random.exe

Queries for the computername (8 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Sept. 2, 2024, 10:58 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 2, 2024, 10:58 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA Sept. 2, 2024, 10:58 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA Sept. 2, 2024, 10:58 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA Sept. 2, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 2, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Sept. 2, 2024, 10:59 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameA Sept. 2, 2024, 10:52 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (50 out of 98 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:58 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 10:59 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0
IsDebuggerPresent Sept. 2, 2024, 11 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (14 events)

Time & API	Arguments	Status	Return	Repeated
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051c800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051c800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051c800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051c800 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051c880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051c880 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051c780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051c780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051c780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051c780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051c780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051cf00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051cf00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0
CryptExportKey Sept. 2, 2024, 10:58 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0051d700 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 2, 2024, 10:58 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	xzgvtied
section	eakryhpi
section	.taggant

One or more processes crashed (50 out of 238 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: random+0x3200b9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 3276985 exception.address: 0x3800b9 registers.esp: 8519240 registers.edi: 0 registers.eax: 1 registers.ebp: 8519256 registers.edx: 5402624 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 aa fc ff ff 89 de 89 f2 5e 5b 42 81 e2 5f exception.symbol: random+0x6d2de exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 447198 exception.address: 0xcd2de registers.esp: 8519208 registers.edi: 1971192040 registers.eax: 31909 registers.ebp: 3990859796 registers.edx: 393216 registers.ebx: 870904 registers.esi: 3 registers.ecx: 1971388416	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 55 c7 04 24 1a 87 exception.symbol: random+0x6d370 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 447344 exception.address: 0xcd370 registers.esp: 8519208 registers.edi: 1971192040 registers.eax: 31909 registers.ebp: 3990859796 registers.edx: 393216 registers.ebx: 870904 registers.esi: 846161 registers.ecx: 4294937620	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 31 c9 ff 34 19 ff 34 24 ff 34 24 e9 1b fe ff exception.symbol: random+0x6e167 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 450919 exception.address: 0xce167 registers.esp: 8519208 registers.edi: 1971192040 registers.eax: 29087 registers.ebp: 3990859796 registers.edx: 393216 registers.ebx: 870679 registers.esi: 846161 registers.ecx: 1180088322	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 56 e9 35 04 00 00 83 c4 04 56 51 68 0e e9 fc exception.symbol: random+0x6d870 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 448624 exception.address: 0xcd870 registers.esp: 8519208 registers.edi: 1971192040 registers.eax: 238825 registers.ebp: 3990859796 registers.edx: 393216 registers.ebx: 870679 registers.esi: 846161 registers.ecx: 4294940800	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 ad f5 ff ff a4 21 9d b1 b7 05 cf 0d 3c 3a exception.symbol: random+0x1f3878 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2046072 exception.address: 0x253878 registers.esp: 8519208 registers.edi: 877630 registers.eax: 30395 registers.ebp: 3990859796 registers.edx: 833549 registers.ebx: 2466558 registers.esi: 2435665 registers.ecx: 788463616	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 23 00 00 00 89 1c 24 bb 46 d9 a5 1f e9 9d exception.symbol: random+0x1f36e3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2045667 exception.address: 0x2536e3 registers.esp: 8519208 registers.edi: 877630 registers.eax: 0 registers.ebp: 3990859796 registers.edx: 833549 registers.ebx: 2439290 registers.esi: 2435665 registers.ecx: 1695737192	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 57 89 e7 52 ba 04 00 00 00 81 c7 5b 49 f9 74 exception.symbol: random+0x1f8d7c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2067836 exception.address: 0x258d7c registers.esp: 8519208 registers.edi: 2486235 registers.eax: 27829 registers.ebp: 3990859796 registers.edx: 2130566132 registers.ebx: 5111886 registers.esi: 2435665 registers.ecx: 78	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 56 e9 85 01 00 00 53 89 e3 81 ec 04 00 00 00 exception.symbol: random+0x1f86ea exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2066154 exception.address: 0x2586ea registers.esp: 8519208 registers.edi: 2461127 registers.eax: 0 registers.ebp: 3990859796 registers.edx: 1549541099 registers.ebx: 5111886 registers.esi: 2435665 registers.ecx: 78	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 a2 00 00 00 5e 81 c6 04 00 00 00 52 ba 04 exception.symbol: random+0x1fca57 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2083415 exception.address: 0x25ca57 registers.esp: 8519204 registers.edi: 11939568 registers.eax: 32364 registers.ebp: 3990859796 registers.edx: 1067215031 registers.ebx: 2475718 registers.esi: 0 registers.ecx: 1971442156	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 33 68 21 ac 82 6e 89 1c 24 e9 31 exception.symbol: random+0x1fcb90 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2083728 exception.address: 0x25cb90 registers.esp: 8519208 registers.edi: 11939568 registers.eax: 32364 registers.ebp: 3990859796 registers.edx: 1067215031 registers.ebx: 2508082 registers.esi: 0 registers.ecx: 1971442156	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 91 d4 00 53 89 14 24 ba 82 1a 29 3d e9 e5 exception.symbol: random+0x1fd08e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2085006 exception.address: 0x25d08e registers.esp: 8519208 registers.edi: 134889 registers.eax: 32364 registers.ebp: 3990859796 registers.edx: 1067215031 registers.ebx: 2508082 registers.esi: 4294937532 registers.ecx: 1971442156	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 52 83 ec 04 89 3c 24 89 exception.symbol: random+0x202215 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2105877 exception.address: 0x262215 registers.esp: 8519200 registers.edi: 134889 registers.eax: 1447909480 registers.ebp: 3990859796 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 2497561 registers.ecx: 20	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: random+0x2030cf exception.address: 0x2630cf exception.module: random.exe exception.exception_code: 0xc000001d exception.offset: 2109647 registers.esp: 8519200 registers.edi: 134889 registers.eax: 1 registers.ebp: 3990859796 registers.edx: 22104 registers.ebx: 0 registers.esi: 2497561 registers.ecx: 20	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 dc 33 2d 12 01 exception.symbol: random+0x20749f exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2127007 exception.address: 0x26749f registers.esp: 8519200 registers.edi: 134889 registers.eax: 1447909480 registers.ebp: 3990859796 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 2497561 registers.ecx: 10	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 56 e9 02 01 00 00 81 eb b6 ea f6 1b 52 ba c1 exception.symbol: random+0x20ac3d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2141245 exception.address: 0x26ac3d registers.esp: 8519204 registers.edi: 134889 registers.eax: 31642 registers.ebp: 3990859796 registers.edx: 2130566132 registers.ebx: 55315015 registers.esi: 10 registers.ecx: 2532836	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 52 89 e2 51 52 ba 23 00 17 6e 89 d1 e9 0d 00 exception.symbol: random+0x20af6c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2142060 exception.address: 0x26af6c registers.esp: 8519208 registers.edi: 134889 registers.eax: 31642 registers.ebp: 3990859796 registers.edx: 2130566132 registers.ebx: 55315015 registers.esi: 10 registers.ecx: 2564478	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 e8 fd ff ff 5d 35 86 d7 f5 7b 35 96 b8 0f exception.symbol: random+0x20ae7c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2141820 exception.address: 0x26ae7c registers.esp: 8519208 registers.edi: 134889 registers.eax: 31642 registers.ebp: 3990859796 registers.edx: 0 registers.ebx: 1656848480 registers.esi: 10 registers.ecx: 2535626	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 53 e8 03 00 00 00 20 5b c3 5b exception.symbol: random+0x20b2b1 exception.instruction: int 1 exception.module: random.exe exception.exception_code: 0xc0000005 exception.offset: 2142897 exception.address: 0x26b2b1 registers.esp: 8519168 registers.edi: 0 registers.eax: 8519168 registers.ebp: 3990859796 registers.edx: 2536022 registers.ebx: 2536434 registers.esi: 16760 registers.ecx: 2536434	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 50 57 52 ba e1 d9 fd 7f e9 b2 04 00 00 81 f2 exception.symbol: random+0x219ee3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2203363 exception.address: 0x279ee3 registers.esp: 8519204 registers.edi: 2596439 registers.eax: 25606 registers.ebp: 3990859796 registers.edx: 6 registers.ebx: 55315237 registers.esi: 1971262480 registers.ecx: 0	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 53 52 e9 0e 00 00 00 8b 34 24 e9 b7 00 00 00 exception.symbol: random+0x21a7b3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2205619 exception.address: 0x27a7b3 registers.esp: 8519208 registers.edi: 2599253 registers.eax: 25606 registers.ebp: 3990859796 registers.edx: 0 registers.ebx: 607422802 registers.esi: 1971262480 registers.ecx: 0	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 9d 08 00 00 03 14 24 81 ea 40 3e ff 5b e9 exception.symbol: random+0x21ac70 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2206832 exception.address: 0x27ac70 registers.esp: 8519204 registers.edi: 2599253 registers.eax: 30358 registers.ebp: 3990859796 registers.edx: 2599784 registers.ebx: 607422802 registers.esi: 1971262480 registers.ecx: 0	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 65 f4 77 7d e9 38 01 00 00 89 04 exception.symbol: random+0x21af5e exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2207582 exception.address: 0x27af5e registers.esp: 8519208 registers.edi: 2599253 registers.eax: 30358 registers.ebp: 3990859796 registers.edx: 2630142 registers.ebx: 