÝpo&8oo^ oo^ (rùpo8 ,4sr ³%-o_ oo oq +sr%oo%oq ÞÞXoþ:NÿÿÿÞ ÞÞÞ+ALPà1Ó 0sU ³%Ð°(` sa (\ (] þ , ÝS(s³%Ð\|(` sa o&8òsoo^ ooo^ oo(oÞÞÞoo(K - o+rýpoo(K - o+rýpoo(K - o+rýpoÜorýp(b ,oc Xoþ :úþÿÿÞÞÞÞ+*AdzJÄzRÌoC8{}0Ìs? (\ (] þ , Ý£(s³%Ð(` sa o&8Css%oo^ ov%oo^ o: .þox%oo^ oz%oo: 1þo\|%oo^ (d @Bj[!¶Yo~%oo^ o%r po(oo}jþ,-(e (f (g request_handle: 0x00cc000c	1	1
InternetReadFile July 26, 2024, 10:27 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $$2â`å\±`å\±`å\±Ôy±hå\±Ôy¯±ëå\±Ôy®±må\±à¡±bå\±àX°rå\±à_°jå\±àY°Yå\±iß±iå\±iÛ±bå\±iÏ±gå\±`å]±Cä\±îY°Rå\±î\°aå\±î£±aå\±î^°aå\±Rich`å\±PEd#@fð"!hà.@`Á 4ÔP\|ÿ l0p À6T7(ð³@¼ .textngh `.rdataÄ(*l@@.data\ç°@À.pdatal0 2°@@.didat`àâ@À_RDATA\ðæ@@.rsrc\|ÿè@@.relocp è@BH 9¹éÌÌÌÌH Éùé¸¤ÌÌÌÌHì(H 5ùèdH ÉeHÄ(é¸H Éeé¬ÌÌÌÌHì(èÌájHÄ(ÃÌÌÌÌÌÌÌÌÌÌÌÌH éjéûÌÌÌÌH ÙeélÌÌÌÌH Ùeé\ÌÌÌÌHì(H lèØ¦H ÉeHÄ(é8H Éeé,ÌÌÌÌH ÉeéÌÌÌÌH ÉeéÌÌÌÌHì(H ¥kèTH éeHÄ(éèH )féÜÌÌÌÌHì(H ÅlèH fHÄ(é¸H fé¬ÌÌÌÌH\$Hl$Ht$WHì0HñIØIÈHú3íèhLÀHÓHÏè¯DE H.HÐHnHÎHnHØè$HkHÆHt$Pf+Hl$HHÇCH\$@HÄ0_ÃÌÌÌH\$Ht$WHì0Hù3öHJHÚH;Js!HzHAHBHÂrHfDHftHëE·ÈºDÆHËè"A¸ H7HÓHwHÏHwè$HsHÇf3Ht$HHÇCH\$@HÄ0_ÃHì(HA'H;Áv'HÈè[HÈHÀtHÀ'HààHHøHÄ(ÃèqfÌèçÌÌÌH\$Hl$Ht$WAVAWHì I¾þÿÿÿÿÿÿIØLúHùM;ÆÌHÇAHûsHYHÛLÃèS#3öf4;éHÃ3öHÈI;ÆvH¸ÿÿÿÿÿÿÿHë.¹ LðH;ÁH¸ÿÿÿÿÿÿÿLBñINH;Èw^HÉHùr èÿÿÿHèëHÉtèxëïHîH_I×HÛH/LÃLwHÍèÇ"f4+H\$@Hl$HHt$PHÄ A_A^_ÃèåÌècÌÌÌHÒH\$Ht$WHì H¸ÿÿÿÿÿÿÿHñH;ÐwoHHûr HËè}þÿÿHøëHÛt HËèÛ ëì3ÿH>H;H~LÃ3ÒHFHÏèÛ(Hd$0H;HL$0HFèOH\$8Ht$@HÄ _ÃèÖÌÌH\$WHì HÚIøH+ÙHÑLÃHÏèÛ!H;H\$0HÄ _ÃHÄHXHhHpHx ATAVAWHì H»þÿÿÿÿÿÿMùLòHùH;ÓHiHÊE3äH;ÓwHÍHÃHÑéH+ÁH;èvH¸ÿÿÿÿÿÿÿHë1H)HÚH;ÐHBØH¸ÿÿÿÿÿÿÿHKH;È HÉHùr èLýÿÿHðëHÉtèëïIôH_I×K6LwLÃHÎèþ fD$3Hýr1HHmHúrLAøHÂ'I+ÈHAøHøw3IÈèH7HÇH\$@Hl$HHt$PH\|$XHÄ A_A^A\ÃèØ ÌèVcÌèP ÌÌÌÌH\$Hl$Ht$WATAUAVAWHì LqH»þÿÿÿÿÿÿHÃMéI+ÆHñH;Â@HiM<I×E3ÀHÊH;ÓwHÍHÃHÑéH+ÁH;èvH¸ÿÿÿÿÿÿÿHë1H)HÚH;ÐHBØH¸ÿÿÿÿÿÿÿHKH;ÈéHÉHùr èûûÿÿHøëHÉtè\ëïIøHD$pO6LðL~H^M$8HÏL<HýrSHHÓèMÇIÕIÌè3ÀHmfBwHúrHKøHÂ'H+ÙHCøHøwMHÙHËèëHÖèGMÇIÕIÌè93ÀfBwH>HÆH\$PHl$XHt$`HÄ A_A^A]A\_ÃèÎaÌèÈÌè>ÌÌH\$Hl$Ht$WATAUAVAWHì LqH¿þÿÿÿÿÿÿHÇE·ùI+ÆHñH;ÂHiM$IÔE3íHÊH;×wHÍHÇHÑéH+ÁH;èvH¸ÿÿÿÿÿÿÿHë1H)HúH;ÐHBøH¸ÿÿÿÿÿÿÿHOH;ÈÇHÉHùr ènúÿÿHØëHÉtèÏ ëïIÝMöLfH~MÆHËHýrIH>H×èHmfE<fElHúrHOøHÂ'H+ùHGøHøwCHùHÏè¨ ëHÖèÒfE<fElHHÆH\$PHl$XHt$`HÄ A_A^A]A\_Ãèc`Ìè]ÌèÓÌÌÌ@SHì HÙHÂH ÅWÀHHSHHèsHÀHHÃHÄ [Ã@SHì HÙHÂH WÀHHSHHè7HHHÃHÄ [ÃHaHLpHAHùHHÁÃÌÌ@SHì HÙHÂH -WÀHHSHHèÛHÃHÄ [ÃÌÌ@SHì HHÛtIHHÉtAHSH+ÑHÑúHÒHúrLAøHÂ'I+ÈHAøHøwIÈèGH#HcHcHÄ [Ãè&_ÌÌé»ÌÌÌ@SHì HÙH HÉtAHSH+ÑHÑúHÒHúrLAøHÂ'I+ÈHAøHøwIÈèàH#HcHcHÄ [Ãè¿^ÌÌÌH9HHÁéÌÌÌÌÌH\$WHì HHùHÚHÁèZöÃt ºHÏèxH\$0HÇHÄ _ÃÌÌ@USVWAUAVAWH¬$PÿÿÿHì°H³£H3ÄH IÙIðLúLñE3íLmfoÖnóEfDm¿MÉÊLmàWÀóEðHËèf^LÀHÓHMàèw÷ÿÿE3ÀHUàHM`èöÿÿLÃHÐHM@è öÿÿE3ÀHÐHM èvöÿÿHÐHxrHL@HMèÃHM è%HM@èHM`èHUøHúr2HUHMàHÁH;×rHÂ'HIøH+ÁHÀøHøèè@¹£è HØLmàWÀóEðHÈè]LÀHÓHMàè öÿÿE3À request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002de00', u'virtual_address': u'0x00001000', u'entropy': 7.9800556437402745, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98005564374

