Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	July 31, 2024, 7:25 a.m.	July 31, 2024, 7:30 a.m.

Size	1.8MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`037f916ac94fcc198a7253a0daf62777`
SHA256	`f0167568d478299cd5d6b6336d6b6f27123154776c5b89edc6faa3dfa0efb81a`
CRC32	`0A8BBE93`
ssdeep	`24576:XY/JCuINmBP3ZomWFOPtl26WbqRC+fxxTVfoOrx4MSqmzjCPsvjNt/Qfqr0S+iC6:6FftlTw+JJNoZXCkvjb/Wqr0qOa6k`
Yara	PE_Header_Zero - PE File Signature anti_vm_detect - Possibly employs anti-virtualization techniques IsPE32 - (no description)

sand.exe "C:\Users\test22\AppData\Local\Temp\sand.exe"
2556
- explorti.exe "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
  2816
  - ab417aa83e.exe "C:\Users\test22\1000029002\ab417aa83e.exe"
    1264
  - 22fc86ad3a.exe "C:\Users\test22\AppData\Local\Temp\1000030001\22fc86ad3a.exe"
    2188
    - axplong.exe "C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe"
      2540
      - GOLD.exe "C:\Users\test22\AppData\Local\Temp\1000002001\GOLD.exe"
        2716
      - 4434.exe "C:\Users\test22\AppData\Local\Temp\1000003001\4434.exe"
        3020
      - crypteda.exe "C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe"
        1780
      - 25072023.exe "C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe"
        2452
      - pered.exe "C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe"
        1304
        
        pered.exe "C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe"
        920
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
coe.com.vn	A 103.28.36.182	103.28.36.182

IP Address	Status	Action
185.215.113.16	Active	Moloch
103.28.36.182	Active	Moloch
164.124.101.2	Active	Moloch
185.215.113.19	Active	Moloch
185.215.113.67	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.19:80 -> 192.168.56.101:49164	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49165 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49165	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 185.215.113.19:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49167	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.16:80 -> 192.168.56.101:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49167	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49167	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 103.28.36.182:443 -> 192.168.56.101:49187	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 103.28.36.182:443 -> 192.168.56.101:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49182 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49177 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 185.215.113.67:40960 -> 192.168.56.101:49191	2400032	ET DROP Spamhaus DROP Listed Traffic Inbound group 33	Misc Attack
TCP 192.168.56.101:49181 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 103.28.36.182:443 -> 192.168.56.101:49183	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 185.215.113.16:80 -> 192.168.56.101:49167	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.101:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49168 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49167 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.101:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 185.215.113.19:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49176 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49185 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49186 -> 103.28.36.182:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49172 -> 185.215.113.16:80	2044623	ET MALWARE Amadey Bot Activity (POST)	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49172 -> 185.215.113.16:80	2044696	ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2	A Network Trojan was detected
TCP 192.168.56.101:49172 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA July 31, 2024, 7:26 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (50 out of 106 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 31, 2024, 7:25 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:25 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:25 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:25 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:25 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:25 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:25 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:25 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:25 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:25 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:25 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:26 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:27 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:27 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:27 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:27 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:27 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:27 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:27 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:27 a.m.			0	0
IsDebuggerPresent July 31, 2024, 7:27 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (14 events)

Time & API	Arguments	Status	Return
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b1d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b158 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075b918 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 31, 2024, 7:26 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0075bad8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 31, 2024, 7:26 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	upgbvxgh
section	iqndoduh
section	.taggant

One or more processes crashed (50 out of 528 events)

