Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 28, 2024, 10:38 a.m.	July 28, 2024, 10:42 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`8c0430ee2841a6554d709869a81a375b`
SHA256	`1498a70a6f12ced4f590dda71ac978898dbe18955fc745c964f3e9379dd291da`
CRC32	`4005E7B6`
ssdeep	`49152:cpjkmmm/9iVwteCqO+fyphnWpoG9Z8PdmLy:crmy9iVBiXwKG9Zsd`
Yara	PE_Header_Zero - PE File Signature themida_packer - themida packer IsPE32 - (no description)

random.exe "C:\Users\test22\AppData\Local\Temp\random.exe"
2660
- axplong.exe "C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe"
  2940
  - build.exe "C:\Users\test22\AppData\Local\Temp\1000001001\build.exe"
    2068
  - crypted.exe "C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe"
    2260
  - 5447jsX.exe "C:\Users\test22\AppData\Local\Temp\1000003001\5447jsX.exe"
    2488
  - crypteda.exe "C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe"
    2596
  - 25072023.exe "C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe"
    2820
  - pered.exe "C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe"
    2452
    - pered.exe "C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe"
      2676
  - 2020.exe "C:\Users\test22\AppData\Local\Temp\1000012001\2020.exe"
    2144
    - 2020.exe "C:\Users\test22\AppData\Local\Temp\1000012001\2020.exe"
      2916
  - gawdth.exe "C:\Users\test22\AppData\Local\Temp\1000014001\gawdth.exe"
    2088
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat" "
      2372
      - clamer.exe clamer.exe -priverdD
        1964
        
        lofsawd.exe "C:\Users\test22\AppData\Local\Temp\RarSFX1\lofsawd.exe"
        2100
  - buildred.exe "C:\Users\test22\AppData\Local\Temp\1000027001\buildred.exe"
    2120
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
atlpvt.com	A 58.65.168.132	58.65.168.132
coe.com.vn	A 103.28.36.182	103.28.36.182
mktrex155.xyz

IP Address	Status	Action
103.28.36.182	Active	Moloch
164.124.101.2	Active	Moloch
185.215.113.16	Active	Moloch
185.215.113.67	Active	Moloch
185.215.113.9	Active	Moloch
58.65.168.132	Active	Moloch
45.33.6.223	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.16:80 -> 192.168.56.101:49164	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49164	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.16:80 -> 192.168.56.101:49164	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49164	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49164	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 103.28.36.182:443 -> 192.168.56.101:49216	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49179 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49185 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49215 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49211 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.28.36.182:443 -> 192.168.56.101:49212	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49214 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2022491	ET HUNTING Download Request Containing Suspicious Filename - Crypted	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 103.28.36.182:443 -> 192.168.56.101:49189	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49210 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.67:40960 -> 192.168.56.101:49220	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.101:49220	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.215.113.67:40960 -> 192.168.56.101:49220	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.215.113.9:9137 -> 192.168.56.101:49283	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 185.215.113.9:9137 -> 192.168.56.101:49283	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.101:49284 -> 58.65.168.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49285 -> 58.65.168.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 185.215.113.9:9137 -> 192.168.56.101:49283	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49293 -> 58.65.168.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49295 -> 58.65.168.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 58.65.168.132:443 -> 192.168.56.101:49297	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49283 -> 185.215.113.9:9137	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49302 -> 58.65.168.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 58.65.168.132:443 -> 192.168.56.101:49303	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 58.65.168.132:443 -> 192.168.56.101:49286	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49301 -> 58.65.168.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 185.215.113.16:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.101:49220 -> 185.215.113.67:40960	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected

Suricata TLS

No Suricata TLS

Queries for the computername (25 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 28, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 28, 2024, 10:42 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 64 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:38 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0
IsDebuggerPresent July 28, 2024, 10:39 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (34 events)

Time & API	Arguments	Status	Return
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045b918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0045bad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052b238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052b238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:41 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0052b0f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083b918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0083bad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00907978 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00907978 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 28, 2024, 10:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00907ff8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 28, 2024, 10:41 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	efnzbsnu
section	dfucfsbq
section	.taggant

One or more processes crashed (50 out of 284 events)