607422802 registers.esi: 1971262480 registers.ecx: 0	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 75 ae 16 18 89 04 24 57 bf 7a cf exception.symbol: random+0x21abfc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2206716 exception.address: 0x27abfc registers.esp: 8519208 registers.edi: 2599253 registers.eax: 30358 registers.ebp: 3990859796 registers.edx: 2602794 registers.ebx: 0 registers.esi: 262633 registers.ecx: 0	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 11 00 00 00 ba a7 cd e7 7e bf 7c d4 85 b1 exception.symbol: random+0x22077d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2230141 exception.address: 0x28077d registers.esp: 8519196 registers.edi: 2599253 registers.eax: 28844 registers.ebp: 3990859796 registers.edx: 1939626016 registers.ebx: 417502937 registers.esi: 2622646 registers.ecx: 1939626016	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 50 53 68 e4 2e 8c 73 89 2c 24 bd 80 ab db 7f exception.symbol: random+0x220b63 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2231139 exception.address: 0x280b63 registers.esp: 8519200 registers.edi: 2599253 registers.eax: 0 registers.ebp: 3990859796 registers.edx: 1939626016 registers.ebx: 1179202795 registers.esi: 2625970 registers.ecx: 1939626016	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 c1 32 7f 51 89 3c 24 e9 0f 00 00 00 5a 83 exception.symbol: random+0x2265cb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2254283 exception.address: 0x2865cb registers.esp: 8519200 registers.edi: 2599253 registers.eax: 30172 registers.ebp: 3990859796 registers.edx: 2674874 registers.ebx: 940388154 registers.esi: 2625970 registers.ecx: 788463616	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 57 89 04 24 c7 04 24 b1 79 39 7d e9 f0 03 00 exception.symbol: random+0x225efc exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2252540 exception.address: 0x285efc registers.esp: 8519200 registers.edi: 30185 registers.eax: 30172 registers.ebp: 3990859796 registers.edx: 2674874 registers.ebx: 940388154 registers.esi: 2625970 registers.ecx: 4294940080	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 36 00 00 00 bd ae 4e 7f 76 01 e8 5d 5f e9 exception.symbol: random+0x22f7c7 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2291655 exception.address: 0x28f7c7 registers.esp: 8519200 registers.edi: 2674489 registers.eax: 2712391 registers.ebp: 3990859796 registers.edx: 856144079 registers.ebx: 2674534 registers.esi: 570734268 registers.ecx: 788463616	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 20 04 00 00 55 68 f7 b4 55 40 89 24 24 e9 exception.symbol: random+0x22f9a0 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2292128 exception.address: 0x28f9a0 registers.esp: 8519200 registers.edi: 1426090592 registers.eax: 2712391 registers.ebp: 3990859796 registers.edx: 4294942140 registers.ebx: 2674534 registers.esi: 570734268 registers.ecx: 788463616	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 51 b9 69 c2 df 77 41 81 f1 a0 ef bf 7f e9 5b exception.symbol: random+0x241e29 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2367017 exception.address: 0x2a1e29 registers.esp: 8519164 registers.edi: 2751994 registers.eax: 29138 registers.ebp: 3990859796 registers.edx: 2130566132 registers.ebx: 2752007 registers.esi: 2757590 registers.ecx: 788463616	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 82 fd ff ff 83 c4 04 e9 aa fc ff ff 68 b0 exception.symbol: random+0x24198d exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2365837 exception.address: 0x2a198d registers.esp: 8519168 registers.edi: 2751994 registers.eax: 29138 registers.ebp: 3990859796 registers.edx: 2130566132 registers.ebx: 2752007 registers.esi: 2786728 registers.ecx: 788463616	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 99 c8 2e 79 e9 d5 01 00 00 50 b8 00 59 e9 exception.symbol: random+0x241598 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2364824 exception.address: 0x2a1598 registers.esp: 8519168 registers.edi: 604292950 registers.eax: 0 registers.ebp: 3990859796 registers.edx: 2130566132 registers.ebx: 2752007 registers.esi: 2760544 registers.ecx: 788463616	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 3b 00 00 00 81 cd fa 86 d7 6b 81 f5 10 83 exception.symbol: random+0x2427d3 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2369491 exception.address: 0x2a27d3 registers.esp: 8519168 registers.edi: 4294939404 registers.eax: 2791567 registers.ebp: 3990859796 registers.edx: 1237932817 registers.ebx: 1375758944 registers.esi: 2760544 registers.ecx: 2033109145	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 51 89 34 24 e9 00 00 00 00 89 exception.symbol: random+0x243da8 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2375080 exception.address: 0x2a3da8 registers.esp: 8519164 registers.edi: 4294939404 registers.eax: 2765665 registers.ebp: 3990859796 registers.edx: 1948915084 registers.ebx: 1375758944 registers.esi: 2760544 registers.ecx: 1866678959	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 55 54 5d 81 c5 04 00 00 00 81 ed 04 00 00 00 exception.symbol: random+0x2438aa exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2373802 exception.address: 0x2a38aa registers.esp: 8519168 registers.edi: 4294939404 registers.eax: 2795089 registers.ebp: 3990859796 registers.edx: 1948915084 registers.ebx: 1375758944 registers.esi: 2760544 registers.ecx: 1866678959	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 51 c7 04 24 ba 0f 3d 59 e9 45 00 00 00 57 50 exception.symbol: random+0x243768 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2373480 exception.address: 0x2a3768 registers.esp: 8519168 registers.edi: 4294939404 registers.eax: 2768365 registers.ebp: 3990859796 registers.edx: 1948915084 registers.ebx: 0 registers.esi: 109842272 registers.ecx: 1866678959	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 00 a8 5a 59 89 2c 24 bd 8b e6 f7 39 68 80 exception.symbol: random+0x2446bb exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2377403 exception.address: 0x2a46bb registers.esp: 8519168 registers.edi: 0 registers.eax: 29832 registers.ebp: 3990859796 registers.edx: 0 registers.ebx: 2772610 registers.esi: 0 registers.ecx: 834182541	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 c7 2a ec f7 7e 57 89 04 24 89 1c 24 55 e9 exception.symbol: random+0x24957a exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2397562 exception.address: 0x2a957a registers.esp: 8519164 registers.edi: 2787860 registers.eax: 28535 registers.ebp: 3990859796 registers.edx: 0 registers.ebx: 65804 registers.esi: 0 registers.ecx: 1969225870	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 93 fc ff ff 81 f8 84 9c ff ff 0f 85 29 03 exception.symbol: random+0x249072 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2396274 exception.address: 0x2a9072 registers.esp: 8519168 registers.edi: 2816395 registers.eax: 28535 registers.ebp: 3990859796 registers.edx: 0 registers.ebx: 65804 registers.esi: 0 registers.ecx: 1969225870	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 51 e9 f5 00 00 00 81 ed ae 94 7a 9d 31 e9 5d exception.symbol: random+0x249084 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2396292 exception.address: 0x2a9084 registers.esp: 8519168 registers.edi: 2816395 registers.eax: 4294941828 registers.ebp: 3990859796 registers.edx: 0 registers.ebx: 24811 registers.esi: 0 registers.ecx: 1969225870	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 53 bb 40 05 a7 5f 01 de e9 21 00 00 00 52 ba exception.symbol: random+0x24c535 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2409781 exception.address: 0x2ac535 registers.esp: 8519164 registers.edi: 2798266 registers.eax: 28559 registers.ebp: 3990859796 registers.edx: 481735354 registers.ebx: 1312529944 registers.esi: 2801154 registers.ecx: 0	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 53 e9 ed fe ff ff 68 c0 cf f7 3f 5e 81 f6 e2 exception.symbol: random+0x24c888 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2410632 exception.address: 0x2ac888 registers.esp: 8519168 registers.edi: 2798266 registers.eax: 28559 registers.ebp: 3990859796 registers.edx: 481735354 registers.ebx: 4294941616 registers.esi: 2829713 registers.ecx: 157417	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 2d 56 81 7b 7e 68 d9 ef ae 32 e9 67 fd ff ff exception.symbol: random+0x24d488 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2413704 exception.address: 0x2ad488 registers.esp: 8519164 registers.edi: 2798266 registers.eax: 2805044 registers.ebp: 3990859796 registers.edx: 524582407 registers.ebx: 4294941616 registers.esi: 2829713 registers.ecx: 517475747	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 53 89 0c 24 68 6b 7c e3 7d e9 00 00 00 00 59 exception.symbol: random+0x24d4c2 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2413762 exception.address: 0x2ad4c2 registers.esp: 8519168 registers.edi: 607422807 registers.eax: 2833131 registers.ebp: 3990859796 registers.edx: 524582407 registers.ebx: 4294941616 registers.esi: 2829713 registers.ecx: 4294942176	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 2d 67 dc 57 7f e9 96 00 00 00 89 c1 58 81 ea exception.symbol: random+0x26a8c9 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2533577 exception.address: 0x2ca8c9 registers.esp: 8519164 registers.edi: 2902430 registers.eax: 2924071 registers.ebp: 3990859796 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 9879532 registers.ecx: 0	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 29 f6 e9 20 ff ff ff 83 c4 04 50 b8 ff ff ff exception.symbol: random+0x26a00c exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2531340 exception.address: 0x2ca00c registers.esp: 8519168 registers.edi: 2902430 registers.eax: 2954758 registers.ebp: 3990859796 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 9879532 registers.ecx: 0	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb e9 10 fd ff ff 53 c7 04 24 41 1b 7f 7d 8b 2c exception.symbol: random+0x26a625 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2532901 exception.address: 0x2ca625 registers.esp: 8519168 registers.edi: 2902430 registers.eax: 2954758 registers.ebp: 3990859796 registers.edx: 436827832 registers.ebx: 1969225702 registers.esi: 4294939520 registers.ecx: 0	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 ee 02 00 00 c1 e0 03 e9 exception.symbol: random+0x26acee exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2534638 exception.address: 0x2cacee registers.esp: 8519168 registers.edi: 2902430 registers.eax: 2956579 registers.ebp: 3990859796 registers.edx: 1396530597 registers.ebx: 823988410 registers.esi: 4294939520 registers.ecx: 0	1	0	0
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: fb 68 c2 56 b0 40 89 04 24 b8 e4 9b f7 7e 53 e9 exception.symbol: random+0x26ad55 exception.instruction: sti exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2534741 exception.address: 0x2cad55 registers.esp: 8519168 registers.edi: 2902430 registers.eax: 2930367 registers.ebp: 3990859796 registers.edx: 0 registers.ebx: 823988410 registers.esi: 9451 registers.ecx: 0	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 events)