Time & API	Arguments	Status
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: sand+0x31f0b9 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 3272889 exception.address: 0x4ef0b9 registers.esp: 9436744 registers.edi: 0 registers.eax: 1 registers.ebp: 9436760 registers.edx: 6901760 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 4e e7 92 6e 89 04 24 b8 00 29 fb exception.symbol: sand+0x6cdb6 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 445878 exception.address: 0x23cdb6 registers.esp: 9436708 registers.edi: 1968898280 registers.eax: 28758 registers.ebp: 3992367124 registers.edx: 1900544 registers.ebx: 902556667 registers.esi: 2346378 registers.ecx: 1969094656	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 31 c0 e9 cc f8 ff ff 05 b6 34 be 78 e9 30 00 exception.symbol: sand+0x6d7b0 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 448432 exception.address: 0x23d7b0 registers.esp: 9436712 registers.edi: 1968898280 registers.eax: 28758 registers.ebp: 3992367124 registers.edx: 1900544 registers.ebx: 902556667 registers.esi: 2375136 registers.ecx: 1969094656	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 51 e9 2d f9 ff ff 5a e9 e5 f8 ff ff b8 3c af exception.symbol: sand+0x6d818 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 448536 exception.address: 0x23d818 registers.esp: 9436712 registers.edi: 1968898280 registers.eax: 4294941264 registers.ebp: 3992367124 registers.edx: 233705 registers.ebx: 902556667 registers.esi: 2375136 registers.ecx: 1969094656	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 e9 5b 02 00 00 ff 34 24 58 81 c4 exception.symbol: sand+0x6dede exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 450270 exception.address: 0x23dede registers.esp: 9436712 registers.edi: 2379921 registers.eax: 29521 registers.ebp: 3992367124 registers.edx: 2145175296 registers.ebx: 758756352 registers.esi: 1259 registers.ecx: 4294940772	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 50 e9 b3 f7 ff ff 54 5e e9 06 fe ff ff 29 c1 exception.symbol: sand+0x1f14f9 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2036985 exception.address: 0x3c14f9 registers.esp: 9436708 registers.edi: 2385543 registers.eax: 30582 registers.ebp: 3992367124 registers.edx: 2130566132 registers.ebx: 45023919 registers.esi: 3918959 registers.ecx: 3935202	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 52 50 b8 e0 5a a9 04 89 44 24 04 8b 04 24 83 exception.symbol: sand+0x1f0c55 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2034773 exception.address: 0x3c0c55 registers.esp: 9436712 registers.edi: 2385543 registers.eax: 30582 registers.ebp: 3992367124 registers.edx: 2130566132 registers.ebx: 45023919 registers.esi: 3918959 registers.ecx: 3965784	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 68 d7 c2 47 5b 89 1c 24 bb 7f 5c f7 7f e9 0b exception.symbol: sand+0x1f108b exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2035851 exception.address: 0x3c108b registers.esp: 9436712 registers.edi: 512233 registers.eax: 30582 registers.ebp: 3992367124 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 3918959 registers.ecx: 3938016	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 68 7b 7c 46 72 89 34 24 e9 70 fa ff ff be cb exception.symbol: sand+0x1f3819 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2045977 exception.address: 0x3c3819 registers.esp: 9436712 registers.edi: 3942499 registers.eax: 32501 registers.ebp: 3992367124 registers.edx: 9041 registers.ebx: 3975964 registers.esi: 9041 registers.ecx: 0	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 68 00 38 6a 59 89 04 24 89 e0 51 e9 7f 08 00 exception.symbol: sand+0x1f2efb exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2043643 exception.address: 0x3c2efb registers.esp: 9436712 registers.edi: 3942499 registers.eax: 32501 registers.ebp: 3992367124 registers.edx: 4294938080 registers.ebx: 3975964 registers.esi: 50665 registers.ecx: 0	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 29 c9 e9 3a 00 00 00 68 aa e4 5d 7c 58 09 c1 exception.symbol: sand+0x1f5280 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2052736 exception.address: 0x3c5280 registers.esp: 9436712 registers.edi: 13250062 registers.eax: 27966 registers.ebp: 3992367124 registers.edx: 1994497242 registers.ebx: 132969275 registers.esi: 3979242 registers.ecx: 1969148396	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 55 e9 99 fe ff ff exception.symbol: sand+0x1f54de exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2053342 exception.address: 0x3c54de registers.esp: 9436712 registers.edi: 13250062 registers.eax: 27966 registers.ebp: 3992367124 registers.edx: 1994497242 registers.ebx: 1259 registers.esi: 3979242 registers.ecx: 4294941952	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 bf 18 00 00 42 81 ea exception.symbol: sand+0x1fe4d4 exception.instruction: in eax, dx exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2090196 exception.address: 0x3ce4d4 registers.esp: 9436704 registers.edi: 13250062 registers.eax: 1447909480 registers.ebp: 3992367124 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 3981226 registers.ecx: 20	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: sand+0x1fd38a exception.address: 0x3cd38a exception.module: sand.exe exception.exception_code: 0xc000001d exception.offset: 2085770 registers.esp: 9436704 registers.edi: 13250062 registers.eax: 1 registers.ebp: 3992367124 registers.edx: 22104 registers.ebx: 0 registers.esi: 3981226 registers.ecx: 20	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 a5 28 2d 12 01 exception.symbol: sand+0x1fdcde exception.instruction: in eax, dx exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2088158 exception.address: 0x3cdcde registers.esp: 9436704 registers.edi: 13250062 registers.eax: 1447909480 registers.ebp: 3992367124 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 3981226 registers.ecx: 10	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 51 e8 03 00 00 00 20 59 c3 59 exception.symbol: sand+0x204593 exception.instruction: int 1 exception.module: sand.exe exception.exception_code: 0xc0000005 exception.offset: 2114963 exception.address: 0x3d4593 registers.esp: 9436672 registers.edi: 0 registers.eax: 9436672 registers.ebp: 3992367124 registers.edx: 17596 registers.ebx: 4015913 registers.esi: 18217 registers.ecx: 4015292	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 68 34 69 99 1b 89 04 24 89 e0 e9 5d 00 00 00 exception.symbol: sand+0x204e5a exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2117210 exception.address: 0x3d4e5a registers.esp: 9436712 registers.edi: 13250062 registers.eax: 4048174 registers.ebp: 3992367124 registers.edx: 6379 registers.ebx: 4294938796 registers.esi: 2721715807 registers.ecx: 2088501248	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 50 e9 df 06 00 00 54 59 81 c1 04 00 00 00 81 exception.symbol: sand+0x213a53 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2177619 exception.address: 0x3e3a53 registers.esp: 9436712 registers.edi: 2339390 registers.eax: 30553 registers.ebp: 3992367124 registers.edx: 6 registers.ebx: 19261346 registers.esi: 4108303 registers.ecx: 0	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 16 8f de 5e 89 34 24 68 1a 30 3d exception.symbol: sand+0x213af3 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2177779 exception.address: 0x3e3af3 registers.esp: 9436712 registers.edi: 3923872081 registers.eax: 0 registers.ebp: 3992367124 registers.edx: 6 registers.ebx: 19261346 registers.esi: 4080943 registers.ecx: 0	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 52 89 1c 24 89 14 24 e9 81 fe ff ff 5c 53 50 exception.symbol: sand+0x219ec6 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2203334 exception.address: 0x3e9ec6 registers.esp: 9436700 registers.edi: 3923872081 registers.eax: 29815 registers.ebp: 3992367124 registers.edx: 1043012196 registers.ebx: 527383049 registers.esi: 4080943 registers.ecx: 4102103	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb e9 df 05 00 00 87 2c 24 5c 52 e9 b0 03 00 00 exception.symbol: sand+0x219969 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2201961 exception.address: 0x3e9969 registers.esp: 9436704 registers.edi: 3923872081 registers.eax: 29815 registers.ebp: 3992367124 registers.edx: 1043012196 registers.ebx: 527383049 registers.esi: 4080943 registers.ecx: 4131918	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 56 89 14 24 e9 9b 03 00 00 89 fe 5f 83 c6 ff exception.symbol: sand+0x219c4a exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2202698 exception.address: 0x3e9c4a registers.esp: 9436704 registers.edi: 3923872081 registers.eax: 4294940104 registers.ebp: 3992367124 registers.edx: 1043012196 registers.ebx: 322689 registers.esi: 4080943 registers.ecx: 4131918	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 53 e9 ec 01 00 00 ff 0c 24 87 3c 24 f7 d7 87 exception.symbol: sand+0x21a5fa exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2205178 exception.address: 0x3ea5fa registers.esp: 9436700 registers.edi: 3923872081 registers.eax: 4105149 registers.ebp: 3992367124 registers.edx: 1043012196 registers.ebx: 964290386 registers.esi: 4080943 registers.ecx: 1456481679	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 53 54 5b 56 be c0 5d f9 3e e9 47 f4 ff ff 89 exception.symbol: sand+0x21b0be exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2207934 exception.address: 0x3eb0be registers.esp: 9436704 registers.edi: 3923872081 registers.eax: 4133707 registers.ebp: 3992367124 registers.edx: 1043012196 registers.ebx: 964290386 registers.esi: 4080943 registers.ecx: 1456481679	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 56 68 f7 e1 cc 57 89 14 24 81 ec 04 00 00 00 exception.symbol: sand+0x21ab15 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2206485 exception.address: 0x3eab15 registers.esp: 9436704 registers.edi: 3923872081 registers.eax: 4108539 registers.ebp: 3992367124 registers.edx: 1043012196 registers.ebx: 0 registers.esi: 4080943 registers.ecx: 84201	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 55 89 34 24 be 83 88 3f 2b 81 ee b3 41 9f 3b exception.symbol: sand+0x21f6c7 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2225863 exception.address: 0x3ef6c7 registers.esp: 9436700 registers.edi: 3923872081 registers.eax: 4124993 registers.ebp: 3992367124 registers.edx: 2130566132 registers.ebx: 289296042 registers.esi: 4080943 registers.ecx: 2088501248	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb ba 4c 9b 9d 6f 83 ea 01 52 f7 14 24 5a 83 ea exception.symbol: sand+0x21f5c1 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2225601 exception.address: 0x3ef5c1 registers.esp: 9436704 registers.edi: 0 registers.eax: 4127852 registers.ebp: 3992367124 registers.edx: 2130566132 registers.ebx: 1783979243 registers.esi: 4080943 registers.ecx: 2088501248	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 52 ba 5c db df 6b 29 d0 5a 03 04 24 52 ba 1b exception.symbol: sand+0x22bc6e exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2276462 exception.address: 0x3fbc6e registers.esp: 9436700 registers.edi: 2147344213 registers.eax: 4176839 registers.ebp: 3992367124 registers.edx: 2130566132 registers.ebx: 2147483645 registers.esi: 4286854489 registers.ecx: 2134741213	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 89 3c 24 e9 1a 00 exception.symbol: sand+0x22c4fc exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2278652 exception.address: 0x3fc4fc registers.esp: 9436704 registers.edi: 2147344213 registers.eax: 4206169 registers.ebp: 3992367124 registers.edx: 2130566132 registers.ebx: 2147483645 registers.esi: 4286854489 registers.ecx: 2134741213	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 68 60 f3 ca 1d 89 04 24 83 ec 04 89 04 24 e9 exception.symbol: sand+0x22bf2c exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2277164 exception.address: 0x3fbf2c registers.esp: 9436704 registers.edi: 2147344213 registers.eax: 4180085 registers.ebp: 3992367124 registers.edx: 2130566132 registers.ebx: 0 registers.esi: 4286854489 registers.ecx: 1358981728	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb e9 ba ff ff ff c7 04 24 30 b5 c7 78 89 04 24 exception.symbol: sand+0x242342 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2368322 exception.address: 0x412342 registers.esp: 9436672 registers.edi: 4269709 registers.eax: 29942 registers.ebp: 3992367124 registers.edx: 0 registers.ebx: 4261495 registers.esi: 1459645024 registers.ecx: 2088501248	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 68 14 34 2f 2b e9 7d ff ff ff be e1 73 69 4f exception.symbol: sand+0x2433d1 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2372561 exception.address: 0x4133d1 registers.esp: 9436672 registers.edi: 232903481 registers.eax: 26518 registers.ebp: 3992367124 registers.edx: 62948 registers.ebx: 1911637819 registers.esi: 4269740 registers.ecx: 4297245	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 89 1c 24 50 51 e9 8f fe ff exception.symbol: sand+0x242c17 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2370583 exception.address: 0x412c17 registers.esp: 9436672 registers.edi: 232903481 registers.eax: 26518 registers.ebp: 3992367124 registers.edx: 62948 registers.ebx: 0 registers.esi: 15526224 registers.ecx: 4273613	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 51 b9 5b d6 c5 79 51 b9 f7 3a 7f 50 81 e9 7f exception.symbol: sand+0x2454ba exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2380986 exception.address: 0x4154ba registers.esp: 9436668 registers.edi: 232903481 registers.eax: 29054 registers.ebp: 3992367124 registers.edx: 62948 registers.ebx: 4279722 registers.esi: 244154116 registers.ecx: 4340849	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb e9 42 05 00 00 31 14 24 33 14 24 8b 24 24 e9 exception.symbol: sand+0x244dca exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2379210 exception.address: 0x414dca registers.esp: 9436672 registers.edi: 232903481 registers.eax: 29054 registers.ebp: 3992367124 registers.edx: 62948 registers.ebx: 4308776 registers.esi: 244154116 registers.ecx: 4340849	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb e9 68 02 00 00 31 d1 5a 81 f1 cd 66 c5 e8 89 exception.symbol: sand+0x244e9e exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2379422 exception.address: 0x414e9e registers.esp: 9436672 registers.edi: 232903481 registers.eax: 1342204512 registers.ebp: 3992367124 registers.edx: 62948 registers.ebx: 4282616 registers.esi: 244154116 registers.ecx: 0	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb e9 85 01 00 00 31 c6 58 53 89 e3 68 88 5a 32 exception.symbol: sand+0x246238 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2384440 exception.address: 0x416238 registers.esp: 9436672 registers.edi: 232903481 registers.eax: 31639 registers.ebp: 3992367124 registers.edx: 4316364 registers.ebx: 4282616 registers.esi: 244154116 registers.ecx: 0	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb e9 c6 01 00 00 50 b8 04 00 00 00 01 c2 e9 78 exception.symbol: sand+0x2462e3 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2384611 exception.address: 0x4162e3 registers.esp: 9436672 registers.edi: 232903481 registers.eax: 31639 registers.ebp: 3992367124 registers.edx: 4316364 registers.ebx: 4294938644 registers.esi: 44777 registers.ecx: 0	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 57 bf fe 7c fe 3f e9 c6 01 00 00 53 e9 00 00 exception.symbol: sand+0x24ab05 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2403077 exception.address: 0x41ab05 registers.esp: 9436668 registers.edi: 232903481 registers.eax: 32248 registers.ebp: 3992367124 registers.edx: 4302557 registers.ebx: 2349377 registers.esi: 44777 registers.ecx: 1971716238	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb b8 f0 b8 ea 0d 56 be 0a 2c f7 59 81 f6 77 e3 exception.symbol: sand+0x24af5b exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2404187 exception.address: 0x41af5b registers.esp: 9436672 registers.edi: 232903481 registers.eax: 32248 registers.ebp: 3992367124 registers.edx: 4334805 registers.ebx: 2349377 registers.esi: 44777 registers.ecx: 1971716238	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 e1 7d d9 65 58 40 e9 55 02 00 00 exception.symbol: sand+0x24aa0d exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2402829 exception.address: 0x41aa0d registers.esp: 9436672 registers.edi: 232903481 registers.eax: 4294937624 registers.ebp: 3992367124 registers.edx: 4334805 registers.ebx: 2349377 registers.esi: 101353 registers.ecx: 1971716238	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 81 c6 3f dd 7b 6f 81 ee 66 84 3f 76 e9 9d fa exception.symbol: sand+0x24db43 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2415427 exception.address: 0x41db43 registers.esp: 9436668 registers.edi: 4313292 registers.eax: 29135 registers.ebp: 3992367124 registers.edx: 2349378 registers.ebx: 2349378 registers.esi: 4313943 registers.ecx: 1732638305	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 55 bd c4 8a d6 08 55 55 bd 58 48 db 78 29 6c exception.symbol: sand+0x24d5d1 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2414033 exception.address: 0x41d5d1 registers.esp: 9436672 registers.edi: 4313292 registers.eax: 29135 registers.ebp: 3992367124 registers.edx: 2349378 registers.ebx: 2349378 registers.esi: 4343078 registers.ecx: 1732638305	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 50 e9 25 fc ff ff 68 ca 55 89 10 89 04 24 e9 exception.symbol: sand+0x24d7a1 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2414497 exception.address: 0x41d7a1 registers.esp: 9436672 registers.edi: 0 registers.eax: 29135 registers.ebp: 3992367124 registers.edx: 2349378 registers.ebx: 2349378 registers.esi: 4316810 registers.ecx: 21883218	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 57 e9 3c 00 00 00 ff 34 24 ff 34 24 5d 83 c4 exception.symbol: sand+0x24e2fe exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2417406 exception.address: 0x41e2fe registers.esp: 9436672 registers.edi: 0 registers.eax: 27653 registers.ebp: 3992367124 registers.edx: 4344905 registers.ebx: 1600371775 registers.esi: 4316810 registers.ecx: 2104113000	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb e9 1d f9 ff ff 4d 81 e5 69 3d d3 7f c1 e5 02 exception.symbol: sand+0x24ea04 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2419204 exception.address: 0x41ea04 registers.esp: 9436672 registers.edi: 0 registers.eax: 27653 registers.ebp: 3992367124 registers.edx: 4320457 registers.ebx: 157417 registers.esi: 4316810 registers.ecx: 2104113000	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 68 60 7a 0c 18 89 04 24 89 14 24 89 3c 24 68 exception.symbol: sand+0x26c99e exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2541982 exception.address: 0x43c99e registers.esp: 9436672 registers.edi: 0 registers.eax: 32126 registers.ebp: 3992367124 registers.edx: 4444713 registers.ebx: 1971716070 registers.esi: 3135853651 registers.ecx: 0	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 68 1a 99 c9 16 89 1c 24 50 b8 0d 1e 7f 7f 89 exception.symbol: sand+0x26dbb4 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2546612 exception.address: 0x43dbb4 registers.esp: 9436672 registers.edi: 4475010 registers.eax: 29864 registers.ebp: 3992367124 registers.edx: 28467384 registers.ebx: 1588778816 registers.esi: 3135853651 registers.ecx: 0	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb e9 ff fb ff ff 05 42 d1 27 1f e9 1c 02 00 00 exception.symbol: sand+0x26dab3 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2546355 exception.address: 0x43dab3 registers.esp: 9436672 registers.edi: 4475010 registers.eax: 29864 registers.ebp: 3992367124 registers.edx: 28467384 registers.ebx: 4294940420 registers.esi: 3135853651 registers.ecx: 82608470	1
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: fb 68 71 cd c1 27 89 2c 24 54 5d e9 59 01 00 00 exception.symbol: sand+0x2735f6 exception.instruction: sti exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2569718 exception.address: 0x4435f6 registers.esp: 9436672 registers.edi: 4472812 registers.eax: 0 registers.ebp: 3992367124 registers.edx: 2130566132 registers.ebx: 392254056 registers.esi: 3135853651 registers.ecx: 2088501248	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (11 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.19/Vi9leo/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/cost/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/steam/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/soka/random.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.16/Jo89Ku7d/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/GOLD.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/4434.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/crypteda.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/25072023.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/pered.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/inc/2020.exe

Performs some HTTP requests (11 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	GET http://185.215.113.16/cost/random.exe
request	GET http://185.215.113.16/steam/random.exe
request	GET http://185.215.113.16/soka/random.exe
request	POST http://185.215.113.16/Jo89Ku7d/index.php
request	GET http://185.215.113.16/inc/GOLD.exe
request	GET http://185.215.113.16/inc/4434.exe
request	GET http://185.215.113.16/inc/crypteda.exe
request	GET http://185.215.113.16/inc/25072023.exe
request	GET http://185.215.113.16/inc/pered.exe
request	GET http://185.215.113.16/inc/2020.exe

Sends data using the HTTP POST Method (2 events)

request	POST http://185.215.113.19/Vi9leo/index.php
request	POST http://185.215.113.16/Jo89Ku7d/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 259 events)

Time & API	Arguments	Status
NtProtectVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x001d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73402000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2556 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x032b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:26 a.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000046c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00321000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02230000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02240000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02250000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02310000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02330000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x023c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 31, 2024, 7:25 a.m.	process_identifier: 2816 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	axplong.exe tried to sleep 817 seconds, actually delayed analysis time by 817 seconds
description	explorti.exe tried to sleep 1149 seconds, actually delayed analysis time by 1149 seconds

Creates executable files on the filesystem (50 out of 54 events)

file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\_pytransform.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\1000012001\2020.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\libffi-7.dll
file	C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\1000029002\ab417aa83e.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\python310.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\VCRUNTIME140.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\libssl-1_1.dll
file	C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\ucrtbase.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\1000030001\22fc86ad3a.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Local\Temp\1000003001\4434.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\python3.dll
file	C:\Users\test22\AppData\Local\Temp\1000002001\GOLD.exe
file	C:\Users\test22\AppData\Local\Temp\_MEI13042\api-ms-win-core-libraryloader-l1-1-0.dll

Creates hidden or system file (4 events)

Time & API	Arguments	Return
NtCreateFile July 31, 2024, 7:26 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 31, 2024, 7:26 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 31, 2024, 7:26 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile July 31, 2024, 7:26 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525