Time & API	Arguments	Status
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x3090b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3182777 exception.address: 0xf490b9 registers.esp: 2292856 registers.edi: 0 registers.eax: 1 registers.ebp: 2292872 registers.edx: 17686528 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 81 c2 5f 9d 7f 7b 50 b8 91 4a 7c 43 e9 00 00 exception.symbol: random+0x6d977 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 448887 exception.address: 0xcad977 registers.esp: 2292820 registers.edi: 1968898280 registers.eax: 30600 registers.ebp: 4003311636 registers.edx: 13290883 registers.ebx: 1725195017 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb bb 46 b3 ff 4e f7 db 81 e3 5b 7f ff 77 e9 cd exception.symbol: random+0x6d090 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 446608 exception.address: 0xcad090 registers.esp: 2292824 registers.edi: 1968898280 registers.eax: 30600 registers.ebp: 4003311636 registers.edx: 13294071 registers.ebx: 242921 registers.esi: 0 registers.ecx: 1969094656	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 81 c7 0d 06 b5 1f 03 3c 24 e9 cb fd ff ff c1 exception.symbol: random+0x6e816 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 452630 exception.address: 0xcae816 registers.esp: 2292820 registers.edi: 13295432 registers.eax: 28880 registers.ebp: 4003311636 registers.edx: 1435545697 registers.ebx: 539488664 registers.esi: 0 registers.ecx: 1969094656	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 50 e9 9b ff ff ff 8b 14 24 81 c4 04 00 00 00 exception.symbol: random+0x6e512 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 451858 exception.address: 0xcae512 registers.esp: 2292824 registers.edi: 13324312 registers.eax: 28880 registers.ebp: 4003311636 registers.edx: 1435545697 registers.ebx: 539488664 registers.esi: 0 registers.ecx: 1969094656	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 57 81 ec 04 00 00 00 89 24 24 81 04 24 04 00 exception.symbol: random+0x6e89b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 452763 exception.address: 0xcae89b registers.esp: 2292824 registers.edi: 13298684 registers.eax: 0 registers.ebp: 4003311636 registers.edx: 1435545697 registers.ebx: 1259 registers.esi: 0 registers.ecx: 1969094656	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 55 e9 59 00 00 00 89 eb 5d e9 fa f8 ff ff 8b exception.symbol: random+0x1eaa1a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2009626 exception.address: 0xe2aa1a registers.esp: 2292824 registers.edi: 4294942504 registers.eax: 13101392 registers.ebp: 4003311636 registers.edx: 425984 registers.ebx: 425984 registers.esi: 14879786 registers.ecx: 1740832768	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 51 e9 b0 00 00 00 31 d3 5a 31 df 8b 1c 24 81 exception.symbol: random+0x1efa16 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2030102 exception.address: 0xe2fa16 registers.esp: 2292820 registers.edi: 4294942504 registers.eax: 27755 registers.ebp: 4003311636 registers.edx: 14873716 registers.ebx: 40960625 registers.esi: 14879786 registers.ecx: 625	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 55 89 14 24 e9 97 00 00 00 83 ea 01 83 ec 04 exception.symbol: random+0x1ef512 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2028818 exception.address: 0xe2f512 registers.esp: 2292824 registers.edi: 4294942504 registers.eax: 27755 registers.ebp: 4003311636 registers.edx: 14901471 registers.ebx: 40960625 registers.esi: 14879786 registers.ecx: 625	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 e2 3a 83 43 e9 b9 06 00 00 8b 14 exception.symbol: random+0x1ef68e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2029198 exception.address: 0xe2f68e registers.esp: 2292824 registers.edi: 0 registers.eax: 27755 registers.ebp: 4003311636 registers.edx: 14876603 registers.ebx: 40960625 registers.esi: 14879786 registers.ecx: 1549541099	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 56 50 57 bf b6 f3 ee 35 81 f7 77 d6 7e 6b 81 exception.symbol: random+0x1f6f7d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2060157 exception.address: 0xe36f7d registers.esp: 2292824 registers.edi: 14933480 registers.eax: 30308 registers.ebp: 4003311636 registers.edx: 95 registers.ebx: 14876629 registers.esi: 4294940384 registers.ecx: 202985	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 f8 c6 ff ff 87 3c 24 exception.symbol: random+0x1fe7a2 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2090914 exception.address: 0xe3e7a2 registers.esp: 2292816 registers.edi: 5844504 registers.eax: 1447909480 registers.ebp: 4003311636 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 14912929 registers.ecx: 20	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x1fe1bb exception.address: 0xe3e1bb exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 2089403 registers.esp: 2292816 registers.edi: 5844504 registers.eax: 1 registers.ebp: 4003311636 registers.edx: 22104 registers.ebx: 0 registers.esi: 14912929 registers.ecx: 20	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 6c 2b 2d 12 01 exception.symbol: random+0x1fc04a exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2080842 exception.address: 0xe3c04a registers.esp: 2292816 registers.edi: 5844504 registers.eax: 1447909480 registers.ebp: 4003311636 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 14912929 registers.ecx: 10	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 be 4f 54 b0 28 64 8f 05 00 00 00 00 exception.symbol: random+0x20186e exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 2103406 exception.address: 0xe4186e registers.esp: 2292784 registers.edi: 0 registers.eax: 2292784 registers.ebp: 4003311636 registers.edx: 2130566135 registers.ebx: 14948650 registers.esi: 14948437 registers.ecx: 2130527123	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 81 ea 59 ae df 40 56 e9 fc 01 00 00 50 b8 59 exception.symbol: random+0x2022f9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2106105 exception.address: 0xe422f9 registers.esp: 2292820 registers.edi: 5844504 registers.eax: 25659 registers.ebp: 4003311636 registers.edx: 14949469 registers.ebx: 33663499 registers.esi: 14948890 registers.ecx: 852948189	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 68 a5 6b 95 4b 89 1c 24 68 51 5b 5f 13 89 24 exception.symbol: random+0x202671 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2106993 exception.address: 0xe42671 registers.esp: 2292824 registers.edi: 5844504 registers.eax: 25659 registers.ebp: 4003311636 registers.edx: 14975128 registers.ebx: 33663499 registers.esi: 2283 registers.ecx: 4294944776	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 57 52 53 50 b8 48 80 97 7f 35 48 4c e8 41 89 exception.symbol: random+0x20fe82 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2162306 exception.address: 0xe4fe82 registers.esp: 2292820 registers.edi: 13287510 registers.eax: 30390 registers.ebp: 4003311636 registers.edx: 6 registers.ebx: 15006941 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb e9 c8 00 00 00 5e 01 df 5b 83 c7 04 51 e9 68 exception.symbol: random+0x21052c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2164012 exception.address: 0xe5052c registers.esp: 2292824 registers.edi: 4294939340 registers.eax: 30390 registers.ebp: 4003311636 registers.edx: 6 registers.ebx: 15037331 registers.esi: 1968968720 registers.ecx: 322689	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 e9 0c f8 ff ff c1 e2 06 e9 exception.symbol: random+0x2112d9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2167513 exception.address: 0xe512d9 registers.esp: 2292824 registers.edi: 4105686376 registers.eax: 28913 registers.ebp: 4003311636 registers.edx: 4294941312 registers.ebx: 1163956138 registers.esi: 1968968720 registers.ecx: 15038733	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 55 89 3c 24 51 68 a4 7a 1d 6e 8b 0c 24 83 c4 exception.symbol: random+0x21672b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2189099 exception.address: 0xe5672b registers.esp: 2292816 registers.edi: 0 registers.eax: 26010 registers.ebp: 4003311636 registers.edx: 1179202795 registers.ebx: 15036582 registers.esi: 1779687800 registers.ecx: 14995985	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb e9 ba 00 00 00 35 3f 07 f9 0b 01 c1 8b 04 24 exception.symbol: random+0x21c268 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2212456 exception.address: 0xe5c268 registers.esp: 2292816 registers.edi: 0 registers.eax: 84201 registers.ebp: 4003311636 registers.edx: 2130566132 registers.ebx: 1348702769 registers.esi: 15059591 registers.ecx: 1740832768	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 68 43 4a 03 43 89 04 24 53 89 14 24 ba b5 08 exception.symbol: random+0x238e65 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2330213 exception.address: 0xe78e65 registers.esp: 2292780 registers.edi: 15173367 registers.eax: 31191 registers.ebp: 4003311636 registers.edx: 2130566132 registers.ebx: 13284399 registers.esi: 15169261 registers.ecx: 1740832768	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 51 52 e9 b9 fd ff ff 8b 24 24 e9 91 04 00 00 exception.symbol: random+0x2389c4 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2329028 exception.address: 0xe789c4 registers.esp: 2292784 registers.edi: 15204558 registers.eax: 31191 registers.ebp: 4003311636 registers.edx: 2130566132 registers.ebx: 13284399 registers.esi: 15169261 registers.ecx: 1740832768	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 12 1b 03 79 ff 04 24 50 b8 ff ff exception.symbol: random+0x239243 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2331203 exception.address: 0xe79243 registers.esp: 2292784 registers.edi: 15176342 registers.eax: 0 registers.ebp: 4003311636 registers.edx: 2130566132 registers.ebx: 116969 registers.esi: 15169261 registers.ecx: 1740832768	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 50 e9 39 ff ff ff 41 81 f1 f1 32 0a 93 01 c8 exception.symbol: random+0x239e63 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2334307 exception.address: 0xe79e63 registers.esp: 2292784 registers.edi: 15180603 registers.eax: 26107 registers.ebp: 4003311636 registers.edx: 20470580 registers.ebx: 0 registers.esi: 2646566496 registers.ecx: 1740832768	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 68 44 88 72 19 89 1c 24 e9 07 00 00 00 01 fa exception.symbol: random+0x23b321 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2339617 exception.address: 0xe7b321 registers.esp: 2292784 registers.edi: 0 registers.eax: 30898 registers.ebp: 4003311636 registers.edx: 3514849120 registers.ebx: 1620185825 registers.esi: 15185408 registers.ecx: 0	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 50 e9 5a 02 00 00 89 04 24 e9 27 03 00 00 58 exception.symbol: random+0x23c369 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2343785 exception.address: 0xe7c369 registers.esp: 2292784 registers.edi: 322689 registers.eax: 0 registers.ebp: 4003311636 registers.edx: 3514849120 registers.ebx: 1553619598 registers.esi: 15185408 registers.ecx: 15190726	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 51 89 14 24 c7 04 24 77 bf d7 77 e9 21 00 00 exception.symbol: random+0x23d575 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2348405 exception.address: 0xe7d575 registers.esp: 2292784 registers.edi: 4294939668 registers.eax: 30690 registers.ebp: 4003311636 registers.edx: 1317623943 registers.ebx: 15221828 registers.esi: 29616464 registers.ecx: 210789999	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb e9 b8 01 00 00 31 f5 5e f7 d5 e9 9a 00 00 00 exception.symbol: random+0x241935 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2365749 exception.address: 0xe81935 registers.esp: 2292784 registers.edi: 15235189 registers.eax: 26457 registers.ebp: 4003311636 registers.edx: 4294943668 registers.ebx: 24811 registers.esi: 29616464 registers.ecx: 1971716238	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 55 89 34 24 55 51 68 28 a5 e5 73 8b 0c 24 81 exception.symbol: random+0x243f31 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2375473 exception.address: 0xe83f31 registers.esp: 2292784 registers.edi: 616256338 registers.eax: 30955 registers.ebp: 4003311636 registers.edx: 4294943668 registers.ebx: 15248974 registers.esi: 29616464 registers.ecx: 4294939400	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 68 ec ba 79 20 89 14 24 68 fc 4e 7a 2f 5a e9 exception.symbol: random+0x2449da exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2378202 exception.address: 0xe849da registers.esp: 2292780 registers.edi: 616256338 registers.eax: 15221484 registers.ebp: 4003311636 registers.edx: 4990640 registers.ebx: 1681337667 registers.esi: 29616464 registers.ecx: 4294939400	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb bb a3 b5 fd 5f e9 84 fd ff ff 83 ee 04 33 34 exception.symbol: random+0x244580 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2377088 exception.address: 0xe84580 registers.esp: 2292784 registers.edi: 616256338 registers.eax: 15251524 registers.ebp: 4003311636 registers.edx: 4990640 registers.ebx: 1681337667 registers.esi: 29616464 registers.ecx: 4294939400	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 f5 34 07 75 c1 24 24 04 c1 2c 24 exception.symbol: random+0x2444cb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2376907 exception.address: 0xe844cb registers.esp: 2292784 registers.edi: 616256338 registers.eax: 15224500 registers.ebp: 4003311636 registers.edx: 157417 registers.ebx: 0 registers.esi: 29616464 registers.ecx: 4294939400	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 97 d3 5c 64 89 1c 24 bb 27 29 f7 exception.symbol: random+0x24d8c9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2414793 exception.address: 0xe8d8c9 registers.esp: 2292784 registers.edi: 2298801283 registers.eax: 31506 registers.ebp: 4003311636 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 0 registers.ecx: 15261660	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb e9 c1 00 00 00 81 f1 70 e0 79 30 01 c8 e9 2e exception.symbol: random+0x25ab11 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2468625 exception.address: 0xe9ab11 registers.esp: 2292784 registers.edi: 15295071 registers.eax: 32541 registers.ebp: 4003311636 registers.edx: 2130566132 registers.ebx: 15346214 registers.esi: 15273194 registers.ecx: 0	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 68 60 e8 9d 07 89 3c 24 c7 04 24 93 62 f3 71 exception.symbol: random+0x25ac28 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2468904 exception.address: 0xe9ac28 registers.esp: 2292784 registers.edi: 15295071 registers.eax: 32541 registers.ebp: 4003311636 registers.edx: 2130566132 registers.ebx: 15346214 registers.esi: 4294938120 registers.ecx: 604292947	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 1d 00 00 00 83 c2 04 87 exception.symbol: random+0x2651b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2511289 exception.address: 0xea51b9 registers.esp: 2292784 registers.edi: 4294937976 registers.eax: 15385943 registers.ebp: 4003311636 registers.edx: 2130566132 registers.ebx: 15318461 registers.esi: 4374792 registers.ecx: 1894739	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 57 52 e9 ab 0a 00 00 01 d7 5a e9 3b 01 00 00 exception.symbol: random+0x270ad7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2558679 exception.address: 0xeb0ad7 registers.esp: 2292780 registers.edi: 15383829 registers.eax: 29855 registers.ebp: 4003311636 registers.edx: 15383829 registers.ebx: 15383829 registers.esi: 4374792 registers.ecx: 15403623	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb e9 c5 fd ff ff 55 89 0c 24 e9 b7 04 00 00 87 exception.symbol: random+0x270f89 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2559881 exception.address: 0xeb0f89 registers.esp: 2292784 registers.edi: 15383829 registers.eax: 29855 registers.ebp: 4003311636 registers.edx: 15383829 registers.ebx: 15383829 registers.esi: 4374792 registers.ecx: 15433478	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb bb 1a c0 c7 79 52 e9 ca 02 00 00 57 bf bb 03 exception.symbol: random+0x270b76 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2558838 exception.address: 0xeb0b76 registers.esp: 2292784 registers.edi: 15383829 registers.eax: 2304201554 registers.ebp: 4003311636 registers.edx: 15383829 registers.ebx: 15383829 registers.esi: 0 registers.ecx: 15406578	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 68 3e 3e 7b 65 8b 1c 24 57 54 5f 81 c7 04 00 exception.symbol: random+0x271934 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2562356 exception.address: 0xeb1934 registers.esp: 2292784 registers.edi: 604292945 registers.eax: 26342 registers.ebp: 4003311636 registers.edx: 15433295 registers.ebx: 4294944140 registers.esi: 0 registers.ecx: 15406578	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb e9 78 01 00 00 5a 83 c4 04 59 c1 ea 06 e9 2e exception.symbol: random+0x289fe3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2662371 exception.address: 0xec9fe3 registers.esp: 2292780 registers.edi: 15207767 registers.eax: 31055 registers.ebp: 4003311636 registers.edx: 15507165 registers.ebx: 16910336 registers.esi: 15207764 registers.ecx: 3738837507	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 53 51 e9 9f fa ff ff b9 02 7c df 7d 01 cf e9 exception.symbol: random+0x28a76a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2664298 exception.address: 0xeca76a registers.esp: 2292784 registers.edi: 15207767 registers.eax: 31055 registers.ebp: 4003311636 registers.edx: 15509856 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 2298801283	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb e9 bf 02 00 00 87 3c 24 e9 00 01 00 00 5d 81 exception.symbol: random+0x28aed8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2666200 exception.address: 0xecaed8 registers.esp: 2292780 registers.edi: 15510232 registers.eax: 26722 registers.ebp: 4003311636 registers.edx: 15509856 registers.ebx: 24786977 registers.esi: 0 registers.ecx: 2298801283	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 55 89 e5 51 89 04 24 50 c7 04 24 04 00 00 00 exception.symbol: random+0x28b2f2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2667250 exception.address: 0xecb2f2 registers.esp: 2292784 registers.edi: 15536954 registers.eax: 26722 registers.ebp: 4003311636 registers.edx: 15509856 registers.ebx: 24786977 registers.esi: 0 registers.ecx: 2298801283	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 3c 24 68 cf 15 7b 5f e9 92 00 00 exception.symbol: random+0x28b39a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2667418 exception.address: 0xecb39a registers.esp: 2292784 registers.edi: 15512958 registers.eax: 26722 registers.ebp: 4003311636 registers.edx: 15509856 registers.ebx: 24786977 registers.esi: 1964140625 registers.ecx: 0	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 89 3c 24 51 b9 93 33 3f 6a exception.symbol: random+0x28b958 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2668888 exception.address: 0xecb958 registers.esp: 2292784 registers.edi: 15512958 registers.eax: 0 registers.ebp: 4003311636 registers.edx: 15509856 registers.ebx: 15516346 registers.esi: 1964140625 registers.ecx: 13166929	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb b9 03 2b c7 5f 53 89 04 24 b8 00 a9 bf 6b 2d exception.symbol: random+0x28cb8b exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2673547 exception.address: 0xeccb8b registers.esp: 2292784 registers.edi: 15519612 registers.eax: 2736067432 registers.ebp: 4003311636 registers.edx: 0 registers.ebx: 1009009095 registers.esi: 1964140625 registers.ecx: 13166929	1
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: fb e9 1d 08 00 00 ff 74 24 04 8b 2c 24 57 51 e9 exception.symbol: random+0x290218 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2687512 exception.address: 0xed0218 registers.esp: 2292784 registers.edi: 15519612 registers.eax: 15564562 registers.ebp: 4003311636 registers.edx: 0 registers.ebx: 1009009095 registers.esi: 1964140625 registers.ecx: 1663438630	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (8 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.16/Jo89Ku7d/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/build.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/crypted.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/5447jsX.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/crypteda.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/25072023.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/pered.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/2020.exe