Time & API	Arguments	Status	Return	Repeated
bind Sept. 2, 2024, 10:52 a.m.	ip_address: 127.0.0.1 socket: 244 port: 0	1	0	0
listen Sept. 2, 2024, 10:52 a.m.	socket: 244 backlog: 1	1	0	0
accept Sept. 2, 2024, 10:52 a.m.	ip_address: socket: 244 port: 0	1	252	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (26 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://185.215.113.16/Jo89Ku7d/index.php
suspicious_features	GET method with no useragent header				suspicious_request	GET http://ddl.safone.dev/3823166/crypted.exe?hash=AgADZl
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.16/inc/crypteda.exe
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.26/Nework.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://185.215.113.26/Dem7kTu/index.php
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.16/inc/stealc_default2.exe
suspicious_features	GET method with no useragent header				suspicious_request	GET http://stagingbyvdveen.com/get/setup2.exe
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.17/
suspicious_features	GET method with no useragent header				suspicious_request	GET http://ddl.safone.dev/3846636/Set-up.exe?hash=AgADDB
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address				suspicious_request	POST http://185.215.113.17/2fb6c2cc8dce150a.php
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://154.216.17.170/joffer2.exe
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
suspicious_features	GET method with no useragent header				suspicious_request	GET http://ddl.safone.dev/3846244/1.exe?hash=AgADek
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.17/f1ddeb6592c03206/nss3.dll
suspicious_features	GET method with no useragent header				suspicious_request	GET http://ddl.safone.dev/3846638/GetSys.exe?hash=AgADAh
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll
suspicious_features	POST method with no referer header				suspicious_request	POST http://sevxv17pt.top/v1/upload.php
suspicious_features	POST method with no referer header				suspicious_request	POST http://fivexv5vs.top/v1/upload.php
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.16/inc/Amadeus.exe
suspicious_features	GET method with no useragent header				suspicious_request	GET http://ddl.safone.dev/3840509/build.exe?hash=AgADNB
suspicious_features	GET method with no useragent header				suspicious_request	GET http://ddl.safone.dev/3850492/seidr_build.exe?hash=AgADjB
suspicious_features	GET method with no useragent header, Connection to IP address				suspicious_request	GET http://185.215.113.19/ProlongedPortable.dll