Drops a binary and executes it (8 events)

file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\1000029002\ab417aa83e.exe
file	C:\Users\test22\AppData\Local\Temp\1000030001\22fc86ad3a.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\GOLD.exe
file	C:\Users\test22\AppData\Local\Temp\1000003001\4434.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe
file	C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\1000003001\4434.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\GOLD.exe
file	C:\Users\test22\AppData\Local\Temp\1000030001\22fc86ad3a.exe
file	C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
ShellExecuteExW July 31, 2024, 7:25 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe	1	1
ShellExecuteExW July 31, 2024, 7:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\1000029002\ab417aa83e.exe parameters: filepath: C:\Users\test22\1000029002\ab417aa83e.exe	1	1
ShellExecuteExW July 31, 2024, 7:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000030001\22fc86ad3a.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000030001\22fc86ad3a.exe	1	1
ShellExecuteExW July 31, 2024, 7:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe	1	1
ShellExecuteExW July 31, 2024, 7:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000002001\GOLD.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000002001\GOLD.exe	1	1
ShellExecuteExW July 31, 2024, 7:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000003001\4434.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000003001\4434.exe	1	1
ShellExecuteExW July 31, 2024, 7:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe	1	1
ShellExecuteExW July 31, 2024, 7:26 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe	1	1
ShellExecuteExW July 31, 2024, 7:27 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe	1	1

An executable file was downloaded by the processes explorti.exe, axplong.exe (12 events)