Performs some HTTP requests (8 events)

request	POST http://185.215.113.16/Jo89Ku7d/index.php
request	GET http://185.215.113.16/inc/build.exe
request	GET http://185.215.113.16/inc/crypted.exe
request	GET http://185.215.113.16/inc/5447jsX.exe
request	GET http://185.215.113.16/inc/crypteda.exe
request	GET http://185.215.113.16/inc/25072023.exe
request	GET http://185.215.113.16/inc/pered.exe
request	GET http://185.215.113.16/inc/2020.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.16/Jo89Ku7d/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 212 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c41000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00af0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ae0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2660 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02fb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:32 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00361000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02490000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 28, 2024, 10:38 a.m.	process_identifier: 2940 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

axplong.exe tried to sleep 1169 seconds, actually delayed analysis time by 1169 seconds

Steals private information from local Internet browsers (7 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (50 out of 73 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX1\lofsawd.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2068_133666212567898750\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\5447jsX.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\build.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI21442\python3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\python310.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2068_133666212567898750\python3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\clamer.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2068_133666212567898750\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\1000027001\buildred.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI21442\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2068_133666212567898750\stub.exe
file	C:\Users\test22\AppData\Local\Temp\1000014001\gawdth.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI21442\python311.dll
file	C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\onefile_2068_133666212567898750\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI21442\libcrypto-3.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI21442\Blsvr.exe

Creates hidden or system file (8 events)

Time & API	Arguments	Return
NtCreateFile July 28, 2024, 10:41 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 28, 2024, 10:41 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 28, 2024, 10:41 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 28, 2024, 10:41 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 28, 2024, 10:42 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 28, 2024, 10:42 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 28, 2024, 10:42 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 28, 2024, 10:42 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk

Drops a binary and executes it (14 events)

file	C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe
file	C:\Users\test22\AppData\Local\Temp\1000001001\build.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\5447jsX.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe
file	C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe
file	C:\Users\test22\AppData\Local\Temp\1000012001\2020.exe
file	C:\Users\test22\AppData\Local\Temp\1000014001\gawdth.exe
file	C:\Users\test22\AppData\Local\Temp\1000027001\buildred.exe
file	C:\Users\test22\AppData\Local\Temp\onefile_2068_133666212567898750\stub.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\clamer.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX1\lofsawd.exe

Drops an executable to the user AppData folder (7 events)

file	C:\Users\test22\AppData\Local\Temp\1000027001\buildred.exe
file	C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX1\lofsawd.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\5447jsX.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe

Executes one or more WMI queries (1 event)

wmi	SELECT * FROM Win32_Process

A process created a hidden window (10 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 28, 2024, 10:38 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe	1	1
ShellExecuteExW July 28, 2024, 10:38 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000001001\build.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000001001\build.exe	1	1
ShellExecuteExW July 28, 2024, 10:38 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe	1	1
ShellExecuteExW July 28, 2024, 10:38 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000003001\5447jsX.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000003001\5447jsX.exe	1	1
ShellExecuteExW July 28, 2024, 10:38 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe	1	1
ShellExecuteExW July 28, 2024, 10:38 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe	1	1
ShellExecuteExW July 28, 2024, 10:39 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe	1	1
ShellExecuteExW July 28, 2024, 10:39 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000012001\2020.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000012001\2020.exe	1	1
ShellExecuteExW July 28, 2024, 10:39 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000014001\gawdth.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000014001\gawdth.exe	1	1
ShellExecuteExW July 28, 2024, 10:39 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000027001\buildred.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000027001\buildred.exe	1	1

An executable file was downloaded by the process axplong.exe (9 events)