Performs some HTTP requests (27 events)

request	POST http://185.215.113.16/Jo89Ku7d/index.php
request	GET http://ddl.safone.dev/3823166/crypted.exe?hash=AgADZl
request	GET http://185.215.113.16/inc/crypteda.exe
request	GET http://185.215.113.26/Nework.exe
request	POST http://185.215.113.26/Dem7kTu/index.php
request	GET http://185.215.113.16/inc/stealc_default2.exe
request	GET http://stagingbyvdveen.com/get/setup2.exe
request	GET http://185.215.113.17/
request	GET http://ddl.safone.dev/3846636/Set-up.exe?hash=AgADDB
request	POST http://185.215.113.17/2fb6c2cc8dce150a.php
request	GET http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
request	GET http://154.216.17.170/joffer2.exe
request	GET http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
request	GET http://ddl.safone.dev/3846244/1.exe?hash=AgADek
request	GET http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
request	GET http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
request	GET http://185.215.113.17/f1ddeb6592c03206/nss3.dll
request	GET http://ddl.safone.dev/3846638/GetSys.exe?hash=AgADAh
request	GET http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
request	GET http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll
request	POST http://sevxv17pt.top/v1/upload.php
request	POST http://fivexv5vs.top/v1/upload.php
request	GET http://185.215.113.16/inc/Amadeus.exe
request	GET http://ddl.safone.dev/3840509/build.exe?hash=AgADNB
request	GET http://ddl.safone.dev/3850492/seidr_build.exe?hash=AgADjB
request	GET http://x1.i.lencr.org/
request	GET http://185.215.113.19/ProlongedPortable.dll

Sends data using the HTTP POST Method (5 events)

request	POST http://185.215.113.16/Jo89Ku7d/index.php
request	POST http://185.215.113.26/Dem7kTu/index.php
request	POST http://185.215.113.17/2fb6c2cc8dce150a.php
request	POST http://sevxv17pt.top/v1/upload.php
request	POST http://fivexv5vs.top/v1/upload.php

Resolves a suspicious Top Level Domain (TLD) (1 event)

domain

fivexv5vs.top

description

Generic top level domain TLD

Allocates read-write-execute memory (usually to unpack itself) (50 out of 218 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00061000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ac0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 724 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03090000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:51 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1	0	0
NtProtectVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c21000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00830000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ba0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Steals private information from local Internet browsers (50 out of 5881 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Looks up the external IP address (1 event)

domain

ipinfo.io

Creates executable files on the filesystem (19 events)

file	C:\Users\test22\1000238002\Amadeus.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe
file	C:\Users\test22\AppData\Local\Temp\1000005001\Nework.exe
file	C:\Users\test22\AppData\Local\Temp\1000228001\GetSys.exe
file	C:\ProgramData\freebl3.dll
file	C:\Users\test22\AppData\Local\Temp\1000248001\seidr_build.exe
file	C:\ProgramData\msvcp140.dll
file	C:\Users\test22\AppData\Local\Temp\1000011001\joffer2.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\1000066001\stealc_default2.exe
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\1000009001\setup2.exe
file	C:\Users\test22\AppData\Local\Temp\1000129001\Set-up.exe
file	C:\Users\test22\AppData\Local\Temp\1000191001\1.exe
file	C:\Users\test22\AppData\Local\Temp\1000243001\runtime.exe
file	C:\Users\test22\AppData\Local\Temp\1000241001\build.exe
file	C:\ProgramData\vcruntime140.dll
file	C:\ProgramData\mozglue.dll
file	C:\ProgramData\softokn3.dll