Time & API	Arguments	Status	Return
InternetReadFile July 31, 2024, 7:25 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELb@]à2V0@ \|qÈpt,.codeð78 `.textÂÒPÔ< `.rdata304@@.data,pD@À.rsrcV@@h¬hhAè\@ÄhèU@£AhhhèB@£Aè¼?¸pA£4AèÝÍèIËèCèÇèZèÔèøèx}è@CèÃ¶èk¡º.pA AèÓ?hõÿÿÿèã?£<A¸P¸AP1ÀPhhèÿ5 AèhhxpA APhè_ÿ5¨AèæhhppA¨APhè9hAhpAhh¡hèÊº:pA lAè+?ÿ5°AèhhppA°APhèå;@PèÁRèÍZPèÅhHAè:Íè XAûuèfèS,hèè±Ìÿ5AèÎ>èÏ>èµAèèçè½èìÀèSÃUSWºìÇ$JuóT$X$èa>ÿ4$èùDD$ÿt$èLD$T$RhhhhèÉT$RhhhhèvÉÇD$ÇD$ ÇD$$ÇD$(ÇD$,ÇD$0ÇD$ ÇD$ ÿt$XD$4ÿt$XD$8ÇD$ë¸ÿ;D$\|Tÿt$l$8XE\$4Ã\$4l$8¾]!Ûu ÿt$XD$8l$8¾EP\$ l$ÁãXD\$8C\$8ÿD$q¡ÇD$ ÇD$ë¸ÿ;D$\|m\$ \|$l$Áç\=\|$l$Áç\=ãÿ\$ \$l$ÁãÿtXD$,\$ Áãÿt\$ ÁãXDÿt$,\$$ÁãXDÿD$qÇD$ÇD$ ÿt$PXD$<ÇD$(ë\$TK;\$(Ã\$Cãÿ\$\$ \|$l$Áç\=ãÿ\$ \$ÁãÿtXD$,\$ Áãÿt\$ ÁãXDÿt$,\$$ÁãXD\$Áã\\|$ Áç\|=çÿûãÿ\$$\$$ÁãÿtXD$0l$<¾]3\$0Sl$@XE\$<C\$<ÿD$(.ÿÿÿT$RhhhhèÇT$RhhhhèÇÿt$èD$Pë1Àÿ4$èmÊPÿt$è0Èÿt$è'ÈXÄ@_[]ÂUSºìÇ$Juóè§ÊAû2\|AûuhAût¸ë1À!À¸&pAPÿ5AèB$ÇD$ë$;D$RèÉZPRèøÈZP¸fpAPÿt$ÿ5AèQBD$PèÉÿt$èé!ÀtLRèÄÈZPÿt$è3D$PèïÈT$Rè¥ÈZPRè=ÊT$Rè3ÊºfpARè(ÊD$Pè¾ÈÿD$aÿÿÿÿt$èë@D$hD$Pÿt$è4Pÿt$ ÿ5<AèX:ÿt$è;º$pA Aè:éÎÇAÇD$RèÈZPRèÈZP¸.pAPÿt$(ÿ5$Aè_AD$Pè%È¸2pAPÿt$èCD$ \|$ t\RèÅÇZPRè½ÇZP¸2pAPhÿt$ èAD$(PèÝÇRèÇZPRèÇZP¸2pAPhÿt$ èé@D$Pè¯ÇT$1Éè:î\$Ø¹÷ùÓ!Ûu+ÿt$è¡BP\$-AkÛÝXE\$C\$éRèÇZPRèÇZPhÿt$è¡CèüÈº6pAYQèÐ9Áè9´PARè×ÆZPRèoÈlARècÈRè½ÆZPRèµÆZP¸6pAPÿt$ èÄEXD$,PèÙÆÿt$(èÕAûuÿt$$èÜAPÿt$,è7ÿt$(è'$ARè]ÆZPRèõÇT$,RèëÇºfpARèàÇAPètÆé½Rè)ÆZPRè!ÆZP¸6pAPÿt$è0ED$PèFÆT$RèüÅZPRèÇ\$-AkÛÝEPèÆÿt$$è3AP\$-AkÛÝXEARè³ÅZPRèKÇPARè?ÇlARè3ÇT$Rè)ÇºfpARèÇAPè²Åëë\$C\$éLýÿÿD$ë1Àÿt$èÆÿt$(èÆÿt$è Æÿt$$èÆÿt$èûÅÄ,[]ÃS1ÀPPPPPPèWÆ¸qA£4AÇ$ë¸;$\|d¡4A¾D$ÿ4ARèâÄZPRèÚÄZP\$kÛÿSèDD$PèÅT$Rè·ÄZPRèOÆT$RèEÆD$PèÛÄÿ$qhè¬D$RèÄZPRèzÄZPèID$Pè©Äÿt$h¸$pAPÿt$ èk6RèKÄZPRèCÄZPÿt$èxxAPèlÄÿ5xAèÿ5xAè[ÿt$h¸$pAPÿ5xAè6RèöÃZPRèîÃZPÿt$è#,APèÄÿ5,Aè3ÿ5,Aèÿt$h¸$pAPÿ5,AèÁ5ÿ5,Aèw8RèÃZPRèÃZPÿt$èÃ@APè·Ãÿ5@AèÓÿt$ÿ5@Aè>8ÿt$h¸$pAPÿ5,Aè]5Rè=ÃZPRè5ÃZPÿt$èjpAPè^Ãÿt$èë1Àÿt$èØÃÿt$èÏÃÿt$èÆÃÄ[ÃUS1ÀPPPPPPè"ÄRèÜÂZPhhRèÊÂZPRèÂÂZPèÓzè¸5$èÎ4èÉ5$h !@Pÿt$è·4ÿ4$èµ4ÿ5°AèA request_handle: 0x00cc000c	1	1
InternetReadFile July 31, 2024, 7:25 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELb@]à2V0@ \|qÈpt,.codeð78 `.textÂÒPÔ< `.rdata304@@.data,pD@À.rsrcV@@h¬hhAè\@ÄhèU@£AhhhèB@£Aè¼?¸pA£4AèÝÍèIËèCèÇèZèÔèøèx}è@CèÃ¶èk¡º.pA AèÓ?hõÿÿÿèã?£<A¸P¸AP1ÀPhhèÿ5 AèhhxpA APhè_ÿ5¨AèæhhppA¨APhè9hAhpAhh¡hèÊº:pA lAè+?ÿ5°AèhhppA°APhèå;@PèÁRèÍZPèÅhHAè:Íè XAûuèfèS,hèè±Ìÿ5AèÎ>èÏ>èµAèèçè½èìÀèSÃUSWºìÇ$JuóT$X$èa>ÿ4$èùDD$ÿt$èLD$T$RhhhhèÉT$RhhhhèvÉÇD$ÇD$ ÇD$$ÇD$(ÇD$,ÇD$0ÇD$ ÇD$ ÿt$XD$4ÿt$XD$8ÇD$ë¸ÿ;D$\|Tÿt$l$8XE\$4Ã\$4l$8¾]!Ûu ÿt$XD$8l$8¾EP\$ l$ÁãXD\$8C\$8ÿD$q¡ÇD$ ÇD$ë¸ÿ;D$\|m\$ \|$l$Áç\=\|$l$Áç\=ãÿ\$ \$l$ÁãÿtXD$,\$ Áãÿt\$ ÁãXDÿt$,\$$ÁãXDÿD$qÇD$ÇD$ ÿt$PXD$<ÇD$(ë\$TK;\$(Ã\$Cãÿ\$\$ \|$l$Áç\=ãÿ\$ \$ÁãÿtXD$,\$ Áãÿt\$ ÁãXDÿt$,\$$ÁãXD\$Áã\\|$ Áç\|=çÿûãÿ\$$\$$ÁãÿtXD$0l$<¾]3\$0Sl$@XE\$<C\$<ÿD$(.ÿÿÿT$RhhhhèÇT$RhhhhèÇÿt$èD$Pë1Àÿ4$èmÊPÿt$è0Èÿt$è'ÈXÄ@_[]ÂUSºìÇ$Juóè§ÊAû2\|AûuhAût¸ë1À!À¸&pAPÿ5AèB$ÇD$ë$;D$RèÉZPRèøÈZP¸fpAPÿt$ÿ5AèQBD$PèÉÿt$èé!ÀtLRèÄÈZPÿt$è3D$PèïÈT$Rè¥ÈZPRè=ÊT$Rè3ÊºfpARè(ÊD$Pè¾ÈÿD$aÿÿÿÿt$èë@D$hD$Pÿt$è4Pÿt$ ÿ5<AèX:ÿt$è;º$pA Aè:éÎÇAÇD$RèÈZPRèÈZP¸.pAPÿt$(ÿ5$Aè_AD$Pè%È¸2pAPÿt$èCD$ \|$ t\RèÅÇZPRè½ÇZP¸2pAPhÿt$ èAD$(PèÝÇRèÇZPRèÇZP¸2pAPhÿt$ èé@D$Pè¯ÇT$1Éè:î\$Ø¹÷ùÓ!Ûu+ÿt$è¡BP\$-AkÛÝXE\$C\$éRèÇZPRèÇZPhÿt$è¡CèüÈº6pAYQèÐ9Áè9´PARè×ÆZPRèoÈlARècÈRè½ÆZPRèµÆZP¸6pAPÿt$ èÄEXD$,PèÙÆÿt$(èÕAûuÿt$$èÜAPÿt$,è7ÿt$(è'$ARè]ÆZPRèõÇT$,RèëÇºfpARèàÇAPètÆé½Rè)ÆZPRè!ÆZP¸6pAPÿt$è0ED$PèFÆT$RèüÅZPRèÇ\$-AkÛÝEPèÆÿt$$è3AP\$-AkÛÝXEARè³ÅZPRèKÇPARè?ÇlARè3ÇT$Rè)ÇºfpARèÇAPè²Åëë\$C\$éLýÿÿD$ë1Àÿt$èÆÿt$(èÆÿt$è Æÿt$$èÆÿt$èûÅÄ,[]ÃS1ÀPPPPPPèWÆ¸qA£4AÇ$ë¸;$\|d¡4A¾D$ÿ4ARèâÄZPRèÚÄZP\$kÛÿSèDD$PèÅT$Rè·ÄZPRèOÆT$RèEÆD$PèÛÄÿ$qhè¬D$RèÄZPRèzÄZPèID$Pè©Äÿt$h¸$pAPÿt$ èk6RèKÄZPRèCÄZPÿt$èxxAPèlÄÿ5xAèÿ5xAè[ÿt$h¸$pAPÿ5xAè6RèöÃZPRèîÃZPÿt$è#,APèÄÿ5,Aè3ÿ5,Aèÿt$h¸$pAPÿ5,AèÁ5ÿ5,Aèw8RèÃZPRèÃZPÿt$èÃ@APè·Ãÿ5@AèÓÿt$ÿ5@Aè>8ÿt$h¸$pAPÿ5,Aè]5Rè=ÃZPRè5ÃZPÿt$èjpAPè^Ãÿt$èë1Àÿt$èØÃÿt$èÏÃÿt$èÆÃÄ[ÃUS1ÀPPPPPPè"ÄRèÜÂZPhhRèÊÂZPRèÂÂZPèÓzè¸5$èÎ4èÉ5$h !@Pÿt$è·4ÿ4$èµ4ÿ5°AèA request_handle: 0x00cc000c	1	1
InternetReadFile July 31, 2024, 7:25 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELb@]à2V0@ \|qÈpt,.codeð78 `.textÂÒPÔ< `.rdata304@@.data,pD@À.rsrcV@@h¬hhAè\@ÄhèU@£AhhhèB@£Aè¼?¸pA£4AèÝÍèIËèCèÇèZèÔèøèx}è@CèÃ¶èk¡º.pA AèÓ?hõÿÿÿèã?£<A¸P¸AP1ÀPhhèÿ5 AèhhxpA APhè_ÿ5¨AèæhhppA¨APhè9hAhpAhh¡hèÊº:pA lAè+?ÿ5°AèhhppA°APhèå;@PèÁRèÍZPèÅhHAè:Íè XAûuèfèS,hèè±Ìÿ5AèÎ>èÏ>èµAèèçè½èìÀèSÃUSWºìÇ$JuóT$X$èa>ÿ4$èùDD$ÿt$èLD$T$RhhhhèÉT$RhhhhèvÉÇD$ÇD$ ÇD$$ÇD$(ÇD$,ÇD$0ÇD$ ÇD$ ÿt$XD$4ÿt$XD$8ÇD$ë¸ÿ;D$\|Tÿt$l$8XE\$4Ã\$4l$8¾]!Ûu ÿt$XD$8l$8¾EP\$ l$ÁãXD\$8C\$8ÿD$q¡ÇD$ ÇD$ë¸ÿ;D$\|m\$ \|$l$Áç\=\|$l$Áç\=ãÿ\$ \$l$ÁãÿtXD$,\$ Áãÿt\$ ÁãXDÿt$,\$$ÁãXDÿD$qÇD$ÇD$ ÿt$PXD$<ÇD$(ë\$TK;\$(Ã\$Cãÿ\$\$ \|$l$Áç\=ãÿ\$ \$ÁãÿtXD$,\$ Áãÿt\$ ÁãXDÿt$,\$$ÁãXD\$Áã\\|$ Áç\|=çÿûãÿ\$$\$$ÁãÿtXD$0l$<¾]3\$0Sl$@XE\$<C\$<ÿD$(.ÿÿÿT$RhhhhèÇT$RhhhhèÇÿt$èD$Pë1Àÿ4$èmÊPÿt$è0Èÿt$è'ÈXÄ@_[]ÂUSºìÇ$Juóè§ÊAû2\|AûuhAût¸ë1À!À¸&pAPÿ5AèB$ÇD$ë$;D$RèÉZPRèøÈZP¸fpAPÿt$ÿ5AèQBD$PèÉÿt$èé!ÀtLRèÄÈZPÿt$è3D$PèïÈT$Rè¥ÈZPRè=ÊT$Rè3ÊºfpARè(ÊD$Pè¾ÈÿD$aÿÿÿÿt$èë@D$hD$Pÿt$è4Pÿt$ ÿ5<AèX:ÿt$è;º$pA Aè:éÎÇAÇD$RèÈZPRèÈZP¸.pAPÿt$(ÿ5$Aè_AD$Pè%È¸2pAPÿt$èCD$ \|$ t\RèÅÇZPRè½ÇZP¸2pAPhÿt$ èAD$(PèÝÇRèÇZPRèÇZP¸2pAPhÿt$ èé@D$Pè¯ÇT$1Éè:î\$Ø¹÷ùÓ!Ûu+ÿt$è¡BP\$-AkÛÝXE\$C\$éRèÇZPRèÇZPhÿt$è¡CèüÈº6pAYQèÐ9Áè9´PARè×ÆZPRèoÈlARècÈRè½ÆZPRèµÆZP¸6pAPÿt$ èÄEXD$,PèÙÆÿt$(èÕAûuÿt$$èÜAPÿt$,è7ÿt$(è'$ARè]ÆZPRèõÇT$,RèëÇºfpARèàÇAPètÆé½Rè)ÆZPRè!ÆZP¸6pAPÿt$è0ED$PèFÆT$RèüÅZPRèÇ\$-AkÛÝEPèÆÿt$$è3AP\$-AkÛÝXEARè³ÅZPRèKÇPARè?ÇlARè3ÇT$Rè)ÇºfpARèÇAPè²Åëë\$C\$éLýÿÿD$ë1Àÿt$èÆÿt$(èÆÿt$è Æÿt$$èÆÿt$èûÅÄ,[]ÃS1ÀPPPPPPèWÆ¸qA£4AÇ$ë¸;$\|d¡4A¾D$ÿ4ARèâÄZPRèÚÄZP\$kÛÿSèDD$PèÅT$Rè·ÄZPRèOÆT$RèEÆD$PèÛÄÿ$qhè¬D$RèÄZPRèzÄZPèID$Pè©Äÿt$h¸$pAPÿt$ èk6RèKÄZPRèCÄZPÿt$èxxAPèlÄÿ5xAèÿ5xAè[ÿt$h¸$pAPÿ5xAè6RèöÃZPRèîÃZPÿt$è#,APèÄÿ5,Aè3ÿ5,Aèÿt$h¸$pAPÿ5,AèÁ5ÿ5,Aèw8RèÃZPRèÃZPÿt$èÃ@APè·Ãÿ5@AèÓÿt$ÿ5@Aè>8ÿt$h¸$pAPÿ5,Aè]5Rè=ÃZPRè5ÃZPÿt$èjpAPè^Ãÿt$èë1Àÿt$èØÃÿt$èÏÃÿt$èÆÃÄ[ÃUS1ÀPPPPPPè"ÄRèÜÂZPhhRèÊÂZPRèÂÂZPèÓzè¸5$èÎ4èÉ5$h !@Pÿt$è·4ÿ4$èµ4ÿ5°AèA request_handle: 0x00cc000c	1	1