Time & API	Arguments	Status	Return
InternetReadFile July 28, 2024, 10:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEd*¨fð.)®ê«ö@ ` P@à©(p@ã(hS.text¸¬®``.dataÀ²@À.rdataP+Ð,´@@.eh_framà@À.pdata( â@@.xdataø ì@@.bss0À.idataPö@À.CRT``@À.tlsp@À.rsrc@à©â© @@.relocpì«@BUHåHMHULE DM(]ÃUHåHì èTöHÚÀt¹èO©ë ¹èC©èÞ H7ÛèÞ HÛè¾2HgÙøuH)ÛHÁèË;¸HÄ ]ÃUHåHì0HÛwHÈÚHgHD$ AÑL@H1HÂH#HÁè·¨)HÄ0]ÃUHåHì0ÇEüÿH¤ÙÇè=EüEüHÄ0]ÃUHåHì0ÇEüÿHuÙÇèEüEüHÄ0]ÃUHåHìpHÇEðÇEä0EäeHHEØHEØH@HEèÇEüë!HEðH;Eèu ÇEüëE¹èHCÿÐHMÙHEÐHEèHEÈHÇEÀHMÈHEÀHUÐðH± HEðH}ðu¨H&Ùøu¹è§ë?HÙÀu(HÿØÇHBÙHÂH(ÙHÁè§ë ÇèHÍØøu&HïØHÂHÕØHÁè]§H¦ØÇ}üuHØHE¸HÇE°HU°HE¸HH×HHÀtH×HA¸º¹ÿÐè8HÕØHÁHËAÿÐHØHHýÿÿHÁèèK0 HÁèsè©,H[×HHñHH çHØÎIÈÁè ,ÖÔÀu ÆÁè«¦ÁÀuèD¦ªHÄp]ÃUHåHì H9×ÇH<×ÇH?×ÇH¢ÖHEøHEø·f=MZt ¸éHEø@<HcÐHEøHÐHEðHEð=PEt ¸éHEðHÀHEèHEè··À=t =t)ëVHEè@\øw¸ëHHEèÐÀÀ¶Àë4HEèHEàHEà@løw¸ëHEààÀÀ¶Àë¸HÄ ]ÃUSHìHHl$@M HU(E ÀHHÁàHÁè¥HEðHE(HHEèÇEüéEüHHÅHEèHÐHHÁè¬¥HÀHÀHEàEüHHÅHEðHHEàHÁè0¥HEüHHÅHEèHÐHEüHHÅHEðHÈHHMàIÈHÁè¥EüEü;E eÿÿÿEüHHÅHEðHÐHÇHE(HUðHHÄH[]ÃUHåHì HMHEHÁè2¤HÀt¸ë¸ÿÿÿÿHÄ ]ÃÃff.@1ÀÃff.fUWVSHì(Hl$ H5ºHñÿ>HÃHÀtkHñÿR>H=>H÷¹HÙHÿ×Hú¹HÙHÆÿ×HÂ©HötHH ¯éÿÖH 6HÄ([^_]éÿÿÿfHYÿÿÿH5BÿÿÿH{©ë¼fUHåHì Ha©HÀt H UéÿÐH HÉtHÄ ]Hÿ%û<HÄ ]Ãf.fDUWVSHºÅgV/ëÔ'IÊHI(EJHMBMIÉLÂIûIZIRH¿OëÔ'=®²ÂIB HÞH¯ßHÕHÑÂHÁÆH¯ïHòLÆHÁÆL¯ÇHòHÆHÁÅHÁÆH¯ÇHòIÁÀH¾Êë±y7H¯îL¯ÆH1êHÝH»c®²ÂwÊëH¯ÖHÁÅH¯îHÚH1êH¯ÖHÚI1ÐHÂL¯ÆHÁÂH¯ÖIH1ÂH¯ÖHÚIr0LÚI9ñr`H»OëÔ'=®²ÂHñI¸Êë±y7I»c®²ÂwÊëfDHAøHÁH¯ÃHÁÀI¯ÀH1ÐHÁÀI¯ÀJI9ÉsØLÈL)ÐHHÐHáøHñLAM9Ár5H¹Êë±y7H¯ÁLÁH1ÐHºOëÔ'=®²ÂHÁÀH¯ÂHºùy7±gVHÂL9És2IºÅgV/ëÔ'I¸Êë±y7¶HÁI¯ÂH1ÐHÁÀI¯ÀHÂI9ÉuâHÐHÁè!H1ÐHºOëÔ'=®²ÂH¯ÂHÂHÁêH1ÐHºùy7±gVH¯ÂHÂHÁê H1Ð[^_]ÃHì8LD$PLD$PLL$XLD$(è³=HÄ8Ãff.Hì8LL$XLL$XLL$(èø=HÄ8ÃAWAVAUATUWVSL\$hA;IÊIÔMÉ=C¶DÿIùv1HÇÂÿÿÿÿÀâ½Ð¸)ÐIù%KtøHë@HÉ¶A¶JcHÙÿá@A¶HHÁá0HÊA¶HHÁá(HÊA¶HHÁá HÊA¶HHÁáHÊA¶HHÁáHÊA¶HHÁáHÊÀQ½È¸ LÆD)ÈÁà)ÈÁïK,"MK@¶ÿMhLuýû÷Ûã?éÁfI9ð?ÂHñÁêAÓL)ÙL9ÁÁâHÎ)ÐHM9ò¬ÁIÓIÂIÓãÙIÓëKYD¶YD¶9AÃHÐEzüDÙHÓàÙHÓèIA¶¶@DØAJýIÓÁIÓãÙIÓëKYD¶YD¶9AÃHÐEzþDÙHÓàÙHÓèIA¶¶@DØAJÿø@w!L9î8ÿÿÿÂàÁêH)ÖHM9òUÿÿÿI9ês/÷ßç?ÁIÓIÂIÓãùIÓëOYA¶E¶[AJÿDØL9ÕuÖI9ðt4HÇÂìÿÿÿHÐ[^_]A\A]A^A_ÃHòL)ÂÑÁâH)Î)ÐHëI9êrLâø@uÄëÉfHÇÂ¸ÿÿÿHÐ[^_]A\A]A^A_ÃLÊë¤@AVAUATUWVSL\$`A3HÕMÉBC¶DÿIùv6HÇÂÿÿÿÿÀä½Ð¸)ÐIù(K\ request_handle: 0x00cc000c	1	1
InternetReadFile July 28, 2024, 10:38 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $Àýxl???Wî>?Wî>.?Wî>?F>?Wî>???F>Ø?F>?w>?wé??w>?Rich?PEL³fà'rdºá@ @ª <°àÀÜP°1 TÀ2 ð0 @.textöpr `.rdatal'(v@@.dataøçÀ Ð @À.rsrcà°n@@.relocÜPÀRp@Bj¸ELHèêÑ¸ÄÀIÇEðhÀIEìeüÇÄÀIHÇEühlIPhtÀIèn\|MüÿhVHè}ÎÄènÑÃj¸LHèÑ¸\ÀIÇEðÀIEìeüÇ\ÀIðHÇEüh\lIPhÀIè\|MüÿhYHè&ÎÄèÑÃhPNè Ç$\HèÎYÃj¹Nè`hhHèïÍYÃ¹LNèöh~HèÙÍYÃhtHèÍÍYÃ¹NèÔhHè·ÍYÃjjh8N¹èNèðhHèÍYÃVWjèÑ³Y¿8NðÏè4jVÏÇ8NDHèÛhHè`ÍY_^Ã¹áNéû¹àNè[h¦Hè>ÍYÃhºHè2ÍYÃh°Hè&ÍYÃjjhàN¹8Nè®©hÄHèÍYÃVWjè@³Y¿àNðÏè£jVÏÇàNDHèJhÎHèÏÌY_^Ã¡8NÇØN8NH¡ÜNtNÃ¹ØNè¶hØHèÌYÃ¹øNè hìHèÌYÃhâHèwÌYÃÌÌÌÌÌÌÌÌÌÌD$Ã¸Ø§NÃÿt$jRQèíÿÿÿÿpÿ0èiPÄÃD$Pjè}²T$ÈèÎÿÿÿYYÃUìQQEVñEøEøÆEüVÇäH"bRPèðÞYYÆ^ÉÂD$ÇäHaaAÁÂVñFÇäH `PD$ÀPè¬ÞYYÆ^ÂAÇäHPèøÞYÃy¸Ä,IEAÃVñFÇäHPèÖÞöD$Yt jVèËYYÆ^ÂaaD$AÁÇHÂVñFÇäHPèÞöD$Yt jVèCËYYÆ^ÂAÇäHPèkÞYÃaÁaÇAØ,IÇDHÃVñFÇäHPè?ÞöD$Yt jVèðÊYYÆ^ÂAÇäHPèÞYÃVñV&fèpyYÆ^ÃQèPzYÃVÿt$ñV&fèyYYÆ^ÂVÿt$ñVèÛxYYÆ^ÂQè{YÃVñV&fèyVè#yYYÆ^ÃD$PèþyÌ¸ÿÿÿÃUììMôèÿÿÿhªIEôPèëÌVÿt$ñè:þÿÿÇDHÆ^ÂVÿt$ñè"þÿÿÇHÆ^ÂéIÆD$L$#Pü+ÂÀüøwÃéxpÂÂÂÁÂÂhð,IèIÌVÿt$ñèxýÿÿÇ°HÆ^ÂVñFÇäHPèÙÜöD$Yt jVèÉYYÆ^ÂAÇäHPè²ÜYÃD$VñxvPèýÿÿÇPHÆ^ÂVÿt$ñèýÿÿÇPHÆ^ÂVñFÇäHPèeÜöD$Yt jVèÉYYÆ^ÂAÇäHPè>ÜYÃVÿt$ñèýÿÿÇPHÆ^Âjÿqÿ1ÿTHÀ£¦ÃÂD$I;HÀÂÂD$D$AÁÂÃAÃAÿ1Èÿt$ÿRD$ÂD$D$AÁÂÃAÃT$Vt$BN@;Au ;u°^Ã2À^ÃD$T$HÂUìQQÿuUøÿuRÿPPè±ÿÿÿYYÉÂAVt$V;Bu;D$u°ë2À^ÂÁÇA°ËIÃD$L$Ç@¨tNÃUìì$¡ÁI3ÅEø}$VuWt¿-IWèRYPWMèÁ5MUàÿuRÿP}ôEàÿuðGEàMPè5Màè 5EÎPèg/Mèö4MøÆ_3Í^èÂÉÃUìì¡ÁI3ÅEüVÿuñUäMRÿP}øEäÎGEäPèäúÿÿMäÇPHè£4MÆUNMüÇ\H3ÍV^è'ÂÉÂUìì ¡ÁI3ÅEøEVìñÌPèE/ÿuEàÿuPèèþÿÿÄ$ÎPèGýÿÿMàè=4MÆUNMøÇ\H3ÍV^èÁÁÉÂVñFÇäHPèºÙöD$Yt jVèkÆYYÆ^ÂAÇäHPèÙYÃVÿt$ñÿt$èéþÿÿÇhHÆ^ÂUìäøì¡ÁI3ÄD$EVñL$Pè,.D$ÎPÿuÿuè ÿÿÿL$è3L$ÆÇhH^3ÌèÁå]ÂVñFÇäHPè ÙöD$Yt jVè»ÅYYÆ^ÂAÇäHPèãØYÃUìì ÑMøèýÿÿMäÿpÿ0è3ÿÿÿh\|¨IEäPèÛæÌVÿt$ñèÇhHÆ^ÂVt$WVùè_ùÿÿÇ\HFVGÇW_^Â¸-IÃÿt$è£YL$Pè7-D$ÂöD$Vñt jVèÅYYÆ^ÂÂ¸-IÃUì}uMjh\|/Iè&-ëÿuè©¢YMPèá,E]ÂöD$Vñt jVè®ÄYYÆ^ÂÂ¸°ËIÃ¸¨tNÃaÁaÇA-IÇPHÃVñFÇäHPè¬×öD$Yt jVè]ÄYYÆ^ÂAÇäHPè×YÃUììMôèÿÿÿh`©IEôPèåÌVÿt$ñè*øÿÿÇPHÆ^ÂÂVqÒtJÂð±;Ât ÐÀuí2À^Ã°^ÃðÿAÃðÿAÃVWÏÿñÇðÁFuÿðÁ~Ou Î_^ÿ`_^ÃÈÿðÁAuÿ`Ã3ÀÂ3À@AAÁÃÇ\HÃöD$VñÇ\Ht jVèuÃYYÆ^ÂSV3ÛñSèz3À^^^^^fF^fF ^$^(^,^09D$tÿt$Vè2YYÆ^[Âh$-IèÌVñWVè_~,Yt ÿv,èWNY3ÿ~,9~$t ÿv$èDNY~$9~t request_handle: 0x00cc000c	1	1