Creates hidden or system file (4 events)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile Sept. 2, 2024, 10:58 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		3221225525	0
NtCreateFile Sept. 2, 2024, 10:58 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		3221225525	0
NtCreateFile Sept. 2, 2024, 10:58 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		3221225525	0
NtCreateFile Sept. 2, 2024, 10:58 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA|FILE_LIST_DIRECTORY|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)		3221225525	0

Drops a binary and executes it (12 events)

file	C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe
file	C:\Users\test22\AppData\Local\Temp\1000129001\Set-up.exe
file	C:\Users\test22\AppData\Local\Temp\1000228001\GetSys.exe
file	C:\Users\test22\1000238002\Amadeus.exe
file	C:\Users\test22\AppData\Local\Temp\1000241001\build.exe
file	C:\Users\test22\AppData\Local\Temp\1000243001\runtime.exe
file	C:\Users\test22\AppData\Local\Temp\1000248001\seidr_build.exe
file	C:\Users\test22\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
file	C:\Users\test22\AppData\Local\Temp\1000009001\setup2.exe
file	C:\Users\test22\AppData\Local\Temp\1000011001\joffer2.exe

Drops an executable to the user AppData folder (13 events)

file	C:\Users\test22\AppData\Local\Temp\JhCTEUiuPFSAmdKyCcGU.dll
file	C:\Users\test22\AppData\Local\Temp\1000009001\setup2.exe
file	C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe
file	C:\Users\test22\AppData\Local\Temp\BawuYOCdGNZiqevXAMeS.dll
file	C:\Users\test22\AppData\Local\Temp\service123.exe
file	C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe
file	C:\Users\test22\AppData\Local\Temp\1000129001\Set-up.exe
file	C:\Users\test22\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
file	C:\Users\test22\AppData\Local\Temp\1000228001\GetSys.exe
file	C:\Users\test22\AppData\Local\Temp\1000241001\build.exe
file	C:\Users\test22\AppData\Local\Temp\1000243001\runtime.exe
file	C:\Users\test22\AppData\Local\Temp\1000011001\joffer2.exe