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a5e00', u'virtual_address': u'0x00323000', u'entropy': 7.954783026578697, u'name': u'bauryisr', u'virtual_size': u'0x001a6000'}

entropy

7.95478302658

description

A section with a high entropy has been found

entropy

0.994155154091

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 26, 2024, 10:27 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW July 26, 2024, 10:27 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Queries for potentially installed applications (50 out of 102 events)

Time & API	Arguments	Status
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000434 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: 7-Zip base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: AddressBook base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: Adobe AIR base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: Connection Manager base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: EditPlus base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: Fontcore base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: Google Chrome base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: IE40 base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: IE4Data base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: IEData base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: Office15.PROPLUSR base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: WIC base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1
RegOpenKeyExW July 26, 2024, 10:27 a.m.	regkey_r: {BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x00000434 key_handle: 0x0000044c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	SELECT * FROM Win32_Processor

Communicates with host for which no DNS query was performed (3 events)

host	185.215.113.16
host	185.215.113.67
host	38.180.203.208

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 361 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA July 26, 2024, 10:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 26, 2024, 10:25 a.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (2 events)

file	C:\Windows\Tasks\axplong.job
file	C:\Windows\Tasks\Test Task17.job

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Executes one or more WMI queries (8 events)

wmi	SELECT * FROM Win32_VideoController
wmi	SELECT * FROM AntivirusProduct
wmi	SELECT * FROM Win32_OperatingSystem
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM Win32_Process
wmi	SELECT * FROM AntiSpyWareProduct
wmi	SELECT * FROM FirewallProduct
wmi	SELECT * FROM Win32_Processor

Collects information about installed applications (50 out of 76 events)

Time & API	Arguments	Status
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x0000044c regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x00000178 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x00000178 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x00000178 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x00000178 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x00000178 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x00000178 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x00000178 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x00000178 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x00000178 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x00000178 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x00000178 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExW July 26, 2024, 10:27 a.m.	key_handle: 0x00000178 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 119 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI18962\cryptography-42.0.8.dist-info\RECORD
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\bcrypt\_bcrypt.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\cryptography-42.0.8.dist-info\top_level.txt
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\_socket.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\_ctypes.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\python3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\certifi\cacert.pem
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\cryptography-42.0.8.dist-info\LICENSE.BSD
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\_decimal.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\base_library.zip
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\python310.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\_hashlib.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\cryptography\hazmat\bindings\_rust.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\_ssl.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\cryptography-42.0.8.dist-info\METADATA
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\cryptography-42.0.8.dist-info\LICENSE
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\_queue.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\cryptography-42.0.8.dist-info\INSTALLER
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\_bz2.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\select.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\unicodedata.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI18962\api-ms-win-core-processthreads-l1-1-0.dll

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1596 resumed a thread in remote process 2684
NtResumeThread July 26, 2024, 10:20 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 2684	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 26, 2024, 10:25 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 81 ec 04 00 00 00 89 0c exception.symbol: random+0x1f94ea exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2069738 exception.address: 0x4b94ea registers.esp: 9043612 registers.edi: 9907952 registers.eax: 1447909480 registers.ebp: 3993350164 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 4949616 registers.ecx: 20	1	0	0

Generates some ICMP traffic

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
BitDefender	Gen:Variant.Kryptik.260
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!25DB2D5AC24B
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.25db2d5ac24b8e34
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=89)
Kingsoft	malware.kb.a.857
Gridinsoft	Trojan.Heur!.038120A1
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36810.1DWaa4f3fDji
DeepInstinct	MALICIOUS
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
Fortinet	W32/Themida.HZB!tr
CrowdStrike	win/malicious_confidence_100% (D)

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All