InternetReadFile July 28, 2024, 10:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ègX¬ô¬ô¬ôt÷ ôtñ ôtð ¹ôtõ ¯ô¬õ.ônð ¾ônñ ÷ôn÷ ´ô_ñ ô_ô ô_ö ôRich¬ôPELk\¢fà':ôA`@p@À ¸x (@\ HßßÞ@`l.textG12 `.zzZ P6 `.rdataò²`´>@@.data\| ò@À.reloc\ @"@B¹ ,Fè'=hÅ@Bè)pYÃj¸ü<Bèq¸¤FÇEðHFEìeüÇ¤FHbBÇEühýBPhTFèPGMüÿhÏ@BèÙoÄè©pÃj¸;=Bè¿p¸<FÇEðàFEìeüÇ<FgBÇEühøCPhìFèùFMüÿhÒ@BèoÄèRpÃhß@BèooYÃhÕ@BècoYÃhh/Fè?GÇ$é@BèKoYÃj¹4/Fè hõ@Bè3oYÃ¹d/Fè<hABèoYÃhABèoYÃjjhð/F¹ /FèÖUhABèònYÃVWjèÿÃY¿ð/FðÏèVjVÏÇð/FxsBèÀZhABèºnY_^Ã¹/Fé_V¹/Fè;h)ABènYÃ¹0Fè;h=ABènYÃh3ABèvnYÃÌÌÌÌÌÌÌVÿt$ñ3Àÿt$@FFFPÇ eBèfÄÆ^ÂVÿt$ñÇfBèÒYPNèa^Vÿt$ñ3Àÿt$@NFFÇeBèWÆ^ÂVÿt$ñf$NÇÄeBè¦=v$Æ^Âì$SUl$43ÀVWñD$ìÌUFèÖ}j[ÿtðÿGÇëÃPÎèw"ÿtÏè+}tEL$(D$$E Pèc3ÛD$$Cë3ÀD$D$D$ D$4D$D$Pèó-öÃtL$ãýÉtD$ +ÁàüPQèîYYöÃt L$(è0D$8ÎPè´ _Æ^][Ä$ÂVjñè¹D$Ç4fBb$ÇfBBÆR$^ÂUìQQVWÿuñè½ÿÿÿì0ÇlfB¾¨Ì'gè¯EøVPè¼ Ä8;øtPÏè·MüÉtèê!_ÆFvÆ^ÉÂj ¸":BèÊm]3ÿÇEèÿuèwÝYÈMä@t D$;Ç\|;÷v;Ç\|;ñv+ñÇëWÀfEÜEàuÜEìSMÔèN}Øu j^Öé}üAD%Àø@t<Eì;Ç\|3;÷v-H¶D@PL8èª7øÿtsÆÿuÜEìÐÿEìEàëÉAL8WÿuäÿuÿP$;EäuE;×uAEì;Ç\|3;÷v-H¶D@PL8èR7øÿtÆÿuÜEìÐÿEìEàëÉj^×ëj^ÖUè@\| \|$Müÿë;MPÑBj^Æj3É9J8EñðVÊè0¸6@ÃMüÿ3ÿj^]UèHËW3À9y8EðqòVèe0MÔè²Ãè¦kÃÌÌÌÌÌÃD$=rPèYÃÀtPè)hYÃ3ÀÃD$H#;È,QèhYÈÉt A#ààHüÃéÊ³SÙVW\|$C3+ÆÁø;øvWèa3VWÿt$è÷Äë<Uk+îÁýV;ýv t$UVèÙ®+ýsVWPèÉÄë Wÿt$èºÄ]¾_^C[Âj,è{gY@@fÇ@ÃS\$Ué¹ÿÿÿ;ÙwZjX;ØwSÿt$]UEèè/ÄÆ+ë4VWQPSè»ðNQèÞþÿÿSÿt$(ø]W}uè´/ÄÆ_^][ÂèZ.ÌSÙ¹ÿÿÿW\|$;ùwQjX;øwjÿt${SCèrvÄë.VQPWèNðNQèqþÿÿOQÿt$${PsèG/Ä^_[Âèò-ÌVt$WùNÉtèA#ÀtFG°ë2À_^ÂìÌÿt$èõD$L$ÿ0èa Ã\|$Vñt#ÿt$è\|D$Vÿ6ÿ0D$ÿ0èÄF^ÂT$BÀtðÿ@BAÂVt$W\|$+\|$Wÿt$VèuÄ7_^ÃL$D$ÿt$PQèÈÿÿÿÄÃUìE=rEPEPè¨EYYPÿuèÆeYY]ÃÑJ;JtD$BHJëÿt$QÊèËÂj¸?:Bè=iñuà]Ã+EF+=ÿÿÿ@EèPèîEìPèâüÿÿYø}äeüEÇEM N;ÙuÇ]ëVWSRèÄÓN]CVPQRèpÄMüÿÿuìÿuèWÎèäÃèhÂÿuìÿuäMàè-jjèMzè,ÌÌÌÌÌÌj¸\:Bèuhñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèLEìPÎèí+Ø]äeü<»M F9EuÓëVSÿuQèÄMFWVRPQèÄMüÿÿuìÿuèSÎèTÇèWgÂÿuìÿuäMàèÞ,jjèyèK+ÌÌÌÌÌÌj¸y:Bè²gñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèEìPÎè+Ø]äeü<»EV9UuÃëVSÿuQèÚÄMVGVPRQèÅÄMüÿÿuìÿuèSÎèÇèfÂÿuìÿuäMàè,jjèÇxèÌÌÌÌÌÌVñÿpÿt$èj,ÿ6è.cYY^ÂVt$WùëÿvÏÿt$èèÿÿÿVÿt$6è YY~ tÞ_^ÂVt$Nè(j,VèâbYY^ÃD$èt0èu+Vh¨èbðYötÿt$Îèÿ÷ÿÿÇPfBë3öÆ^Ãh°èkbYÀtÿt$Èè øÿÿÃ3ÀÃVj0èObðYÿt$NÇüeBèÆ^ÃVqÈèk:L$,Ét#SÿPÈØèP:L$è'Ã[^Â(èÑ2ÌQSÙºÿÿÿL$ÂUk+Å;ÁrlCVWR<)D$PWèUðNQèxùÿÿ request_handle: 0x00cc000c	1	1
InternetReadFile July 28, 2024, 10:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ègX¬ô¬ô¬ôt÷ ôtñ ôtð ¹ôtõ ¯ô¬õ.ônð ¾ônñ ÷ôn÷ ´ô_ñ ô_ô ô_ö ôRich¬ôPELº]¢fà':,A`@°@À ¸x (d HßßÞ@`l.textG12 `.zzZ P6 `.rdataò²`´>@@.data¼T Fò@À.relocd "8@B¹àdVè'=hÅ@Bè)pYÃj¸ü<Bèq¸ÄKVÇEðhKVEìeüÇÄKVHbBÇEühýBPhtKVèPGMüÿhÏ@BèÙoÄè©pÃj¸;=Bè¿p¸\KVÇEðKVEìeüÇ\KVgBÇEühøCPhKVèùFMüÿhÒ@BèoÄèRpÃhß@BèooYÃhÕ@BècoYÃh¨gVè?GÇ$é@BèKoYÃj¹tgVè hõ@Bè3oYÃ¹¤gVè<hABèoYÃhABèoYÃjjh0hV¹àgVèÖUhABèònYÃVWjèÿÃY¿0hVðÏèVjVÏÇ0hVxsBèÀZhABèºnY_^Ã¹ÙgVé_V¹ØgVè;h)ABènYÃ¹ÄhVè;h=ABènYÃh3ABèvnYÃÌÌÌÌÌÌÌVÿt$ñ3Àÿt$@FFFPÇ eBèfÄÆ^ÂVÿt$ñÇfBèÒYPNèa^Vÿt$ñ3Àÿt$@NFFÇeBèWÆ^ÂVÿt$ñf$NÇÄeBè¦=v$Æ^Âì$SUl$43ÀVWñD$ìÌUFèÖ}j[ÿtðÿGÇëÃPÎèw"ÿtÏè+}tEL$(D$$E Pèc3ÛD$$Cë3ÀD$D$D$ D$4D$D$Pèó-öÃtL$ãýÉtD$ +ÁàüPQèîYYöÃt L$(è0D$8ÎPè´ _Æ^][Ä$ÂVjñè¹D$Ç4fBb$ÇfBBÆR$^ÂUìQQVWÿuñè½ÿÿÿì0ÇlfB¾¨Ì'gè¯EøVPè¼ Ä8;øtPÏè·MüÉtèê!_ÆFvÆ^ÉÂj ¸":BèÊm]3ÿÇEèÿuèwÝYÈMä@t D$;Ç\|;÷v;Ç\|;ñv+ñÇëWÀfEÜEàuÜEìSMÔèN}Øu j^Öé}üAD%Àø@t<Eì;Ç\|3;÷v-H¶D@PL8èª7øÿtsÆÿuÜEìÐÿEìEàëÉAL8WÿuäÿuÿP$;EäuE;×uAEì;Ç\|3;÷v-H¶D@PL8èR7øÿtÆÿuÜEìÐÿEìEàëÉj^×ëj^ÖUè@\| \|$Müÿë;MPÑBj^Æj3É9J8EñðVÊè0¸6@ÃMüÿ3ÿj^]UèHËW3À9y8EðqòVèe0MÔè²Ãè¦kÃÌÌÌÌÌÃD$=rPèYÃÀtPè)hYÃ3ÀÃD$H#;È,QèhYÈÉt A#ààHüÃéÊ³SÙVW\|$C3+ÆÁø;øvWèa3VWÿt$è÷Äë<Uk+îÁýV;ýv t$UVèÙ®+ýsVWPèÉÄë Wÿt$èºÄ]¾_^C[Âj,è{gY@@fÇ@ÃS\$Ué¹ÿÿÿ;ÙwZjX;ØwSÿt$]UEèè/ÄÆ+ë4VWQPSè»ðNQèÞþÿÿSÿt$(ø]W}uè´/ÄÆ_^][ÂèZ.ÌSÙ¹ÿÿÿW\|$;ùwQjX;øwjÿt${SCèrvÄë.VQPWèNðNQèqþÿÿOQÿt$${PsèG/Ä^_[Âèò-ÌVt$WùNÉtèA#ÀtFG°ë2À_^ÂìÌÿt$èõD$L$ÿ0èa Ã\|$Vñt#ÿt$è\|D$Vÿ6ÿ0D$ÿ0èÄF^ÂT$BÀtðÿ@BAÂVt$W\|$+\|$Wÿt$VèuÄ7_^ÃL$D$ÿt$PQèÈÿÿÿÄÃUìE=rEPEPè¨EYYPÿuèÆeYY]ÃÑJ;JtD$BHJëÿt$QÊèËÂj¸?:Bè=iñuà]Ã+EF+=ÿÿÿ@EèPèîEìPèâüÿÿYø}äeüEÇEM N;ÙuÇ]ëVWSRèÄÓN]CVPQRèpÄMüÿÿuìÿuèWÎèäÃèhÂÿuìÿuäMàè-jjèMzè,ÌÌÌÌÌÌj¸\:Bèuhñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèLEìPÎèí+Ø]äeü<»M F9EuÓëVSÿuQèÄMFWVRPQèÄMüÿÿuìÿuèSÎèTÇèWgÂÿuìÿuäMàèÞ,jjèyèK+ÌÌÌÌÌÌj¸y:Bè²gñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèEìPÎè+Ø]äeü<»EV9UuÃëVSÿuQèÚÄMVGVPRQèÅÄMüÿÿuìÿuèSÎèÇèfÂÿuìÿuäMàè,jjèÇxèÌÌÌÌÌÌVñÿpÿt$èj,ÿ6è.cYY^ÂVt$WùëÿvÏÿt$èèÿÿÿVÿt$6è YY~ tÞ_^ÂVt$Nè(j,VèâbYY^ÃD$èt0èu+Vh¨èbðYötÿt$Îèÿ÷ÿÿÇPfBë3öÆ^Ãh°èkbYÀtÿt$Èè øÿÿÃ3ÀÃVj0èObðYÿt$NÇüeBèÆ^ÃVqÈèk:L$,Ét#SÿPÈØèP:L$è'Ã[^Â(èÑ2ÌQSÙºÿÿÿL$ÂUk+Å;ÁrlCVWR<)D$PWèUðNQèxùÿÿ request_handle: 0x00cc000c	1	1