InternetReadFile July 31, 2024, 7:26 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $_´Vå1çVå1çVå1ç9çOå1ç9¯çwå1ç9ç+å1ç_¢ç]å1çVå0çå1ç9çWå1ç9«çWå1ç9¬çWå1çRichVå1çPEL·×jeà ¤^@,ÞÀ@0Þ ¼.0/¼àBÔ\|°B@à@?ÀF@àBN@àBN@àÀ B N@à.rsrcàB~X@@x`C(Ö@à.data@"ð»2"þ@àW¦<Iië ß4=@Ú{Óy÷F~}¦´09;v BÙeö§É~±Ó3Eì}¡~ù¾Þ,yÌÙÖM A)å@;¦µÓï¿¹oüÙ!³3¥³ K`Ü26È Ò× ½AÀ$Èå½j¹f§%ÓÈ~.L3ë9_°B`pú'i)d¥sã¥¨WÝgówº'%!uEÞ¹É _ªi»KÿS7úÆË0ë9ÏX}nü£à!¨ÎÖew@@¨UAaÓ£ëúº³òNÈ\s@sÜ.ö(Å_TQÌ¾\|Qº«µ}ÞÍ¼T0Iu·Ïþôgú´¦lÁýÞ³³X>ÑÄmX1×ð71 B§Á·Å®ÂrÍÔ¢¶~ ÍÝ6ÞïÚC\x ø¨"ërº³(Ôp¤@Û!¦×%B¶ëÌÒÚy`pOW?\|Ãá}è6¾0·~@óî¾SýI½'»/Ó¡Ù0gÌG«dô¹ß#¾×¹>!öwéÌbUÛ¨ew¶(vá¬;Zä¯CCBøÈàncûËJNSª\|âábUFÄsQv¦¡fy9 Ý:üsíéçx,å¦^½ Å¥âåPP,Ø Ç6hgÝü÷®KEÙJgñO+ì¦.y±DÔ_ØÀY Ô¤'Õt3¬Axf£>ÎÉìäP{²¹ÔÅ[Z'DuÃÿÇf¾×7©Çq:1¤à¿O(Æ×?&AÓÐ¢ðõNßà° Ê.¥û½<©2{«ý¯÷¢/~íÞVì¸¶²ðC§(Uõ)o±jTÅxÃí#LçôG`óm_ú´ç¹#à¸·ñ mO&\VÙ7ë0<ª±²c-eE9´ÂËY; ÓÄ ÅºD×_ëØqÔ0;`Eµ1ÒóhÑO ØéðÄ8nA0F$9CÇûðþÛÈ²RY»+÷àÉ^ û¾uØúÓP}í¹ãöÊ]E¤gU=}ú¬ÌØu"üdùÄV8aCÀ6_¤Oîþz¥s¹hjT=1±òä¾ýGe{_¨,£1ûïMG·îï1¶RSÒ»n;ôÂ=ÊjXVÄÁn·¨~×$ÎO¯å_GýR\ì; Ýü%)Õu8Rc×ML¦_£·éë¼MûÆ¨ìî¥§¿}:ÇÐy3o´»{û¸\|höç[õÖÆZq[ºl9Ìëjt}ëO°W[Ïç\ó:a«©vçç¼qH²¬4úóà¿ä¶Í´¯¡ ª¿ µµp5;=`jSh])¸ôeðÊ§qXWm@¨ÐÆz<¿Ð.c'q_þºfñ(Ò2k÷hWäÞcÛÞ¡öc¶½û?öö^¸o9ÄpÝ»·UJHohÌ(l})¹]éú»dÇÐyGV9Ï÷;·wª\ëëû+uFSÓG¨^V#ÂNèÇ8ð!4>°eËút&l['ñZ ãÀ'ÍyzL£Ä'lL»Mv²Hñìf#æÁJìãºÒZú¹Õöñ¸wñé0EW\+.üL)öÁeËØvV¥uöÂ×¿i¼<¾3êWÈ{Å_z2ÇÇ²vâO¢ãþ¿çÊÅW' ÉÿÄ¼ÖQÝ'¿7õ³æ: ¡ò¡}µ-"ï·9À`á¹SjSvâjçÎ $Z8\_½Ï%¶:AdQj&Öjý «©Üzï¹©ºC»ÃgÚ"!DUª·4²í_ö6ì&èúM©lËQ4 3 ¦Zl#oÍ»®9ÆqgÔÓ}@VÖ!æßí&ÃêäÿÏÜÍ Æ¶D$tÀ3ÖÁl¹¹õÌãÖõ9'l+ÙÔl=¸aR£[+ÈÃé:5^®·´ÝBK\|±µtp/[0«T»à\|Î¾WÔ·+öôÃáÖÈvñEm9oÙgÿ-ÏX V0à±+®_"}ø'IäÄªæÞ<?6ÚwñTNz5(µõÅÑ. \|Ó2R:ë¡Î¯ Ê¸N%Ý»®4íö×Ðýôú×úø_1wê8WtÅ æ:fãxw¼oY5îí{µ ³öK\|Ñ)s¶¯Iöðdx?=".Mï')aÉ¾GçØÑ4° §þ×wÛ¾ÒøþJ®PEä¦jgErÌÄþíR(¹Ti@$ïhÿ¼Q=ÉL¸ôI£±Øîj, ?m\|ðôºÎ4\|EÏÏTôÕ2¸oþËb:±1W`?×í99^¥¬õK½Y_©ÇÃÙä,8?lgÕ^.jëpXêFo°ÈHKôýPRùï2ð=X¾ÔUäDBÌ)´ö%M`À<=´ÛÃÌÑdSÙÄýn©éÃÒ m[¸ÍfÚAÅ!äoGeÎÁOó3$®X wÖÓ\5]Ou$7u`ë;,tÞñ§ÌÕE;£ (fxöÚ[d¾âùÔ~eWdª-/½>:-^UíÊ&ìåËG¾ø=òz>ÃH y}<RE:e×ò±)Jÿ:÷Ñ¼Cã¸jpÌ×ry ¯@NZKÞ°UÀJË°_;N Vª}{s¿%4¡ÍøàóR¯ÜD2fÀUH«ÎÔöëÍR»ú<¼íekÓn;ÉÐ§¥TëÇßx5JOIW!ÐÕúM<3ªfÌJÞî+OÌhkð½¤VÎäªúbèGß tæc=²ÐÈÝù½IÅÇ!Ô°ä»úú«ôyfX7näg»KÈu{zLÆry°!Ã}>Nøs£-Ìý¯%°. ç"Z¢HÚåë¿$µÜyîï¾Ó>!¯Ü_êïÅÈlvâ²Ö}ËóH®ã¸¬¿ekóêÞ/ªzF=ÖcÖÕz@¡ZöS«2oÅÔ£·ùS¸®\¤üÆ »×Ò°h+W,nÒÁèpLÙÈòÏ§Ã(×î{>á¯a YºªGøù2xíß6)Mðgq];Ï±ªn¾Ñ¨¥qAÉ@P1iØÿ·ê¼&[üùLQÉÙüú&@tTÄ(=> ÚÉ.ÂèèK¤ËÔVO~Bþb?(Ée=Øñ2X§û-\| 9ücÁ÷->±\|ÏN-±èÿJõÍ! Ãõ¾o0´¶=:gù{í.wL&øêBÃ$§èûsºc¹öZÿ=¹p%itÿ°õ?¹}f#ÿgúiì5ä¢üçpâÛpE^^'àw¦îà!¼`kqÿ2ØÕ!èðOùS½G~²>Ãò:`¹S ÐÞé¹VB´-ÖxÙYS=·Ôä± tÞ8¼Z@¬á6J}©Î¸xð½pTîWÙAlï#åßÃõ÷¸RÃ_Jµ(ÜÔ¢«·1À£þMOV¸¤½<Q«ú\|Y5µ9PG8àT9Æ;gJV¶Ñ8TfõwÞï]mÓ¥Æ´c?V¬8»ýbRª^¢I¸¼EhbÐ+µâ¬ã\|f`¹-Ê·?²Ûý±r`L^¿wI/å§òJÓ®Åàïd[¶?®ÿ&5«FÁ<¦ÖÝÏe ` Túx¯pÏÂÿºl$¨SmJ«ìè\|SÒK 8n¿KËÄ°j®¹l'Ö ü .¼¥®¿\|'4;ß,ðÚìÐK²\|_pq request_handle: 0x00cc000c	1	1
InternetReadFile July 31, 2024, 7:26 a.m.	buffer: MZÿÿ¸@àº´ Í!¸LÍ!This program cannot be run in DOS mode. $_´Vå1çVå1çVå1ç9çOå1ç9¯çwå1ç9ç+å1ç_¢ç]å1çVå0çå1ç9çWå1ç9«çWå1ç9¬çWå1çRichVå1çPEL·×jeà ¤^@,ÞÀ@0Þ ¼.0/¼àBÔ\|°B@à@?ÀF@àBN@àBN@àÀ B N@à.rsrcàB~X@@x`C(Ö@à.data@"ð»2"þ@àW¦<Iië ß4=@Ú{Óy÷F~}¦´09;v BÙeö§É~±Ó3Eì}¡~ù¾Þ,yÌÙÖM A)å@;¦µÓï¿¹oüÙ!³3¥³ K`Ü26È Ò× ½AÀ$Èå½j¹f§%ÓÈ~.L3ë9_°B`pú'i)d¥sã¥¨WÝgówº'%!uEÞ¹É _ªi»KÿS7úÆË0ë9ÏX}nü£à!¨ÎÖew@@¨UAaÓ£ëúº³òNÈ\s@sÜ.ö(Å_TQÌ¾\|Qº«µ}ÞÍ¼T0Iu·Ïþôgú´¦lÁýÞ³³X>ÑÄmX1×ð71 B§Á·Å®ÂrÍÔ¢¶~ ÍÝ6ÞïÚC\x ø¨"ërº³(Ôp¤@Û!¦×%B¶ëÌÒÚy`pOW?\|Ãá}è6¾0·~@óî¾SýI½'»/Ó¡Ù0gÌG«dô¹ß#¾×¹>!öwéÌbUÛ¨ew¶(vá¬;Zä¯CCBøÈàncûËJNSª\|âábUFÄsQv¦¡fy9 Ý:üsíéçx,å¦^½ Å¥âåPP,Ø Ç6hgÝü÷®KEÙJgñO+ì¦.y±DÔ_ØÀY Ô¤'Õt3¬Axf£>ÎÉìäP{²¹ÔÅ[Z'DuÃÿÇf¾×7©Çq:1¤à¿O(Æ×?&AÓÐ¢ðõNßà° Ê.¥û½<©2{«ý¯÷¢/~íÞVì¸¶²ðC§(Uõ)o±jTÅxÃí#LçôG`óm_ú´ç¹#à¸·ñ mO&\VÙ7ë0<ª±²c-eE9´ÂËY; ÓÄ ÅºD×_ëØqÔ0;`Eµ1ÒóhÑO ØéðÄ8nA0F$9CÇûðþÛÈ²RY»+÷àÉ^ û¾uØúÓP}í¹ãöÊ]E¤gU=}ú¬ÌØu"üdùÄV8aCÀ6_¤Oîþz¥s¹hjT=1±òä¾ýGe{_¨,£1ûïMG·îï1¶RSÒ»n;ôÂ=ÊjXVÄÁn·¨~×$ÎO¯å_GýR\ì; Ýü%)Õu8Rc×ML¦_£·éë¼MûÆ¨ìî¥§¿}:ÇÐy3o´»{û¸\|höç[õÖÆZq[ºl9Ìëjt}ëO°W[Ïç\ó:a«©vçç¼qH²¬4úóà¿ä¶Í´¯¡ ª¿ µµp5;=`jSh])¸ôeðÊ§qXWm@¨ÐÆz<¿Ð.c'q_þºfñ(Ò2k÷hWäÞcÛÞ¡öc¶½û?öö^¸o9ÄpÝ»·UJHohÌ(l})¹]éú»dÇÐyGV9Ï÷;·wª\ëëû+uFSÓG¨^V#ÂNèÇ8ð!4>°eËút&l['ñZ ãÀ'ÍyzL£Ä'lL»Mv²Hñìf#æÁJìãºÒZú¹Õöñ¸wñé0EW\+.üL)öÁeËØvV¥uöÂ×¿i¼<¾3êWÈ{Å_z2ÇÇ²vâO¢ãþ¿çÊÅW' ÉÿÄ¼ÖQÝ'¿7õ³æ: ¡ò¡}µ-"ï·9À`á¹SjSvâjçÎ $Z8\_½Ï%¶:AdQj&Öjý «©Üzï¹©ºC»ÃgÚ"!DUª·4²í_ö6ì&èúM©lËQ4 3 ¦Zl#oÍ»®9ÆqgÔÓ}@VÖ!æßí&ÃêäÿÏÜÍ Æ¶D$tÀ3ÖÁl¹¹õÌãÖõ9'l+ÙÔl=¸aR£[+ÈÃé:5^®·´ÝBK\|±µtp/[0«T»à\|Î¾WÔ·+öôÃáÖÈvñEm9oÙgÿ-ÏX V0à±+®_"}ø'IäÄªæÞ<?6ÚwñTNz5(µõÅÑ. \|Ó2R:ë¡Î¯ Ê¸N%Ý»®4íö×Ðýôú×úø_1wê8WtÅ æ:fãxw¼oY5îí{µ ³öK\|Ñ)s¶¯Iöðdx?=".Mï')aÉ¾GçØÑ4° §þ×wÛ¾ÒøþJ®PEä¦jgErÌÄþíR(¹Ti@$ïhÿ¼Q=ÉL¸ôI£±Øîj, ?m\|ðôºÎ4\|EÏÏTôÕ2¸oþËb:±1W`?×í99^¥¬õK½Y_©ÇÃÙä,8?lgÕ^.jëpXêFo°ÈHKôýPRùï2ð=X¾ÔUäDBÌ)´ö%M`À<=´ÛÃÌÑdSÙÄýn©éÃÒ m[¸ÍfÚAÅ!äoGeÎÁOó3$®X wÖÓ\5]Ou$7u`ë;,tÞñ§ÌÕE;£ (fxöÚ[d¾âùÔ~eWdª-/½>:-^UíÊ&ìåËG¾ø=òz>ÃH y}<RE:e×ò±)Jÿ:÷Ñ¼Cã¸jpÌ×ry ¯@NZKÞ°UÀJË°_;N Vª}{s¿%4¡ÍøàóR¯ÜD2fÀUH«ÎÔöëÍR»ú<¼íekÓn;ÉÐ§¥TëÇßx5JOIW!ÐÕúM<3ªfÌJÞî+OÌhkð½¤VÎäªúbèGß tæc=²ÐÈÝù½IÅÇ!Ô°ä»úú«ôyfX7näg»KÈu{zLÆry°!Ã}>Nøs£-Ìý¯%°. ç"Z¢HÚåë¿$µÜyîï¾Ó>!¯Ü_êïÅÈlvâ²Ö}ËóH®ã¸¬¿ekóêÞ/ªzF=ÖcÖÕz@¡ZöS«2oÅÔ£·ùS¸®\¤üÆ »×Ò°h+W,nÒÁèpLÙÈòÏ§Ã(×î{>á¯a YºªGøù2xíß6)Mðgq];Ï±ªn¾Ñ¨¥qAÉ@P1iØÿ·ê¼&[üùLQÉÙüú&@tTÄ(=> ÚÉ.ÂèèK¤ËÔVO~Bþb?(Ée=Øñ2X§û-\| 9ücÁ÷->±\|ÏN-±èÿJõÍ! Ãõ¾o0´¶=:gù{í.wL&øêBÃ$§èûsºc¹öZÿ=¹p%itÿ°õ?¹}f#ÿgúiì5ä¢üçpâÛpE^^'àw¦îà!¼`kqÿ2ØÕ!èðOùS½G~²>Ãò:`¹S ÐÞé¹VB´-ÖxÙYS=·Ôä± tÞ8¼Z@¬á6J}©Î¸xð½pTîWÙAlï#åßÃõ÷¸RÃ_Jµ(ÜÔ¢«·1À£þMOV¸¤½<Q«ú\|Y5µ9PG8àT9Æ;gJV¶Ñ8TfõwÞï]mÓ¥Æ´c?V¬8»ýbRª^¢I¸¼EhbÐ+µâ¬ã\|f`¹-Ê·?²Ûý±r`L^¿wI/å§òJÓ®Åàïd[¶?®ÿ&5«FÁ<¦ÖÝÏe ` Túx¯pÏÂÿºl$¨SmJ«ìè\|SÒK 8n¿KËÄ°j®¹l'Ö ü .¼¥®¿\|'4;ß,ðÚìÐK²\|_pq request_handle: 0x00cc000c	1	1
InternetReadFile July 31, 2024, 7:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÌPJr>r>r>Ó=r>Ó;(r>]:r>]=r>];ýr>Ó:r>Ó?r>r?^r>7r>Ár><r>Richr>PEL¾@¢fàæÊ`J@J@W kàPMJMJ Þ@à.rsrcàî@À.idata ð@À *°ò@àiicmdrrkÐ0ô@àaehhwvonPJt@à.taggant0`J"x@à request_handle: 0x00cc000c	1	1