A process created a hidden window (15 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Sept. 2, 2024, 10:58 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:58 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:58 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:58 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000005001\Nework.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000005001\Nework.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:58 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000066001\stealc_default2.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000066001\stealc_default2.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000129001\Set-up.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000129001\Set-up.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000191001\1.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000191001\1.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000228001\GetSys.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000228001\GetSys.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\1000238002\Amadeus.exe parameters: filepath: C:\Users\test22\1000238002\Amadeus.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000241001\build.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000241001\build.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000243001\runtime.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000243001\runtime.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000248001\seidr_build.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000248001\seidr_build.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:58 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\054fdc5f70\Hkbsse.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\setup2.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000009001\setup2.exe	1	1	0
ShellExecuteExW Sept. 2, 2024, 10:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\1000011001\joffer2.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\1000011001\joffer2.exe	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (24 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x00000294 process_name: pw.exe process_identifier: 1944	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x00000294 process_name: taskhost.exe process_identifier: 1884	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x00000294 process_name: SearchProtocolHost.exe process_identifier: 1608	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x00000294 process_name: axplong.exe process_identifier: 2260	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x00000294 process_name: svchost.exe process_identifier: 2816	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x00000294 process_name: mscorsvw.exe process_identifier: 2948	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x00000294 process_name: sppsvc.exe process_identifier: 2996	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x00000294 process_name: Hkbsse.exe process_identifier: 2236	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x00000294 process_name: stealc_default2.exe process_identifier: 2128	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x0000043c process_name: joffer2.exe process_identifier: 2600	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x0000043c process_name: Set-up.exe process_identifier: 2572	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x0000043c process_name: cmd.exe process_identifier: 2728	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x0000043c process_name: conhost.exe process_identifier: 2732	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x0000043c process_name: pw.exe process_identifier: 2792	1	1	0