InternetReadFile July 28, 2024, 10:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELB½à0ìÐÆ¹ @ @t¹O ÄÉX¹ H.text¬é ì `.rsrcÄÉ Ìð@@.reloc¼@B¨¹HT-M`ø0 1s, ~Ï%-&~Îþls- %Ï(+o/ 8Ðo0 ±%rprYp~1 (2 ¢%rqpr¯p~1 (2 ¢%rÇprp~1 (2 ¢%r!prap~1 (2 ¢( o3 81(4 s_sm~1 }Í~1 s5 (6 o7 }Í{ÍrqprÑp~1 (2 o8 ,rãprp~1 (2 +;rprap~1 (2 o8 -{Í(+{Í((9 þ 9:o: (; o< o= (> {Í((9 þ 9ñs? s? s? þ`s@ ~Ð%-&~ÎþmsA %Ð(+þas@ ~Ñ%-&~ÎþnsA %Ñ(+þbs@ ~Ò%-&~ÎþosA %Ò(+oB þ9E{Í±%rip¢oC r}p(> (C(+oE sF (N(+oToG #>@(H (I ioJ &ÞÞ(K þ9þcs@ ~Ó%-&~ÎþpsA %Ó(+þds@ ~Ô%-&~ÎþqsA %Ô(+þes@ ~Õ%-&~ÎþrsA %Õ(+ÞÞo_oaþfsL ~Ö%-&~ÎþssM %Ö(+ocoiþgsN ~×%-&~ÎþtsO %×(+oeþhsP ~Ø%-&~ÎþusQ %Ø(+ogþisR ~Ù%-&~ÎþvsS %Ù(+ok( +,dsm%o_%r£p(> oa%sU oc%oi%ok%sV oe%sW ogoX ( +,dsm%o_%rµp(> oa%sU oc%oi%ok%sV oe%sW ogoX ÞÞolþ,oX (Y :ÃúÿÿÞþoZ Üo[ :%úÿÿÞ,oZ ÜÞ&Þ + Añ,:ÕåäÉµDù4â$0sr rËp(\ (] þ , Ýî(srÝpo&8oo^ oo^ (rùpo8 ,4sr ³%-o_ oo oq +sr%oo%oq ÞÞXoþ:NÿÿÿÞ ÞÞÞ+ALPà1Ó 0sU ³%Ð°(` sa (\ (] þ , ÝS(s³%Ð\|(` sa o&8òsoo^ ooo^ oo(oÞÞÞoo(K - o+rýpoo(K - o+rýpoo(K - o+rýpoÜorýp(b ,oc Xoþ :úþÿÿÞÞÞÞ+*AdzJÄzRÌoC8{}0Ìs? (\ (] þ , Ý£(s³%Ð(` sa o&8Css%oo^ ov%oo^ o: .þox%oo^ oz%oo: 1þo\|%oo^ (d @Bj[!¶Yo~%oo^ o%r po(oo}jþ,-(e (f (g request_handle: 0x00cc000c	1	1
InternetReadFile July 28, 2024, 10:38 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¨:ìf}iìf}iìf}i§~hëf}i§xhSf}i§yhæf}iièf}ixhÄf}iyhýf}i~håf}i§\|hçf}iìf\|igf}iyhøf}ihíf}iRichìf}iPEdpZ¢fð" \°¯@0pÊ®`Á¼x ôàÄ X à@ .text `.rdata* ,@@.dataèÐ¸@À.pdataÄ à"Æ@@_RDATA\è@@.rsrc ô öê@@.relocX à@B@SHì è¥ßHèßHÓèSeHØèßHÓHÄ [éÜ%ÌÌÌÌÌÌÌÌÌÌÌÌHÃÃÌÌÌÌÌÌÌÌHT$HL$SUVWAVAWHì3ÀMðHÚHD$PHùHD$XH¿HD$`D@XD$(HL$ HD$ Iñèè DøÀt&HSDÀH è°EÿHÄA_A^_^][Ã¹ L¬$èû.LèHÀuLCH¨H åèÌéc¹ èÍ.HèHÀuLCHÊH ·èé5L¤$ÐDc@fL¸ L;àIÜºIÍHGØLÃèºãH;ÃãHèáÀÓL+ã\$(Ll$ f» Hl$03Ò\$8HL$ èfkøA¿ÿÿÿÿHùvwøtmL$8H+ÙMöt(MÎAWLÃHÍèêH;ÃuIÎè¦àÀtAÿë>HötLÃHÕHÎè¨Hó\|$8tÿtMätH¼$ÀéÿÿÿE3ÿë(¿ýÿÿÿH$ÈH ðHÂDÇèëA¿ÿÿÿÿL¤$ÐHL$ èIÍèN-HÍèF-L¬$AÇHÄA_A^_^][ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ@VAVHì(HHòLñHÀu2HÁxHoèº)IHÀuHVH _è3ÀHÄ(A^^ÃVE3ÀIVHÈèZåÀy!LFHgH è«3ÀHÄ(A^^ÃNL\|$ è¤,LøHÀu DNLFH}H èqé°~H\$@Hl$HH\|$PLd$XuMÏE3ÀHÖIÎèÁüÿÿÀtmë`^IïHÛt`A¼ ffMI;ÜHûA¸IGüHÍH×è^áHør HïH+ßuÔë"LFHßH èÛIÏèÏ+E3ÿH\|$PHl$HH\$@Ld$XIHÉtè»ÝIÇIÇL\|$ HÄ(A^^ÃÌÌÌÌÌÌÌÌ@SWAVHì0HúLñè¬Røÿu HÄ0A^_[ÃHl$PIx0HoLd$`HÕè¡ULàHÀu LÅHH ´è3AD$ÿéIHÀu1INxHèÑ'IHÀuHÕH wè»ÿÿÿÿé7WE3ÀIVHÈèrãÀy LÅHH µèÄ»ÿÿÿÿéuE3ÉMÄH×IÎè#ûÿÿØéãLl$(3ÛA½ L\|$ AÍèLøHÀuLÅH(H }èdA_ÿéHÿHt$XffMI;ýH÷A¸IGõIÏHÖè~ßHør1MÌA¸HÖIÏè¤æHørH+þu½ë+H,H YëHÜH LÅèÕ»ÿÿÿÿHt$XIÏè¿)Ll$(L\|$ IHÉtè¸ÛIÇIÌè©ÛÃHl$PLd$`HÄ0A^_[ÃÌÌÌÌÌÌÌÌ@SHì LIHÚLYM;ËsDMÑIALÃL+ÀfD¶B¶+ÑuHÿÀÉuíÒt/IcIÁLÈI;Âr I;ÃrÆ3ÀHÄ [ÃH gè²3ÀHÄ [ÃIÁHÄ [ÃÌH\$Hl$Ht$WHì HYHêHñHÇÇÿÿÿÿHÿÇ<u÷HIH;ÙsT{ouHKLÇHÕèä(ÀtHNHcHÃHØH;FrH;ÁrÏë!HCHÇ8tHCHÇëH Êè3ÀH\$0Hl$8Ht$@HÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌ@SHì HcHÙHÂH;AsH èÏHCHÄ [ÃÌÌÌÌÌH\$WHì0H?¸H3ÄHD$(HÙH HÉuHKxHaè¬$HHÈHÀtSH³HT$ HD$ A¸HÁèD$#è[YHøHÀt%HE3ÀHÐè9àÀyH"H è¸ÿÿÿÿégLHK ºXDB©èËÜHøsHH èV¸ÿÿÿÿé/K(E3ÀC,ÈC,C0ÈC0C4ÉÉH+ùK(ÈHÇXC4H{3ÿ»\|P²ÃS,HSHèßHcK0è'HCHÀuH®H óèÚGÿéµHcS0A¸LHÈèÜHøsH éIÿÿÿHcC0HCHHCègÙÀtH è'¸ÿÿÿÿëcHCH;CsGfDHÉHHÉHHÉHÊHcÊHÈHÁH;KrH;KrÍëH èÏ HHÉtè.ØH;3ÀHL$(H3ÌèH\$HHÄ0_ÃÌÌÌÌÌH\$Ht$WHì IØHòHùLLÊHÁxºè0=}vHxLËLØºè=}THx HÖHËèÅ 3ö·xP@f¶ H[ÀuïHÏèGýÿÿÀt"HHÉtèb×H73ÀH\$0Ht$8HÄ _ÃH\$0¸Ht$8HÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌHÉt7SHì HÙHIHÉtè%HHÉtè×HÇHËèå$HÄ [ÃÌÌÌ@SHì ºP¹è¿$HØHÀuHäH è° HÃHÄ [ÃÌÌÌÌÌÌÌLD$LL$ SUVWHì8IðHl$xHÚHùèëôÿÿHl$(LÎLÃHÇD$ H×HHÉèÀ¹ÿÿÿÿHÁHÄ8_^][ÃÌÌÌÌÌH\$Hl$Ht$ WHìHR´H3ÄH$pHALlLIHùHÁ(HD$ ºèÿº2·ÈØDBÒÿ¨fZ request_handle: 0x00cc000c	1	1
InternetReadFile July 28, 2024, 10:39 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ £XhcðXhcðXhcð`ñ_hcðfñìhcðgñRhcðëð[hcðë`ñQhcðëgñIhcðëfñphcðbñShcðXhbðÉhcðKìgñAhcðKìañYhcðRichXhcðPEdj¢fð"(ÐÀ@ÐÅ`ÁlÇx´+`"ÀhÀ@°P.text `.rdataB&°(@@.dataØsàÀ@À.pdata"`$Î@@.rsrc´+,ò@@.relochÀ@BHì(è/áHîÏè'áHHÝÏHHH ÒÏHÄ(é¹$ÌÌÌÌÌÌÌÌÌHqCÃÌÌÌÌÌÌÌÌH\$Hl$ LD$VWATAUAWHì Hò3íHý§DýIøHÙA½ÿÿÿÿèå.LàHÀuHVH Ú§èMéVE3ÀHIÌè7éÀyLFHä§H ¨èé¯Nè0LøHÀu DNLFH¨H ¦èXé~uMÏE3ÀHÖIÌèÌëW^Lt$PM÷HÛt;¸ DH;ØHûMÌA¸HGøIÎH×è^åHørhL÷¸ H+ßuÏÅH\|$`Lt$PÀtIÏèÓ/LýIÌèØáIïMÿtH×IÏèù.DèHÍèª/H\$XAÅHl$hHÄ A_A]A\_^ÃLFH!¦H N¦è}AÅëÌÌÌÌÌÌÌÌHT$HL$SUVWAVAWHì3ÀMðHÚHD$PHùHD$XA¸XHD$`H@¤D$(HL$ HD$ èIñèXDøÀt(HSDÀH #¤è¸ÿÿÿÿHÄA_A^_^][Ã¹ L¬$èç.LèHÀuLCH4¤H q¤è¸é\¹ è¹.HèHÀuLCHV¤H C¤èé.L¤$ÐA¿ÿÿÿÿDc¸ IÜL;àLÏºIÍHGØLÃèªãH;ÃæHÏè áÀÖL+ã\$(Ll$ f» Hl$03Ò\$8HL$ èøA¿ÿÿÿÿHùv\|øtrL$8H+ÙMöt)MÎLÃºHÍènêH;ÃuIÎèàÀtAÿëBHötLÃHÕHÎè}Hó\|$8{ÿÿÿÿtMätH¼$ÀéÿÿÿE3ÿë ¿ýÿÿÿH$ÈH {£HÂDÇèïL¤$ÐHL$ èmIÍèA-HÍè9-L¬$AÇHÄA_A^_^][ÃÌÌH\$ VAVAWHì HòHÙH¤E3öè +LøHÀu!HVH ¤èu3ÀH\$XHÄ A_A^^ÃVE3ÀHIÏèSåÀyLFH¤H 5¤è¤é»Nè§,LðHÀu DNLFH ¤H -¢èté~uMÎE3ÀHÖIÏèèüÿÿëc^Hl$@IîH\|$HLd$PHÛt8A¼ fDI;ÜHûMÏA¸IGüHÍH×ènáHørBHïH+ßuÔ3ÀH\|$HHl$@Ld$PÀtIÎèã+E3öIÏèèÝH\$XIÆHÄ A_A^^ÃLFHW¢H ¢è³¸ÿÿÿÿëªÌÌÌÌÌÌÌÌÌÌÌÌ@SWHì8znHúHÙu$èxúÿÿØÀyHWH _£èÃHÄ8_[ÃHn£Ld$`IÈèe)LàHÀu(LGHR£H £è6Ld$`¸ÿÿÿÿHÄ8_[ÃH2¢L\|$ HËè!)LøHÀuHWH ¢è»ÿÿÿÿéTWE3ÀHIÏènãÀy!LGH¢H P¢è¿»ÿÿÿÿéuE3ÉMÄH×IÏè.