InternetReadFile July 31, 2024, 7:26 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $J^ò?Ý?Ý?ÝÝMÜ?ÝÝMÜ£?ÝÝMÜ?ÝÝMÜ ?Ý?Ý?ÝÌ¾Ü?ÝÌ¾ÜS?ÝÌ¾Ü?Ýý½Ü?Ýý½Ü?ÝRich?ÝPEL±§fà'Ð~¼ @@ÌO(`@#ø @!8 @ t.textvx `.Bqqå \| `.rdatar¸ º@@.datatñ`â@@À.reloc@#`$"@B¹Ø@Hè;^hÿBè¦YÃj¸©Bè§¸¬%HÇEðP%HEìeüÇ¬%HH¢BÇEühBCPh\%HèÛhMüÿh BèJ¦Äè§Ãj¸èBè0§¸D%HÇEðè$HEìeüÇD%Hô§BÇEühDFCPhô$HèhMüÿhBèó¥ÄèÃ¦ÃhBèà¥YÃhBèÔ¥YÃh¨CHèÊhÇ$#Bè¼¥YÃj¹tCHè\|h/Bè¤¥YÃ¹¤CHè/]hEBè¥YÃh;Bè¥YÃjjh0DH¹àCHè{{hOBèc¥YÃVWjèãY¿0DHðÏè¿{jVÏÇ0DHP´BèfhYBè+¥Y_^Ã¹ÙCHé\|¹ØCHèª\hcBè ¥YÃ¹DHéÍ¹DHè\hmBèé¤YÃjjhðDH¹ DHèhwBèÊ¤YÃVWjèJY¿ðDHðÏèØÏÇðDH(µBÆ8EHÆ.EHè?¡HEH LEH%(EHhB5<EH£0EH 4EHèd¤Y_^Ã¹EHèí[hBèL¤YÃhBè@¤YÃVÿt$ñ3Àÿt$@FFFPÇd¦Bè ÄÆ^ÂVÿt$ñÇL§Bè!YPNèÄ^Vÿt$ñ3Àÿt$@NFFÇH¦BèÆ^ÂVÿt$ñf$NÇ¦Bè}v$Æ^Âì$SUl$43ÀVWñD$ìÌUFèª}j[ÿtðÿGÇëÃPÎè²/ÿtÏè{?}tEL$(D$$E Pè3ÛD$$Cë3ÀD$D$D$ D$4D$D$PèBöÃtL$ãýÉtD$ +ÁàüPQèYYöÃt L$(èîDD$8ÎPè._Æ^][Ä$ÂVjñèD$Çø¦Bb$ÇL§BBÆR$^ÂUìQQVWÿuñè½ÿÿÿì0Ç0§B¾¨Ì'gèEøVPèÄ8;øtPÏèÚ"MüÉtè=/_ÆFvÆ^ÉÂj ¸²~Bè£]3ÿÇEèÿuè7YÈMä@t D$;Ç\|;÷v;Ç\|;ñv+ñÇëWÀfEÜEàuÜEìSMÔè"}Øu j^Öé}üAD%Àø@t<Eì;Ç\|3;÷v-H¶D@PL8è¶WøÿtsÆÿuÜEìÐÿEìEàëÉAL8WÿuäÿuÿP$;EäuE;×uAEì;Ç\|3;÷v-H¶D@PL8è^WøÿtÆÿuÜEìÐÿEìEàëÉj^×ëj^ÖUè@\| \|$Müÿë;MPÑBj^Æj3É9J8EñðVÊèF¸Ö@ÃMüÿ3ÿj^]UèHËW3À9y8EðqòVèæEMÔè¯ Ãèw¡ÃÌÌÌÌÌÃUììE@EüEMø@EôEøPEðMðPèYYÉÃL$T$A;B\|;s°Ã2ÀÃD$S3ÛSh@Bÿpÿ0è`£ÈD$9P\|9s³Ã[ÃD$S3ÛSh@Bÿpÿ0è2£ÈD$;P\|;s³Ã[ÃD$=rPèYÃÀtPèMYÃ3ÀÃD$H#;È¥@Qè3YÈÉt A#ààHüÃéMêSÙVW\|$C3+ÆÁø;øvWèï*3VWÿt$èíÄë<Uk+îÁýV;ýv t$UVèÏ®+ýsVWPè¿Äë Wÿt$è°Ä]¾_^C[Âj,èY@@fÇ@ÃS\$Ué¹ÿÿÿ;ÙwZjX;ØwSÿt$]UEè¼DÄÆ+ë4VWQPSè'ðNQèÞþÿÿSÿt$(ø]W}uèDÄÆ_^][Âè«BÌS\$Ué¹þÿÿ;ÙwdjX;ØwSÿt$]UEèdDÄ3ÀfD]ë;VWQPSèÕ&ðÄNQÍèµBSÿt$ø]W}uè(DÄ3Àf__^][Âè0BÌSÙ¹ÿÿÿW\|$;ùwQjX;øwjÿt${SCè¬Äë.VQPWè0&ðNQèöýÿÿOQÿt$${Psè CÄ^_[ÂèÈAÌS\$Ué¹þÿÿ;ÙwdjX;ØwSÿt$]UEèþTÄ3ÀfD]ë;VWQPSèò%ðÄNQÍèÒASÿt$ø]W}uèÂTÄ3Àf__^][ÂèMAÌVt$WùNÉtè«1ÀtFG°ë2À_^ÂìÌÿt$è&D$L$ÿ0è!Ã\|$Vñt#ÿt$èã$D$Vÿ6ÿ0D$ÿ0èïÄF^ÂT$BÀtðÿ@BAÂVt$W\|$+\|$Wÿt$Vè «Ä7_^ÃL$D$ÿt$PQèÈÿÿÿÄÃUìE=rEPEPè$EYYPÿuèôYY]ÃÑJ;JtD$BHJëÿt$QÊèËÂj¸Ï~Bèkñuà]Ã+EF+=ÿÿÿ@EèPè$EìPèìûÿÿYø}äeüEÇEM N;ÙuÇ]ëVWSRèê ÄÓN]CVPQRèÓ ÄMüÿÿuìÿuèWÎè\|&ÃèHÂÿuìÿuäMàèAjjèD±èi?ÌÌÌÌÌÌj¸ì~Bè£ñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèä#EìPÎèS?Ø]äeü<»M F9EuÓëVSÿuQè ÄMFWVRPQèë ÄMüÿÿuìÿuèSÎèì%Çè request_handle: 0x00cc000c	1	1
InternetReadFile July 31, 2024, 7:26 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $J^ò?Ý?Ý?ÝÝMÜ?ÝÝMÜ£?ÝÝMÜ?ÝÝMÜ ?Ý?Ý?ÝÌ¾Ü?ÝÌ¾ÜS?ÝÌ¾Ü?Ýý½Ü?Ýý½Ü?ÝRich?ÝPELzý¨fà'þ~¼ @°@ÌO(4#ø @!8 @ t.textvx `.Bqqå \| `.rdatar¸ º@@.datat`@@À.reloc4#$P@B¹ØnFè;^hÿBè¦YÃj¸©Bè§¸ÌSFÇEðpSFEìeüÇÌSFH¢BÇEühBCPh\|SFèÛhMüÿh BèJ¦Äè§Ãj¸èBè0§¸dSFÇEðSFEìeüÇdSFô§BÇEühDFCPhSFèhMüÿhBèó¥ÄèÃ¦ÃhBèà¥YÃhBèÔ¥YÃh¨qFèÊhÇ$#Bè¼¥YÃj¹tqFè\|h/Bè¤¥YÃ¹¤qFè/]hEBè¥YÃh;Bè¥YÃjjh0rF¹àqFè{{hOBèc¥YÃVWjèãY¿0rFðÏè¿{jVÏÇ0rFP´BèfhYBè+¥Y_^Ã¹ÙqFé\|¹ØqFèª\hcBè ¥YÃ¹rFéÍ¹rFè\hmBèé¤YÃjjhðrF¹ rFèhwBèÊ¤YÃVWjèJY¿ðrFðÏèØÏÇðrF(µBÆ8sFÆ.sFè?¡HsF LsF%(sFhB5<sF£0sF 4sFèd¤Y_^Ã¹sFèí[hBèL¤YÃhBè@¤YÃVÿt$ñ3Àÿt$@FFFPÇd¦Bè ÄÆ^ÂVÿt$ñÇL§Bè!YPNèÄ^Vÿt$ñ3Àÿt$@NFFÇH¦BèÆ^ÂVÿt$ñf$NÇ¦Bè}v$Æ^Âì$SUl$43ÀVWñD$ìÌUFèª}j[ÿtðÿGÇëÃPÎè²/ÿtÏè{?}tEL$(D$$E Pè3ÛD$$Cë3ÀD$D$D$ D$4D$D$PèBöÃtL$ãýÉtD$ +ÁàüPQèYYöÃt L$(èîDD$8ÎPè._Æ^][Ä$ÂVjñèD$Çø¦Bb$ÇL§BBÆR$^ÂUìQQVWÿuñè½ÿÿÿì0Ç0§B¾¨Ì'gèEøVPèÄ8;øtPÏèÚ"MüÉtè=/_ÆFvÆ^ÉÂj ¸²~Bè£]3ÿÇEèÿuè7YÈMä@t D$;Ç\|;÷v;Ç\|;ñv+ñÇëWÀfEÜEàuÜEìSMÔè"}Øu j^Öé}üAD%Àø@t<Eì;Ç\|3;÷v-H¶D@PL8è¶WøÿtsÆÿuÜEìÐÿEìEàëÉAL8WÿuäÿuÿP$;EäuE;×uAEì;Ç\|3;÷v-H¶D@PL8è^WøÿtÆÿuÜEìÐÿEìEàëÉj^×ëj^ÖUè@\| \|$Müÿë;MPÑBj^Æj3É9J8EñðVÊèF¸Ö@ÃMüÿ3ÿj^]UèHËW3À9y8EðqòVèæEMÔè¯ Ãèw¡ÃÌÌÌÌÌÃUììE@EüEMø@EôEøPEðMðPèYYÉÃL$T$A;B\|;s°Ã2ÀÃD$S3ÛSh@Bÿpÿ0è`£ÈD$9P\|9s³Ã[ÃD$S3ÛSh@Bÿpÿ0è2£ÈD$;P\|;s³Ã[ÃD$=rPèYÃÀtPèMYÃ3ÀÃD$H#;È¥@Qè3YÈÉt A#ààHüÃéMêSÙVW\|$C3+ÆÁø;øvWèï*3VWÿt$èíÄë<Uk+îÁýV;ýv t$UVèÏ®+ýsVWPè¿Äë Wÿt$è°Ä]¾_^C[Âj,èY@@fÇ@ÃS\$Ué¹ÿÿÿ;ÙwZjX;ØwSÿt$]UEè¼DÄÆ+ë4VWQPSè'ðNQèÞþÿÿSÿt$(ø]W}uèDÄÆ_^][Âè«BÌS\$Ué¹þÿÿ;ÙwdjX;ØwSÿt$]UEèdDÄ3ÀfD]ë;VWQPSèÕ&ðÄNQÍèµBSÿt$ø]W}uè(DÄ3Àf__^][Âè0BÌSÙ¹ÿÿÿW\|$;ùwQjX;øwjÿt${SCè¬Äë.VQPWè0&ðNQèöýÿÿOQÿt$${Psè CÄ^_[ÂèÈAÌS\$Ué¹þÿÿ;ÙwdjX;ØwSÿt$]UEèþTÄ3ÀfD]ë;VWQPSèò%ðÄNQÍèÒASÿt$ø]W}uèÂTÄ3Àf__^][ÂèMAÌVt$WùNÉtè«1ÀtFG°ë2À_^ÂìÌÿt$è&D$L$ÿ0è!Ã\|$Vñt#ÿt$èã$D$Vÿ6ÿ0D$ÿ0èïÄF^ÂT$BÀtðÿ@BAÂVt$W\|$+\|$Wÿt$Vè «Ä7_^ÃL$D$ÿt$PQèÈÿÿÿÄÃUìE=rEPEPè$EYYPÿuèôYY]ÃÑJ;JtD$BHJëÿt$QÊèËÂj¸Ï~Bèkñuà]Ã+EF+=ÿÿÿ@EèPè$EìPèìûÿÿYø}äeüEÇEM N;ÙuÇ]ëVWSRèê ÄÓN]CVPQRèÓ ÄMüÿÿuìÿuèWÎè\|&ÃèHÂÿuìÿuäMàèAjjèD±èi?ÌÌÌÌÌÌj¸ì~Bè£ñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèä#EìPÎèS?Ø]äeü<»M F9EuÓëVSÿuQè ÄMFWVRPQèë ÄMüÿÿuìÿuèSÎèì%Çè request_handle: 0x00cc000c	1	1
InternetReadFile July 31, 2024, 7:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ègX¬ô¬ô¬ôt÷ ôtñ ôtð ¹ôtõ ¯ô¬õ.ônð ¾ônñ ÷ôn÷ ´ô_ñ ô_ô ô_ö ôRich¬ôPELº]¢fà':,A`@°@À ¸x (d HßßÞ@`l.textG12 `.zzZ P6 `.rdataò²`´>@@.data¼T Fò@À.relocd "8@B¹àdVè'=hÅ@Bè)pYÃj¸ü<Bèq¸ÄKVÇEðhKVEìeüÇÄKVHbBÇEühýBPhtKVèPGMüÿhÏ@BèÙoÄè©pÃj¸;=Bè¿p¸\KVÇEðKVEìeüÇ\KVgBÇEühøCPhKVèùFMüÿhÒ@BèoÄèRpÃhß@BèooYÃhÕ@BècoYÃh¨gVè?GÇ$é@BèKoYÃj¹tgVè hõ@Bè3oYÃ¹¤gVè<hABèoYÃhABèoYÃjjh0hV¹àgVèÖUhABèònYÃVWjèÿÃY¿0hVðÏèVjVÏÇ0hVxsBèÀZhABèºnY_^Ã¹ÙgVé_V¹ØgVè;h)ABènYÃ¹ÄhVè;h=ABènYÃh3ABèvnYÃÌÌÌÌÌÌÌVÿt$ñ3Àÿt$@FFFPÇ eBèfÄÆ^ÂVÿt$ñÇfBèÒYPNèa^Vÿt$ñ3Àÿt$@NFFÇeBèWÆ^ÂVÿt$ñf$NÇÄeBè¦=v$Æ^Âì$SUl$43ÀVWñD$ìÌUFèÖ}j[ÿtðÿGÇëÃPÎèw"ÿtÏè+}tEL$(D$$E Pèc3ÛD$$Cë3ÀD$D$D$ D$4D$D$Pèó-öÃtL$ãýÉtD$ +ÁàüPQèîYYöÃt L$(è0D$8ÎPè´ _Æ^][Ä$ÂVjñè¹D$Ç4fBb$ÇfBBÆR$^ÂUìQQVWÿuñè½ÿÿÿì0ÇlfB¾¨Ì'gè¯EøVPè¼ Ä8;øtPÏè·MüÉtèê!_ÆFvÆ^ÉÂj ¸":BèÊm]3ÿÇEèÿuèwÝYÈMä@t D$;Ç\|;÷v;Ç\|;ñv+ñÇëWÀfEÜEàuÜEìSMÔèN}Øu j^Öé}üAD%Àø@t<Eì;Ç\|3;÷v-H¶D@PL8èª7øÿtsÆÿuÜEìÐÿEìEàëÉAL8WÿuäÿuÿP$;EäuE;×uAEì;Ç\|3;÷v-H¶D@PL8èR7øÿtÆÿuÜEìÐÿEìEàëÉj^×ëj^ÖUè@\| \|$Müÿë;MPÑBj^Æj3É9J8EñðVÊè0¸6@ÃMüÿ3ÿj^]UèHËW3À9y8EðqòVèe0MÔè²Ãè¦kÃÌÌÌÌÌÃD$=rPèYÃÀtPè)hYÃ3ÀÃD$H#;È,QèhYÈÉt A#ààHüÃéÊ³SÙVW\|$C3+ÆÁø;øvWèa3VWÿt$è÷Äë<Uk+îÁýV;ýv t$UVèÙ®+ýsVWPèÉÄë Wÿt$èºÄ]¾_^C[Âj,è{gY@@fÇ@ÃS\$Ué¹ÿÿÿ;ÙwZjX;ØwSÿt$]UEèè/ÄÆ+ë4VWQPSè»ðNQèÞþÿÿSÿt$(ø]W}uè´/ÄÆ_^][ÂèZ.ÌSÙ¹ÿÿÿW\|$;ùwQjX;øwjÿt${SCèrvÄë.VQPWèNðNQèqþÿÿOQÿt$${PsèG/Ä^_[Âèò-ÌVt$WùNÉtèA#ÀtFG°ë2À_^ÂìÌÿt$èõD$L$ÿ0èa Ã\|$Vñt#ÿt$è\|D$Vÿ6ÿ0D$ÿ0èÄF^ÂT$BÀtðÿ@BAÂVt$W\|$+\|$Wÿt$VèuÄ7_^ÃL$D$ÿt$PQèÈÿÿÿÄÃUìE=rEPEPè¨EYYPÿuèÆeYY]ÃÑJ;JtD$BHJëÿt$QÊèËÂj¸?:Bè=iñuà]Ã+EF+=ÿÿÿ@EèPèîEìPèâüÿÿYø}äeüEÇEM N;ÙuÇ]ëVWSRèÄÓN]CVPQRèpÄMüÿÿuìÿuèWÎèäÃèhÂÿuìÿuäMàè-jjèMzè,ÌÌÌÌÌÌj¸\:Bèuhñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèLEìPÎèí+Ø]äeü<»M F9EuÓëVSÿuQèÄMFWVRPQèÄMüÿÿuìÿuèSÎèTÇèWgÂÿuìÿuäMàèÞ,jjèyèK+ÌÌÌÌÌÌj¸y:Bè²gñuà}+>ÁÿF+Áø=ÿÿÿ?@EèPèEìPÎè+Ø]äeü<»EV9UuÃëVSÿuQèÚÄMVGVPRQèÅÄMüÿÿuìÿuèSÎèÇèfÂÿuìÿuäMàè,jjèÇxèÌÌÌÌÌÌVñÿpÿt$èj,ÿ6è.cYY^ÂVt$WùëÿvÏÿt$èèÿÿÿVÿt$6è YY~ tÞ_^ÂVt$Nè(j,VèâbYY^ÃD$èt0èu+Vh¨èbðYötÿt$Îèÿ÷ÿÿÇPfBë3öÆ^Ãh°èkbYÀtÿt$Èè øÿÿÃ3ÀÃVj0èObðYÿt$NÇüeBèÆ^ÃVqÈèk:L$,Ét#SÿPÈØèP:L$è'Ã[^Â(èÑ2ÌQSÙºÿÿÿL$ÂUk+Å;ÁrlCVWR<)D$PWèUðNQèxùÿÿ request_handle: 0x00cc000c	1	1