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x0000043c process_name: 1.exe process_identifier: 2928	1	1	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: WmiPrvSE.exe process_identifier: 2288	1	1	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: cmd.exe process_identifier: 1156	1	1	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2452	1	1	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: pw.exe process_identifier: 1968	1	1	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: build.exe process_identifier: 2072	1	1	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2248	1	1	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: runtime.exe process_identifier: 2228	1	1	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: seidr_build.exe process_identifier: 1012	1	1	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 2, 2024, 10:52 a.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the processes axplong.exe, hkbsse.exe, stealc_default2.exe, runtime.exe (21 events)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Sept. 2, 2024, 10:58 a.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL `˜Ðfà  Þ ®ý @ @Õ_` XýS.  ü  H.text´Ý Þ `.rsrc.à@@.reloc è@BýHx먒”B©(¹ü|=C5Hš²ô£ýí“ÉÊ<6‚í2†Ç‚’«ù& ’¡+3“ê*½åg^ˆcÜÅF1‹u×£À€¿p.(Cëã:‡(åS+Ìþ?®EVÚÔè\ÊK©µßý ¾Ù úë xá¹Mrï×=62`è~B5=û‚‚–rQâ‹ø-]@m±1wL6RHŠ‰˜­ÔTZ›+üõÊ|Ö ¾6Ãø–iP"Íg×ý,ñd×l¡–çÚb¤Ãî×$?=s“jLÄãÇlŒNA¥BÙÁ ø<<¤YÁ5åȧ ñºšãÛsT Û<š]ïÝ M&R|ðáݦçùP§E:j¤­ þQN9r"í,«’†üNÈuTÍY§rŠY¦×ŠŒ´™®ˆüM9‹ýI®`5ëýځî¢HØï†.ûóû♸eëòc”:[´d2{ç§Â{n9ÿ9u¾ ñ¡œË²)bÝSà¯ÌŸ•ž™žÇŠ²bÃ1Ä9¥Vv“©óaiĝªáŽ8b•U4sî—K(x4|s+û-cSΗ' ]֑*mU `ÿ´P˜Ü Ø?ý¼RÔ i0)&\®<y3ÜkËC3(°iòö½”uEì%¿†‡»\h-’ªh¯]I-ÇÉÀ¸3^s ÿ®–0ò["–½&‹Í€^µÜõ9æç܎1ÿyºú?ƌÔÅÛb -mì¹+ßä]ôï\¦Gڂ‡ ,‚0;N&ÞLªE‘a!—ˆOä.jÍõ1Zó´[]¤ÐI‰¢¾âÖ*‚h¶]N¢™ž "؀0ÂxkÖ_9¾›#RèßPzÍàGÈåúe¿¦yÙJM½~¥˜ÃÃGŽ4»*!=“ ‰a䪊j#gTá­\Ž´«=‹ÂƒËrTÄÔ)]¥¯ýŸ×þ‰òÎÍqðjü˜ëjÔ¯'ǗÀ$r~S·œÅ‡Ÿaó*®_¡•Äê°@çI/ṌèG}âÆ"¡—NñuK„› ÈÇdTÈa(å –§&%:Õ yh#ü,ú¶pV¹-üǍBšk:=›ÖË;Éý‡†rG¼£²k:Ÿ'Xrï¼%4Vi3ý¶&Øì}UلfȾ` ˜âJ'rgíhpm°ï–y’:‡ZqIt ¹ H©/Aѐ C˜4 ‹WVâYá?Ôñþüeí i>z+qqƒˆÿ§¦Ñz•WÚ5ØVpÞ3má‹H’n‚´P®þïåæeP.¸4pÍoYÆÑ_.¹Óɶ‰ÎÿªƒÚToŸ–ô@ðåçÍJËüø€<zcwIoš]KiÏÔ!–I5äXM²És¨&=DA9÷‹®¢ÀÇGî–Í6èNõ EãžÏŠëÍPjg%åZËÇcµ¤» ïìS\©Þ˜§¯ü.eì2š¹€UAÚ6¾û¢¦kîx,ö1\qóðñ7‡Ë†kýcÈr¿A@Ó"Y—ñï/ËÕY6û§þdËÛfF0Z" ÑìâQ’WÔ‡@ÁÏdšˆ¥“óÔ·©(0æõàä升Û©’€–ÆÄÍÖ±-¦[)ñÊá3˜ n¯ë`yåº<RpeKÄ×Xw7&' TíÙ4±ó•õt»ü²(3›Zßâõ{T![‘|QHYiª·ñ[Ïô0‹Û Šl+ûü;# üÕÞù iPöðNÈP‘[Ù Wž™f^#€Ãg7Ö±É(ÝUՉcú¡Çíj7³$ƒzçßç­8}6íZ@N]CÇát:®œ'+Q q÷Ëç0¦ÃdìœãûuFWLŸà“ÇÙëv*#gì†?¼+î ªni­‡j•ríµËev3ë®Q©Ï½/ m3Áœî[ž¥¸‘©õ[ü´¿tQ$J¢¥M?/œib&ȼ1½¡ìŠ6º¿úwõ,˛”|9Ùëwe†}Qª+nŽûCu_rÞ]AK\Z³R(ÁÏWò{ªv\T$”æÏ#<Ný´’à@dn†X žÄD©òÓsaŒºüÇ¡¿ðÔµG®-, À'1Å$‡sZ}@yõ¡Öôÿ•±;›_º½x}åÚ^]×ùti€Txà_E&§Q\N-Â¥aüÎW„ÁƒÛ£Êp+¦äç]~"š®¿''ó{B¾ÀKæŽLØâ ßMÔ]@¯Ž¶ÑÂ4ª‰5€•[žã¾öû[„VJÓWÁâiÈÀQCôã:HQ³UëÁé³4nãf­»†cµXÂW ï‡ÒKA/µSôkNL5ÊJ7—@†w9µ€Í­žÞ¥Õ¶¹Ö¼pƒÿ|­k0¹Áƚh'Aæù–sþ8Xu’®E „õÏQyž*{ÿ>çô&¹F„§#&Õ}Ÿ‘‰”à.²ŒË¿åÝ8dHsJœ¶ët é¾ZÊVpÖU6l¡‡Fs Ä]z·U ¶‡¥a„|k¾ ¥Óc\æ¹P çY=’vNr0ÄovÕ‹Ab;¼•êø>[Y±)’õ0d•[ÞUY`>õÚwÇm¾­+ ¸ý.ì9YqAdºb JE©/€È ­Ž1"V‰öñòcc“¼Jæ‹a> ú¬”öÒï*Ӏë‡Ñh\aN¸‚»ÝpÞéÕ]‹œ¬R Þh;.güYèßn lW±FÀ +‹¬]׃>ÕøPR+]aq͘eñÐã(ˆw¥}²þ™š:Ëؾ^TxRݼÃ5#®zΐ 27gîØÜ* ›iàæ=J|´„6סJ¯QÌ­;Mr%žá-6©2D:K?úS±“ä28™D¸KOOŸ:ž@m[%«I›'^ü b½UÑ]ª-× O½|‰09HȽ>Ø7I,ûì $j”!r¼ý¹Ý¯ZñbhéLáû) ‘°‘ žQ–Ý“ºÿ—Ä‹>!þ´á»År¼Ô;»Ó+7Ü-~[•}DáO Q—>RÏiv{C“ô6˜òS/VÂ3#É>°ù؍dç½S]Á Q> ½2ÜÏ?oEâ® k9ðI—Û|~ùƒž=¬þ½)†›7™RŸ{A¹Øþ 餆üƂÀDåîì >ʨjE°<t˜*‚ːŽ2©\êí 5|‹PHðL¾'TãÞ¬>’iow‘ÂT?äÈ^X¿ž—¬?ŽŽ6k¢kHDð «ÿCþQ®t;žçF$Eô îÄqÇ4ÐÛ.Þô×Ckߺ~Ê\ è+í‡i¡ú}Ï÷ºhÃê¦2ãÏ©ƒn?= NhžíkrmÓ¯ÕÆÒI/^ÇÒh)%¡ãË_=Ðs-ÓáEâUe0\ºfÏHHýv}¯X¥JØ"ódO‹_çgOö$|¾gZylŽ0ù­<WÅ6úwÏF-ËÉmT:ˆµ¥©ò^CÒQ‚Î&æ¥÷ÂqÁ›s'¦JÝ]Ùefüö¢§ Î ”Þ¼»EKÐÚ#ŸÇmú®´i{=F(1#cDUæë„Ô΢gÊÿ””W\Þ±J1=@^ó ïgӄ;Ÿ^7ü×Eò¨öpï!‡¹ê*v‰h*Ñ˜"&y¿·F¨ŽÚÎÃé|e<e½P0 ˜NÜP9,†Cì™ÕÆùAÀŒ!·(¬Ô™ιô¤#M‡•*F:uô¯é ëLΊÙýh³ö´ފ8®þ\˜­×`®ž¡©í™˜ež;W)D¤èñ‚¥å´}6dŒ3 F]È¸¡à§`¬ÙUÁ²| F” ·ã€)jÈ¢ps,M?* w¼pHqÕ¿j1.ìy8ažðŽmÕAèvª^<Ë:§¸7ú<Î;$ëÜÌã¢á·–êt5ÁÅ$õ HÇê£.Ÿ[?i€€#©< p3(7êpK}=ô÷3k‘Ú$%hZÌK}Ò/P‡ÂåÉJEÕZ˜\ºÑ9+ý6Ojy l½3™sot%&†"<ù’½¦ìœßó;‡ÀW úÛ«̎–ÓbKúVíå.