ûÿÿØéôLl$03ÛA½ Lt$(AÍèLðHÀu!LGHÂ H è^»ÿÿÿÿé§Ht$XwHöHl$P@ffI;õHîMÏA¸IGíIÎHÕènßHør1MÌA¸HÕIÎèæHørH+õu½ë,H¼ H é ëHl H LGèÄ»ÿÿÿÿHl$PIÎè®)Ht$XLl$0Lt$(IÏè§ÛIÌèÛL\|$ ÃLd$`HÄ8_[ÃH\$Ht$WHì HHòHùH;spfffD¶CA@¦¨÷t:Aødt4Aønt.Aøxt(HCLÆL+À¶B¶+ÑuHÿÀÉuíÒëHKHÖèí)Àt HØH;r3ÀH\$0Ht$8HÄ _ÃHt$8HÃH\$0HÄ _ÃÌÌÌÌÌÌ@SHì HHÇHÛtHè(HËHÄ [é(HÄ [ÃÌÌÌÌÌÌÌÌÌÌÌÌHÂÃÌÌÌÌÌÌÌÌÌÌH\$Hl$ WHìH7ÇH3ÄH$HYHé3ÛèK&HøHÀH ºH$H$A¸HÁèHÏH´$¨$è5]HðHÀ7E3ÀHÐHÏèoàÀyH H UèÄ é LÏHL$ ºXA¸èÝHøsH H _è é×º`¹èn'HØHÀuHûH ( è_ é¨LÍL ºHËèÓD$(H ÈD$(LL$8D$,LîÈD$,º@D$0ÈD$0D$4ÈD$4èD$(E3ÀH+ðHÏHFXHT$,HÐèhßL$0èÛ&HHÀuHH eè¬éõT$0LÏA¸HÈèîÛHøsH}H JèyéÂD$0HÏHHèÙÀtH gèÚ éHH;DâÄfo Rf3ÀAø\|óof8ÁóëfÉHÿÀHø\|ï¶JA¦¨÷tùdtùnt ùxt2Àë° ÀHÐH;rHÏè¶×H´$¨HÃH$H3ÌèL$I[ Ik(Iã_ÃÌÌÌÌÌÌÌÌÌÌLD$LL$ SUVWH request_handle: 0x00cc000c	1	1
InternetReadFile July 28, 2024, 10:39 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $$2â`å\±`å\±`å\±Ôy±hå\±Ôy¯±ëå\±Ôy®±må\±à¡±bå\±àX°rå\±à_°jå\±àY°Yå\±iß±iå\±iÛ±bå\±iÏ±gå\±`å]±Cä\±îY°Rå\±î\°aå\±î£±aå\±î^°aå\±Rich`å\±PEd#@fð"!hà.@`Á 4ÔP\|ÿ l0p À6T7(ð³@¼ .textngh `.rdataÄ(*l@@.data\ç°@À.pdatal0 2°@@.didat`àâ@À_RDATA\ðæ@@.rsrc\|ÿè@@.relocp è@BH 9¹éÌÌÌÌH Éùé¸¤ÌÌÌÌHì(H 5ùèdH ÉeHÄ(é¸H Éeé¬ÌÌÌÌHì(èÌájHÄ(ÃÌÌÌÌÌÌÌÌÌÌÌÌH éjéûÌÌÌÌH ÙeélÌÌÌÌH Ùeé\ÌÌÌÌHì(H lèØ¦H ÉeHÄ(é8H Éeé,ÌÌÌÌH ÉeéÌÌÌÌH ÉeéÌÌÌÌHì(H ¥kèTH éeHÄ(éèH )féÜÌÌÌÌHì(H ÅlèH fHÄ(é¸H fé¬ÌÌÌÌH\$Hl$Ht$WHì0HñIØIÈHú3íèhLÀHÓHÏè¯DE H.HÐHnHÎHnHØè$HkHÆHt$Pf+Hl$HHÇCH\$@HÄ0_ÃÌÌÌH\$Ht$WHì0Hù3öHJHÚH;Js!HzHAHBHÂrHfDHftHëE·ÈºDÆHËè"A¸ H7HÓHwHÏHwè$HsHÇf3Ht$HHÇCH\$@HÄ0_ÃHì(HA'H;Áv'HÈè[HÈHÀtHÀ'HààHHøHÄ(ÃèqfÌèçÌÌÌH\$Hl$Ht$WAVAWHì I¾þÿÿÿÿÿÿIØLúHùM;ÆÌHÇAHûsHYHÛLÃèS#3öf4;éHÃ3öHÈI;ÆvH¸ÿÿÿÿÿÿÿHë.¹ LðH;ÁH¸ÿÿÿÿÿÿÿLBñINH;Èw^HÉHùr èÿÿÿHèëHÉtèxëïHîH_I×HÛH/LÃLwHÍèÇ"f4+H\$@Hl$HHt$PHÄ A_A^_ÃèåÌècÌÌÌHÒH\$Ht$WHì H¸ÿÿÿÿÿÿÿHñH;ÐwoHHûr HËè}þÿÿHøëHÛt HËèÛ ëì3ÿH>H;H~LÃ3ÒHFHÏèÛ(Hd$0H;HL$0HFèOH\$8Ht$@HÄ _ÃèÖÌÌH\$WHì HÚIøH+ÙHÑLÃHÏèÛ!H;H\$0HÄ _ÃHÄHXHhHpHx ATAVAWHì H»þÿÿÿÿÿÿMùLòHùH;ÓHiHÊE3äH;ÓwHÍHÃHÑéH+ÁH;èvH¸ÿÿÿÿÿÿÿHë1H)HÚH;ÐHBØH¸ÿÿÿÿÿÿÿHKH;È HÉHùr èLýÿÿHðëHÉtèëïIôH_I×K6LwLÃHÎèþ fD$3Hýr1HHmHúrLAøHÂ'I+ÈHAøHøw3IÈèH7HÇH\$@Hl$HHt$PH\|$XHÄ A_A^A\ÃèØ ÌèVcÌèP ÌÌÌÌH\$Hl$Ht$WATAUAVAWHì LqH»þÿÿÿÿÿÿHÃMéI+ÆHñH;Â@HiM<I×E3ÀHÊH;ÓwHÍHÃHÑéH+ÁH;èvH¸ÿÿÿÿÿÿÿHë1H)HÚH;ÐHBØH¸ÿÿÿÿÿÿÿHKH;ÈéHÉHùr èûûÿÿHøëHÉtè\ëïIøHD$pO6LðL~H^M$8HÏL<HýrSHHÓèMÇIÕIÌè3ÀHmfBwHúrHKøHÂ'H+ÙHCøHøwMHÙHËèëHÖèGMÇIÕIÌè93ÀfBwH>HÆH\$PHl$XHt$`HÄ A_A^A]A\_ÃèÎaÌèÈÌè>ÌÌH\$Hl$Ht$WATAUAVAWHì LqH¿þÿÿÿÿÿÿHÇE·ùI+ÆHñH;ÂHiM$IÔE3íHÊH;×wHÍHÇHÑéH+ÁH;èvH¸ÿÿÿÿÿÿÿHë1H)HúH;ÐHBøH¸ÿÿÿÿÿÿÿHOH;ÈÇHÉHùr ènúÿÿHØëHÉtèÏ ëïIÝMöLfH~MÆHËHýrIH>H×èHmfE<fElHúrHOøHÂ'H+ùHGøHøwCHùHÏè¨ ëHÖèÒfE<fElHHÆH\$PHl$XHt$`HÄ A_A^A]A\_Ãèc`Ìè]ÌèÓÌÌÌ@SHì HÙHÂH ÅWÀHHSHHèsHÀHHÃHÄ [Ã@SHì HÙHÂH WÀHHSHHè7HHHÃHÄ [ÃHaHLpHAHùHHÁÃÌÌ@SHì HÙHÂH -WÀHHSHHèÛHÃHÄ [ÃÌÌ@SHì HHÛtIHHÉtAHSH+ÑHÑúHÒHúrLAøHÂ'I+ÈHAøHøwIÈèGH#HcHcHÄ [Ãè&_ÌÌé»ÌÌÌ@SHì HÙH HÉtAHSH+ÑHÑúHÒHúrLAøHÂ'I+ÈHAøHøwIÈèàH#HcHcHÄ [Ãè¿^ÌÌÌH9HHÁéÌÌÌÌÌH\$WHì HHùHÚHÁèZöÃt ºHÏèxH\$0HÇHÄ _ÃÌÌ@USVWAUAVAWH¬$PÿÿÿHì°H³£H3ÄH IÙIðLúLñE3íLmfoÖnóEfDm¿MÉÊLmàWÀóEðHËèf^LÀHÓHMàèw÷ÿÿE3ÀHUàHM`èöÿÿLÃHÐHM@è öÿÿE3ÀHÐHM èvöÿÿHÐHxrHL@HMèÃHM è%HM@èHM`èHUøHúr2HUHMàHÁH;×rHÂ'HIøH+ÁHÀøHøèè@¹£è HØLmàWÀóEðHÈè]LÀHÓHMàè öÿÿE3À request_handle: 0x00cc000c	1	1
InternetReadFile July 28, 2024, 10:39 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELG¢ôà0ìÐ¢¹ @ @P¹O ÄÉ4¹ H.texté ì `.rsrcÄÉ Ìð@@.reloc¼@B¹HT-èM<ø0 1s, ~Ï%-&~Îþls- %Ï(+o/ 8Ðo0 ±%rprYp~1 (2 ¢%rqpr¯p~1 (2 ¢%rÇprp~1 (2 ¢%r!prap~1 (2 ¢( o3 81(4 s_sm~1 }Í~1 s5 (6 o7 }Í{ÍrqprÑp~1 (2 o8 ,rãprp~1 (2 +;rprap~1 (2 o8 -{Í(+{Í((9 þ 9:o: (; o< o= (> {Í((9 þ 9ñs? s? s? þ`s@ ~Ð%-&~ÎþmsA %Ð(+þas@ ~Ñ%-&~ÎþnsA %Ñ(+þbs@ ~Ò%-&~ÎþosA %Ò(+oB þ9E{Í±%rip¢oC r}p(> (C(+oE sF (N(+oToG #>@(H (I ioJ &ÞÞ(K þ9þcs@ ~Ó%-&~ÎþpsA %Ó(+þds@ ~Ô%-&~ÎþqsA %Ô(+þes@ ~Õ%-&~ÎþrsA %Õ(+ÞÞo_oaþfsL ~Ö%-&~ÎþssM %Ö(+ocoiþgsN ~×%-&~ÎþtsO %×(+oeþhsP ~Ø%-&~ÎþusQ %Ø(+ogþisR ~Ù%-&~ÎþvsS %Ù(+ok( +,dsm%o_%r£p(> oa%sU oc%oi%ok%sV oe%sW ogoX ( +,dsm%o_%rµp(> oa%sU oc%oi%ok%sV oe%sW ogoX ÞÞolþ,oX (Y :ÃúÿÿÞþoZ Üo[ :%úÿÿÞ,oZ ÜÞ&Þ + Añ,:ÕåäÉµDù4â$0sr rËp(\ (] þ , Ýî(srÝpo&8oo^ oo^ (rùpo8 ,4sr ³%-o_ oo oq +sr%oo%oq ÞÞXoþ:NÿÿÿÞ ÞÞÞ+ALPà1Ó 0sU ³%Ð°(` sa (\ (] þ , ÝS(s³%Ð\|(` sa o&8òsoo^ ooo^ oo(oÞÞÞoo(K - o+rýpoo(K - o+rýpoo(K - o+rýpoÜorýp(b ,oc Xoþ :úþÿÿÞÞÞÞ+*AdzJÄzRÌoC8{}0Ìs? (\ (] þ , Ý£(s³%Ð(` sa o&8Css%oo^ ov%oo^ o: .þox%oo^ oz%oo: 1þo\|%oo^ (d @Bj[!¶Yo~%oo^ o%r po(oo}jþ,-(e (f (g request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002de00', u'virtual_address': u'0x00001000', u'entropy': 7.984723801335668, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.98472380134