InternetReadFile July 31, 2024, 7:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELB½à0ìÐÆ¹ @ @t¹O ÄÉX¹ H.text¬é ì `.rsrcÄÉ Ìð@@.reloc¼@B¨¹HT-M`ø0 1s, ~Ï%-&~Îþls- %Ï(+o/ 8Ðo0 ±%rprYp~1 (2 ¢%rqpr¯p~1 (2 ¢%rÇprp~1 (2 ¢%r!prap~1 (2 ¢( o3 81(4 s_sm~1 }Í~1 s5 (6 o7 }Í{ÍrqprÑp~1 (2 o8 ,rãprp~1 (2 +;rprap~1 (2 o8 -{Í(+{Í((9 þ 9:o: (; o< o= (> {Í((9 þ 9ñs? s? s? þ`s@ ~Ð%-&~ÎþmsA %Ð(+þas@ ~Ñ%-&~ÎþnsA %Ñ(+þbs@ ~Ò%-&~ÎþosA %Ò(+oB þ9E{Í±%rip¢oC r}p(> (C(+oE sF (N(+oToG #>@(H (I ioJ &ÞÞ(K þ9þcs@ ~Ó%-&~ÎþpsA %Ó(+þds@ ~Ô%-&~ÎþqsA %Ô(+þes@ ~Õ%-&~ÎþrsA %Õ(+ÞÞo_oaþfsL ~Ö%-&~ÎþssM %Ö(+ocoiþgsN ~×%-&~ÎþtsO %×(+oeþhsP ~Ø%-&~ÎþusQ %Ø(+ogþisR ~Ù%-&~ÎþvsS %Ù(+ok( +,dsm%o_%r£p(> oa%sU oc%oi%ok%sV oe%sW ogoX ( +,dsm%o_%rµp(> oa%sU oc%oi%ok%sV oe%sW ogoX ÞÞolþ,oX (Y :ÃúÿÿÞþoZ Üo[ :%úÿÿÞ,oZ ÜÞ&Þ + Añ,:ÕåäÉµDù4â$0sr rËp(\ (] þ , Ýî(srÝpo&8oo^ oo^ (rùpo8 ,4sr ³%-o_ oo oq +sr%oo%oq ÞÞXoþ:NÿÿÿÞ ÞÞÞ+ALPà1Ó 0sU ³%Ð°(` sa (\ (] þ , ÝS(s³%Ð\|(` sa o&8òsoo^ ooo^ oo(oÞÞÞoo(K - o+rýpoo(K - o+rýpoo(K - o+rýpoÜorýp(b ,oc Xoþ :úþÿÿÞÞÞÞ+*AdzJÄzRÌoC8{}0Ìs? (\ (] þ , Ý£(s³%Ð(` sa o&8Css%oo^ ov%oo^ o: .þox%oo^ oz%oo: 1þo\|%oo^ (d @Bj[!¶Yo~%oo^ o%r po(oo}jþ,-(e (f (g request_handle: 0x00cc000c	1	1
InternetReadFile July 31, 2024, 7:26 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $¨:ìf}iìf}iìf}i§~hëf}i§xhSf}i§yhæf}iièf}ixhÄf}iyhýf}i~håf}i§\|hçf}iìf\|igf}iyhøf}ihíf}iRichìf}iPEdpZ¢fð" \°¯@0pÊ®`Á¼x ôàÄ X à@ .text `.rdata* ,@@.dataèÐ¸@À.pdataÄ à"Æ@@_RDATA\è@@.rsrc ô öê@@.relocX à@B@SHì è¥ßHèßHÓèSeHØèßHÓHÄ [éÜ%ÌÌÌÌÌÌÌÌÌÌÌÌHÃÃÌÌÌÌÌÌÌÌHT$HL$SUVWAVAWHì3ÀMðHÚHD$PHùHD$XH¿HD$`D@XD$(HL$ HD$ Iñèè DøÀt&HSDÀH è°EÿHÄA_A^_^][Ã¹ L¬$èû.LèHÀuLCH¨H åèÌéc¹ èÍ.HèHÀuLCHÊH ·èé5L¤$ÐDc@fL¸ L;àIÜºIÍHGØLÃèºãH;ÃãHèáÀÓL+ã\$(Ll$ f» Hl$03Ò\$8HL$ èfkøA¿ÿÿÿÿHùvwøtmL$8H+ÙMöt(MÎAWLÃHÍèêH;ÃuIÎè¦àÀtAÿë>HötLÃHÕHÎè¨Hó\|$8tÿtMätH¼$ÀéÿÿÿE3ÿë(¿ýÿÿÿH$ÈH ðHÂDÇèëA¿ÿÿÿÿL¤$ÐHL$ èIÍèN-HÍèF-L¬$AÇHÄA_A^_^][ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌ@VAVHì(HHòLñHÀu2HÁxHoèº)IHÀuHVH _è3ÀHÄ(A^^ÃVE3ÀIVHÈèZåÀy!LFHgH è«3ÀHÄ(A^^ÃNL\|$ è¤,LøHÀu DNLFH}H èqé°~H\$@Hl$HH\|$PLd$XuMÏE3ÀHÖIÎèÁüÿÿÀtmë`^IïHÛt`A¼ ffMI;ÜHûA¸IGüHÍH×è^áHør HïH+ßuÔë"LFHßH èÛIÏèÏ+E3ÿH\|$PHl$HH\$@Ld$XIHÉtè»ÝIÇIÇL\|$ HÄ(A^^ÃÌÌÌÌÌÌÌÌ@SWAVHì0HúLñè¬Røÿu HÄ0A^_[ÃHl$PIx0HoLd$`HÕè¡ULàHÀu LÅHH ´è3AD$ÿéIHÀu1INxHèÑ'IHÀuHÕH wè»ÿÿÿÿé7WE3ÀIVHÈèrãÀy LÅHH µèÄ»ÿÿÿÿéuE3ÉMÄH×IÎè#ûÿÿØéãLl$(3ÛA½ L\|$ AÍèLøHÀuLÅH(H }èdA_ÿéHÿHt$XffMI;ýH÷A¸IGõIÏHÖè~ßHør1MÌA¸HÖIÏè¤æHørH+þu½ë+H,H YëHÜH LÅèÕ»ÿÿÿÿHt$XIÏè¿)Ll$(L\|$ IHÉtè¸ÛIÇIÌè©ÛÃHl$PLd$`HÄ0A^_[ÃÌÌÌÌÌÌÌÌ@SHì LIHÚLYM;ËsDMÑIALÃL+ÀfD¶B¶+ÑuHÿÀÉuíÒt/IcIÁLÈI;Âr I;ÃrÆ3ÀHÄ [ÃH gè²3ÀHÄ [ÃIÁHÄ [ÃÌH\$Hl$Ht$WHì HYHêHñHÇÇÿÿÿÿHÿÇ<u÷HIH;ÙsT{ouHKLÇHÕèä(ÀtHNHcHÃHØH;FrH;ÁrÏë!HCHÇ8tHCHÇëH Êè3ÀH\$0Hl$8Ht$@HÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌ@SHì HcHÙHÂH;AsH èÏHCHÄ [ÃÌÌÌÌÌH\$WHì0H?¸H3ÄHD$(HÙH HÉuHKxHaè¬$HHÈHÀtSH³HT$ HD$ A¸HÁèD$#è[YHøHÀt%HE3ÀHÐè9àÀyH"H è¸ÿÿÿÿégLHK ºXDB©èËÜHøsHH èV¸ÿÿÿÿé/K(E3ÀC,ÈC,C0ÈC0C4ÉÉH+ùK(ÈHÇXC4H{3ÿ»\|P²ÃS,HSHèßHcK0è'HCHÀuH®H óèÚGÿéµHcS0A¸LHÈèÜHøsH éIÿÿÿHcC0HCHHCègÙÀtH è'¸ÿÿÿÿëcHCH;CsGfDHÉHHÉHHÉHÊHcÊHÈHÁH;KrH;KrÍëH èÏ HHÉtè.ØH;3ÀHL$(H3ÌèH\$HHÄ0_ÃÌÌÌÌÌH\$Ht$WHì IØHòHùLLÊHÁxºè0=}vHxLËLØºè=}THx HÖHËèÅ 3ö·xP@f¶ H[ÀuïHÏèGýÿÿÀt"HHÉtèb×H73ÀH\$0Ht$8HÄ _ÃH\$0¸Ht$8HÄ _ÃÌÌÌÌÌÌÌÌÌÌÌÌHÉt7SHì HÙHIHÉtè%HHÉtè×HÇHËèå$HÄ [ÃÌÌÌ@SHì ºP¹è¿$HØHÀuHäH è° HÃHÄ [ÃÌÌÌÌÌÌÌLD$LL$ SUVWHì8IðHl$xHÚHùèëôÿÿHl$(LÎLÃHÇD$ H×HHÉèÀ¹ÿÿÿÿHÁHÄ8_^][ÃÌÌÌÌÌH\$Hl$Ht$ WHìHR´H3ÄH$pHALlLIHùHÁ(HD$ ºèÿº2·ÈØDBÒÿ¨fZ request_handle: 0x00cc000c	1	1
InternetReadFile July 31, 2024, 7:27 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ £XhcðXhcðXhcð`ñ_hcðfñìhcðgñRhcðëð[hcðë`ñQhcðëgñIhcðëfñphcðbñShcðXhbðÉhcðKìgñAhcðKìañYhcðRichXhcðPEdj¢fð"(ÐÀ@ÐÅ`ÁlÇx´+`"ÀhÀ@°P.text `.rdataB&°(@@.dataØsàÀ@À.pdata"`$Î@@.rsrc´+,ò@@.relochÀ@BHì(è/áHîÏè'áHHÝÏHHH ÒÏHÄ(é¹$ÌÌÌÌÌÌÌÌÌHqCÃÌÌÌÌÌÌÌÌH\$Hl$ LD$VWATAUAWHì Hò3íHý§DýIøHÙA½ÿÿÿÿèå.LàHÀuHVH Ú§èMéVE3ÀHIÌè7éÀyLFHä§H ¨èé¯Nè0LøHÀu DNLFH¨H ¦èXé~uMÏE3ÀHÖIÌèÌëW^Lt$PM÷HÛt;¸ DH;ØHûMÌA¸HGøIÎH×è^åHørhL÷¸ H+ßuÏÅH\|$`Lt$PÀtIÏèÓ/LýIÌèØáIïMÿtH×IÏèù.DèHÍèª/H\$XAÅHl$hHÄ A_A]A\_^ÃLFH!¦H N¦è}AÅëÌÌÌÌÌÌÌÌHT$HL$SUVWAVAWHì3ÀMðHÚHD$PHùHD$XA¸XHD$`H@¤D$(HL$ HD$ èIñèXDøÀt(HSDÀH #¤è¸ÿÿÿÿHÄA_A^_^][Ã¹ L¬$èç.LèHÀuLCH4¤H q¤è¸é\¹ è¹.HèHÀuLCHV¤H C¤èé.L¤$ÐA¿ÿÿÿÿDc¸ IÜL;àLÏºIÍHGØLÃèªãH;ÃæHÏè áÀÖL+ã\$(Ll$ f» Hl$03Ò\$8HL$ èøA¿ÿÿÿÿHùv\|øtrL$8H+ÙMöt)MÎLÃºHÍènêH;ÃuIÎèàÀtAÿëBHötLÃHÕHÎè}Hó\|$8{ÿÿÿÿtMätH¼$ÀéÿÿÿE3ÿë ¿ýÿÿÿH$ÈH {£HÂDÇèïL¤$ÐHL$ èmIÍèA-HÍè9-L¬$AÇHÄA_A^_^][ÃÌÌH\$ VAVAWHì HòHÙH¤E3öè +LøHÀu!HVH ¤èu3ÀH\$XHÄ A_A^^ÃVE3ÀHIÏèSåÀyLFH¤H 5¤è¤é»Nè§,LðHÀu DNLFH ¤H -¢èté~uMÎE3ÀHÖIÏèèüÿÿëc^Hl$@IîH\|$HLd$PHÛt8A¼ fDI;ÜHûMÏA¸IGüHÍH×ènáHørBHïH+ßuÔ3ÀH\|$HHl$@Ld$PÀtIÎèã+E3öIÏèèÝH\$XIÆHÄ A_A^^ÃLFHW¢H ¢è³¸ÿÿÿÿëªÌÌÌÌÌÌÌÌÌÌÌÌ@SWHì8znHúHÙu$èxúÿÿØÀyHWH _£èÃHÄ8_[ÃHn£Ld$`IÈèe)LàHÀu(LGHR£H £è6Ld$`¸ÿÿÿÿHÄ8_[ÃH2¢L\|$ HËè!)LøHÀuHWH ¢è»ÿÿÿÿéTWE3ÀHIÏènãÀy!LGH¢H P¢è¿»ÿÿÿÿéuE3ÉMÄH×IÏè.ûÿÿØéôLl$03ÛA½ Lt$(AÍèLðHÀu!LGHÂ H è^»ÿÿÿÿé§Ht$XwHöHl$P@ffI;õHîMÏA¸IGíIÎHÕènßHør1MÌA¸HÕIÎèæHørH+õu½ë,H¼ H é ëHl H LGèÄ»ÿÿÿÿHl$PIÎè®)Ht$XLl$0Lt$(IÏè§ÛIÌèÛL\|$ ÃLd$`HÄ8_[ÃH\$Ht$WHì HHòHùH;spfffD¶CA@¦¨÷t:Aødt4Aønt.Aøxt(HCLÆL+À¶B¶+ÑuHÿÀÉuíÒëHKHÖèí)Àt HØH;r3ÀH\$0Ht$8HÄ _ÃHt$8HÃH\$0HÄ _ÃÌÌÌÌÌÌ@SHì HHÇHÛtHè(HËHÄ [é(HÄ [ÃÌÌÌÌÌÌÌÌÌÌÌÌHÂÃÌÌÌÌÌÌÌÌÌÌH\$Hl$ WHìH7ÇH3ÄH$HYHé3ÛèK&HøHÀH ºH$H$A¸HÁèHÏH´$¨$è5]HðHÀ7E3ÀHÐHÏèoàÀyH H UèÄ é LÏHL$ ºXA¸èÝHøsH H _è é×º`¹èn'HØHÀuHûH ( è_ é¨LÍL ºHËèÓD$(H ÈD$(LL$8D$,LîÈD$,º@D$0ÈD$0D$4ÈD$4èD$(E3ÀH+ðHÏHFXHT$,HÐèhßL$0èÛ&HHÀuHH eè¬éõT$0LÏA¸HÈèîÛHøsH}H JèyéÂD$0HÏHHèÙÀtH gèÚ éHH;DâÄfo Rf3ÀAø\|óof8ÁóëfÉHÿÀHø\|ï¶JA¦¨÷tùdtùnt ùxt2Àë° ÀHÐH;rHÏè¶×H´$¨HÃH$H3ÌèL$I[ Ik(Iã_ÃÌÌÌÌÌÌÌÌÌÌLD$LL$ SUVWH request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0002dc00', u'virtual_address': u'0x00001000', u'entropy': 7.979258429305275, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}

entropy

7.97925842931

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x001a4400', u'virtual_address': u'0x0031f000', u'entropy': 7.95364661792593, u'name': u'upgbvxgh', u'virtual_size': u'0x001a5000'}

entropy

7.95364661793

description

A section with a high entropy has been found

entropy

0.994133333333

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Communicates with host for which no DNS query was performed (3 events)

host	185.215.113.16
host	185.215.113.19
host	185.215.113.67

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 31, 2024, 7:26 a.m.	process_identifier: 1964 region_size: 48115712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000388		3221225496	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 626 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA July 31, 2024, 7:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA July 31, 2024, 7:25 a.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ab417aa83e.exe	reg_value	C:\Users\test22\1000029002\ab417aa83e.exe
file	C:\Windows\Tasks\explorti.job
file	C:\Windows\Tasks\axplong.job

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2816 manipulating memory of non-child process 1964
NtAllocateVirtualMemory July 31, 2024, 7:26 a.m.	process_identifier: 1964 region_size: 48115712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000388		3221225496	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ July 31, 2024, 7:25 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 e9 bf 18 00 00 42 81 ea exception.symbol: sand+0x1fe4d4 exception.instruction: in eax, dx exception.module: sand.exe exception.exception_code: 0xc0000096 exception.offset: 2090196 exception.address: 0x3ce4d4 registers.esp: 9436704 registers.edi: 13250062 registers.eax: 1447909480 registers.ebp: 3992367124 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 3981226 registers.ecx: 20	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (22 events)

Time & API	Arguments	Status	Return
NtResumeThread July 31, 2024, 7:25 a.m.	thread_handle: 0x000001e8 suspend_count: 1 process_identifier: 2556	1	0
CreateProcessInternalW July 31, 2024, 7:25 a.m.	thread_identifier: 2820 thread_handle: 0x000003d8 process_identifier: 2816 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e0	1	1
NtResumeThread July 31, 2024, 7:25 a.m.	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 2816	1	0
CreateProcessInternalW July 31, 2024, 7:26 a.m.	thread_identifier: 908 thread_handle: 0x00000370 process_identifier: 1964 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\0d8f5eb8a7\explorti.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000388	1	1
NtGetContextThread July 31, 2024, 7:26 a.m.	thread_handle: 0x00000370	1	0
NtAllocateVirtualMemory July 31, 2024, 7:26 a.m.	process_identifier: 1964 region_size: 48115712 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000388		3221225496
CreateProcessInternalW July 31, 2024, 7:26 a.m.	thread_identifier: 1356 thread_handle: 0x00000480 process_identifier: 1264 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\1000029002\ab417aa83e.exe track: 1 command_line: "C:\Users\test22\1000029002\ab417aa83e.exe" filepath_r: C:\Users\test22\1000029002\ab417aa83e.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1
CreateProcessInternalW July 31, 2024, 7:26 a.m.	thread_identifier: 2192 thread_handle: 0x0000046c process_identifier: 2188 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000030001\22fc86ad3a.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000030001\22fc86ad3a.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000030001\22fc86ad3a.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000047c	1	1
NtResumeThread July 31, 2024, 7:26 a.m.	thread_handle: 0x00000114 suspend_count: 1 process_identifier: 1264	1	0
NtResumeThread July 31, 2024, 7:26 a.m.	thread_handle: 0x000001e8 suspend_count: 1 process_identifier: 2188	1	0
CreateProcessInternalW July 31, 2024, 7:26 a.m.	thread_identifier: 2536 thread_handle: 0x000003cc process_identifier: 2540 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1
NtResumeThread July 31, 2024, 7:26 a.m.	thread_handle: 0x000001a0 suspend_count: 1 process_identifier: 2540	1	0
CreateProcessInternalW July 31, 2024, 7:26 a.m.	thread_identifier: 2720 thread_handle: 0x00000460 process_identifier: 2716 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000002001\GOLD.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000002001\GOLD.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000002001\GOLD.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000464	1	1
CreateProcessInternalW July 31, 2024, 7:26 a.m.	thread_identifier: 3036 thread_handle: 0x00000444 process_identifier: 3020 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000003001\4434.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000003001\4434.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000003001\4434.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000470	1	1
CreateProcessInternalW July 31, 2024, 7:26 a.m.	thread_identifier: 1864 thread_handle: 0x00000370 process_identifier: 1780 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000046c	1	1
CreateProcessInternalW July 31, 2024, 7:26 a.m.	thread_identifier: 2468 thread_handle: 0x000004dc process_identifier: 2452 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\25072023.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004fc	1	1
CreateProcessInternalW July 31, 2024, 7:27 a.m.	thread_identifier: 416 thread_handle: 0x000004d4 process_identifier: 1304 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000500	1	1
NtResumeThread July 31, 2024, 7:26 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2452	1	0
NtResumeThread July 31, 2024, 7:26 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2452	1	0
NtResumeThread July 31, 2024, 7:26 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2452	1	0
NtResumeThread July 31, 2024, 7:20 a.m.	thread_handle: 0x0000000000000090 suspend_count: 1 process_identifier: 1304	1	0
CreateProcessInternalW July 31, 2024, 7:20 a.m.	thread_identifier: 672 thread_handle: 0x000000000000009c process_identifier: 920 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000010001\pered.exe stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x00000000000000a0	1	1

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (8 events)

dead_host	192.168.56.101:49194
dead_host	192.168.56.101:49191
dead_host	192.168.56.101:49193
dead_host	185.215.113.67:40960
dead_host	192.168.56.101:49192
dead_host	192.168.56.101:49197
dead_host	192.168.56.101:49196
dead_host	192.168.56.101:49200

sand.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All