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00193600', u'virtual_address': u'0x00309000', u'entropy': 7.952774004070317, u'name': u'efnzbsnu', u'virtual_size': u'0x00194000'}

entropy

7.95277400407

description

A section with a high entropy has been found

entropy

0.993915929204

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 28, 2024, 10:41 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Yara rule detected in process memory (32 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Queries for potentially installed applications (50 out of 78 events)

Time & API	Arguments	Status
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000594 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: AddressBook base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: Connection Manager base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: EditPlus base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: ENTERPRISE base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: Fontcore base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: Google Chrome base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: IE40 base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: IE4Data base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: IE5BAKEX base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: IEData base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: MobileOptionPack base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: SchedulingAgent base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: WIC base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-0015-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-0016-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-0018-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-0019-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-001A-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-001B-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-001F-0409-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-001F-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-0028-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-002C-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-0030-0000-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-0044-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-006E-0409-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-006E-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-00A1-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-00BA-0409-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {90120000-0114-0412-0000-0000000FF1CE} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1
RegOpenKeyExW July 28, 2024, 10:41 a.m.	regkey_r: {d992c12e-cab2-426f-bde3-fb8c53950b0d} base_handle: 0x00000594 key_handle: 0x00000598 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}	1
RegOpenKeyExW July 28, 2024, 10:42 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000444 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1
RegOpenKeyExW July 28, 2024, 10:42 a.m.	regkey_r: AddressBook base_handle: 0x00000444 key_handle: 0x00000440 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1
RegOpenKeyExW July 28, 2024, 10:42 a.m.	regkey_r: Connection Manager base_handle: 0x00000444 key_handle: 0x00000440 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1
RegOpenKeyExW July 28, 2024, 10:42 a.m.	regkey_r: DirectDrawEx base_handle: 0x00000444 key_handle: 0x00000440 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1
RegOpenKeyExW July 28, 2024, 10:42 a.m.	regkey_r: EditPlus base_handle: 0x00000444 key_handle: 0x00000440 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1
RegOpenKeyExW July 28, 2024, 10:42 a.m.	regkey_r: ENTERPRISE base_handle: 0x00000444 key_handle: 0x00000440 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE	1
RegOpenKeyExW July 28, 2024, 10:42 a.m.	regkey_r: Fontcore base_handle: 0x00000444 key_handle: 0x00000440 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1
RegOpenKeyExW July 28, 2024, 10:42 a.m.	regkey_r: Google Chrome base_handle: 0x00000444 key_handle: 0x00000440 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1
RegOpenKeyExW July 28, 2024, 10:42 a.m.	regkey_r: Haansoft HWord 80 Korean base_handle: 0x00000444 key_handle: 0x00000440 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1
RegOpenKeyExW July 28, 2024, 10:42 a.m.	regkey_r: IE40 base_handle: 0x00000444 key_handle: 0x00000440 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1
RegOpenKeyExW July 28, 2024, 10:42 a.m.	regkey_r: IE4Data base_handle: 0x00000444 key_handle: 0x00000440 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1

Communicates with host for which no DNS query was performed (4 events)

host	185.215.113.16
host	185.215.113.67
host	185.215.113.9
host	45.33.6.223

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 358 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA July 28, 2024, 10:38 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 28, 2024, 10:38 a.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (2 events)

file	C:\Windows\Tasks\axplong.job
file	C:\Windows\Tasks\Test Task17.job

Harvests credentials from local FTP client softwares (2 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Collects information about installed applications (50 out of 54 events)

Time & API	Arguments	Status
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:41 a.m.	key_handle: 0x00000598 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 한컴오피스 한글 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Access MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Excel MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office PowerPoint MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Publisher MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Outlook MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Word MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proof (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office IME (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Enterprise 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office InfoPath MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OneNote MUI (Korean) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExW July 28, 2024, 10:42 a.m.	key_handle: 0x00000440 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Groove MUI (English) 2007 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName	1

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob

Deletes a large number of files from the system indicative of ransomware, wiper malware or system destruction (50 out of 120 events)

file	C:\Users\test22\AppData\Local\Temp\RarSFX0\clamer.exe
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\__tmp_rar_sfx_access_check_16952343
file	C:\Users\test22\AppData\Local\Temp\RarSFX0\1.bat
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\_decimal.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\_ctypes.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\_queue.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\_cffi_backend.cp310-win_amd64.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\cryptography-42.0.8.dist-info\INSTALLER
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\unicodedata.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\cryptography-42.0.8.dist-info\top_level.txt
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\_lzma.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\certifi\cacert.pem
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\base_library.zip
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\cryptography-42.0.8.dist-info\WHEEL
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\cryptography-42.0.8.dist-info\REQUESTED
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\_pytransform.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\cryptography-42.0.8.dist-info\LICENSE.APACHE
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\_brotli.cp310-win_amd64.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\cryptography-42.0.8.dist-info\RECORD
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\certifi\py.typed
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\_bz2.pyd
file	C:\Users\test22\AppData\Local\Temp\_MEI24522\api-ms-win-core-interlocked-l1-1-0.dll

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2372 resumed a thread in remote process 1964
NtResumeThread July 28, 2024, 10:42 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 1964	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 28, 2024, 10:38 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 f8 c6 ff ff 87 3c 24 exception.symbol: random+0x1fe7a2 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2090914 exception.address: 0xe3e7a2 registers.esp: 2292816 registers.edi: 5844504 registers.eax: 1447909480 registers.ebp: 4003311636 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 14912929 registers.ecx: 20	1	0	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
Sangfor	Trojan.Win32.Kryptik.Vl55
BitDefender	Gen:Variant.Kryptik.260
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
McAfee	Artemis!8C0430EE2841
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
Alibaba	Packed:Win32/Themida.1e4423b8
MicroWorld-eScan	Gen:Variant.Kryptik.260
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
TrendMicro	Trojan.Win32.PRIVATELOADER.YXEG1Z
McAfeeD	Real Protect-LS!8C0430EE2841
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.8c0430ee2841a655
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=86)
Kingsoft	Win32.HeurC.KVMH008.a
Gridinsoft	Trojan.Win32.Amadey.tr
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36810.XDWaa81ut1oi
DeepInstinct	MALICIOUS
Malwarebytes	Malware.Heuristic.2025
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	Trojan.Win32.PRIVATELOADER.YXEG1Z
Tencent	Win32.Trojan.Generic.Kjgl
Fortinet	W32/PossibleThreat
AVG	Win32:TrojanX-gen [Trj]
Paloalto	generic.ml
CrowdStrike	win/malicious_confidence_100% (W)

random.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All