ÈÝe W (ò88´ d Ž¬¬|'Yoøöq °Û§ÏR°;î1Hô´ŽidJ>‡%&ŒòRÚ6µ­ZKí⛎õ+Ò ¤@”‹<Üœ`Ý]M÷$ ú ¡g„Õá:ÐØU7º—‰yß@ªó–hHœbE„¶*n»þW“·è¯ºù$ûŠÊÍ6™vBOAþ€ÈbÈ-9li«ET±J€%7ž>ª`‹Ã5q„µtI#} ØoêÔ'Ùo['5¨rs7Ó^p±æŪ”¦È@oNí ôsqŸVð«#Nv|×:âb䃟ô+Ï š†¸¬u{•´]k˜‡¨ãÓ WöíB +_à©ë#³| J Š&ÃÞ+4å¬hë? >}¡}p~, ÙDïN75øa"èäâMŽ¤0%a-ò6CGͤKh)›Õ¡ÀÎX¬®úµbyãJ/<‰7WeñŠÆóuÛ9RÅ zßd¨ü”pÞÃ݂`v°Ðžÿéÿèb request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:58 a.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL \Ãfà  ¬Ê à@  ` ÌÉOà°¶(&”È  H.text$ª ¬ `.rsrc°à®@@.reloc´@BÊH¹ š ¬“LævúlTp#‹E²'&ÈÄ@cCÎØtEÑ«‘ÈÉ% ëƒè„pr*QA¸Uêv6ÕVÆ=Cx–GHòE‹Ï³Þi ‚Ç¡(hhÆqĂBfÀ}ƹ¥gL-S¨1),p˜àªÄ×箶$”8ðij3¹ûà7Ó³ü«!TsŒÉŸßÏìT§[‰Ç Xª°PUE¥cиj ŵsʾ]Eüõ›÷”qûX€wsSÇY»Ž­®g)úÙçóœõ7IªþîOK¯ m(†d(½TÊÞ˳´0`ÀV` ³o»´šÝ¬EGžÊ#I ðq íÂlh9œñ+Õû事š>6Q‹á=ØS Óô³Ãí­Àµ±-‰õÜÿ#ÕÒ] ÈrAËRž‹ ’Îú1?´[ü–}l°ÝÇõjqDŒ$•úœNÂxE1pŽÐóx[h~ÿÿ¾êÅi¾—duÞ!x¨oÃDÏyue¶©åSÌ/z™>|Æ!æ –0è½^÷ʸw¬XÀœ™"ÐøñP9Ï1±‹âË|Ï@lÏîÏø®ÃÓLôC`l>ÜåCUõsH1Uc›Åjv)µX´+nåK6w:  ZUÄa€.Ll?‚èrœXðÏ“]0ƒ83GÇ$)¤ÎõõMsâ@ú' d§AMmÎ8ӚçF–Y²~g}x_B /­ãQŽêåôÀK%b[²øFèq Æôáދ  åãӃŽÊÃHë7>&нø6Q†xZy ”•Nª¶Ú]=W‘–¡êyyÒmß:Aón¢dnèýíñÈÕÒ°R÷s½_5`=6Ü9W¿•îµ=›Š¨àÖÕwšxÅk\L½iÀVA ò×pRóTQ|u9äŽ=0=KIºFo•\n/ûw}UO §ãsœ™Þ|§ûæ†VŠ5T²‘•»T02ó+µ Š­„“^,×vXO‡+„?ŸzÉrœ“¼ƒZ֔͂§I§y;§F‹É÷T—(•ƒŒúh¹`¾[ô4{f\2e)l­qšÖø•!4ç[¥‘Cï*dL4äÓᎀ4Ó¼Ÿo[3¹PԤݙ-¼Zbþq;÷¹ ÅEÄeº'{Ⱥ¹øçð#X†6D£p\ˆá—§nROìSŽ?0}<ê½|¾u‘0œaÂ\¥-n{’Y€¨Z ŒNòqë¸$ðªÝŸö•˜Ä_qžª¿,Nûâ‘ζÓUþ8s/JsÀQa.e–=ïqéÖáFô ¥*½ÛhrÙаæ8½Iòƒõbrêü.I’F†4/6:êNW,ný’¤“g9§‚ÓB5½ÿZ «ÕßmIz–ñù(_º:ö`Bt˜|n°èP$œþøþvj(Wâ<‘DîìYµAÊ¡P Ñ£}ƒ–¶wW¡f<®ªóSÁ¶&ºW[¹,·{îdE.dîÄ3ý Ï+ F¦D’WTÈË$Ôu´[ø„`!AχÕF*¨xçXдÕ1~‚ƒŽí»ì(§’/úb“%³UÞ7$û-ä×¹7Úû$PsãÍÙSC¡øfÇAA6â[:gî®AÀËî;RÈæ\Œ{¯ÑŠÚòŒjʼni—¹U,áJKÿìå|èüøŸ¢Ý‰hËN‡/âƒNg½¨÷]°µf˜È J,~W3 öÁÇáPg×°§²2ªsÝ¡°)'ìƦÍUU+ÐZÉ\9¦Æ£O´®›ÓËNÑjrK|’G­»0 ÓþŒ”“Ð=‘Aó*–yˆ»x؈¨Â†*:Øz%|²äŸëŽMÏ:–ã3Bñø\áûŠ&WøEtÐ:x!ÿê”ù–²_­Ã ª>x ª~5’r­Ü ©Ä9¾Qiù–»Ã®1§Lw¥ðƒx¯ø±ŠcD–WFÉU(ßÁp4´tÁ6> T^*N±¢WÊJ~¹ç@t<1›àÚk2tJ-a{ûº³ í%RÌ82B³5‘ml¿o1.Nu.±T`5McDÚº©Ú½a¿iœd€Êª”ýnO8½)j Éðûû Á)Ïù̖¤¨Ý%¦ߛŠ¾ü®LCOC}"O}`›ADaxkòUÞq€Õ¤%;@ZTÆü¡‰J­núüßYÏ5bbK°­¾õKÆ}Êî~r;a«Q‡I0Úÿ~ïÄÿéÿž˜éIÏpϐüWH#ÁKU1eê›÷;=à‚Eï!u^uÒw"J©jpÚ»ÖF¥«'lFû¥?³­Ê~ÔR“@‡p’à à Z£Åµ˜cà6.Rt °[QúSxýåËöXE°ØŽÏ³žhóÆue±C‚–ÿËßÎ^;î¿ð” ÙJÇ#ËQ˜±[[fƒ3æŸÃmÞÿzîÄå9ðàYë¼¼”Í'@Kÿ‚‹Q¹Ngl©öâ@5ٝ½}|š.Óë” ߈"súáÓö },c¢*E!esÕ_RwJ»7ã¶R£*yêÑàRø¸µ„‹û$]0žù›‹-ò¹ýGK7ÏÈ¿yaށLшșr/÷?«ŽBûg¥×ü_½ÐyIåÇV»ÝjLª’”Æ’ÀëÌBÓ5ŠéUl=@Âé»û‹ÒâÏùYéê-–+€ àAHÆ÷.Ú÷"qýFØ?„¶wQ2›–þWN:*×rEâC¿b÷ҍçÚ±*—œö «­=¢Ûy±ÃŽÝ;Ƭ–ž¼¹{-¬ƒ_XË#⠎¢Pk9oŠ¹ZÕ¥Ò{N¯J¾ùdUõgg«Ä»F¹V¤Z ì„zÒQ¡Ü†Ô¶çÒ5ü_²Žu¢¥ xÅ­2뼘n^âÎ笡4KùŸÎ——ô¯Ô&Ò1z®¥Ø6P嘍ÆÚ “j–*¼w;#v†o%'éΓprp V5ƒqÙ´ ¹»*ÐJCIÖæ£òÈ9“ÕÆrLnKG(öa#aËÓüKû÷øgžù©Í4/÷ò®‹Ëwƒ‡wã=þ›mÒaY"#ÍÕíSN“è4ÁGDúéíQ_~J6û ¼K5Û0¦Û8CñéÿRþ’ñ¹'p/TÒR Ö²A·¿ynLoõgÆj'È²î5º2»Ó|&TÑ«ôÌK:§Ï³³/õb ‘c6]Uº£B€™~Šªêóvª±âÕ^´âQ¶ÂXä°2Ä%IuLÐ ™K}·LKÉ]çÍÜýâ£ÎF‚¢ÏýÃVcì‘$gƒ\s5þ­XVçÈ-¬È ‚Â.SmÚg2íÂäïǃe´FÌON²‚"˜'¾ˆ¹ ¯hÉÛð´~Õ f"KÏåù÷ýÜ#AÇ+#ÞGŒØRÒOð8Iž›¢ÀÁ͵ ¬ïZ÷ùMçÆÇ}ûmìͪثð@ʹv‹S%{™wʼ ½êgQJ ‚R=E9TÀŒ¹_€>[S™EîKÒvsWªóÑIž[¡Å°ºAŠëBC%Eñĸ<¸–ÈöͯøR3]+ìëáª|ŽÐæÒP߬w°älí–y-ßÁ±ìÛHv ùeJž>ähG•û™ðD@EEãú n‹Ø)¡zMq|i¦åÅL& }µ2,ÀM¨õƏ|"–÷“t2崔öÍߌçü%Ìão"Ç ÒØaaîE á`thqKÖB†”6¯ L¤ Aºyå{—ó´ï=iÉX‘æ(÷ÄjŠÎ½LhCNïid6iÍÌ|¡ŽYºOž5ß+#\r[aû6AYPåµm_Ny‘˜¼"Ý¿R‡*«„ÌSÊ=[W²5—"] l=o)]},XÒQ±¤-+f+Ëtšáû¾%Éï ŽdIÈ´‘Z±Õȵ?¥Z.€ÒZÉ%)¼ŽïÊf@ VÔ]‹‹j^†¸—-³‰ÀŽ;Qa,ÌZLqü¢²ÞÀ¬‚î Pu̾}þ-F›(°shAèÑ$aYñ M‘ÏOñW@Žƒõ$ðÊîÒm¦GRüyzÇ8ÔΞ®áÛ°\¸cëi‘ÌÍ}¬xé‘ÃØkøuµ]·N^m`M:Pv‚:%y&¹ÛzUcúBO¶†Ԅ€'ÜÏñ“Ð_¡ŸßÜ£5ŠDæÀMXíÒç·Mé©SªãšçϞ‡ikU#¾F3D8ÄM<@¤Ñ x†çB Èô°k؊åPš½:3¢?Þ̊¬/OÎÆ~³&ÛÕp/w‘Öã´É¨ô¾–kÓã½û7³[”Ò.% m~€Ë'ê² "ãÀ Ù:ø›Eæ=ù›=nxÆo½ÍR¸TEÆ©86­§‚îB)ôÀJ¨>'±Þ¼ÎÜ ³­b’úbòˆ¢Lõk»$&!͙‚©ðÌQÙE§ôbsxö»:kpÐ.!§œPՀ»Á|I)KTûX¼3/×ɹJ èÓNhZ=.B‚LîäVÀÈà%¥=K'¿Á>/w*:ÞHâb“ä»ÐÒZ\™å§;I¡€óÖÔN‹PeÿùžfG¥JžHqàŸªnÉ̀‘œT¶Š©J˜˜s3Ï<µï{oÌ\«£˜{ ]žÈDq5?5vúl‹HÂҒ~¦º˜Ùæï request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:58 a.m.	buffer: MZÿÿ¸@ º´ Í!¸ LÍ!This program cannot be run in DOS mode. $ÌPJˆr>ˆr>ˆr>Ó=†r>Ó;(r>]:šr>]=žr>];ýr>Ó:œr>Ó?›r>ˆr?^r>7‰r>Á‰r><‰r>Richˆr>PEL  Êfà  æÊ E× @ð@DŒà  <Là8¼‘‘@È.text åæ `.rdata8  ê@@.data|f 4ü@À.rsrcà 0@@.reloc<L N2@Bh`ÀDè¥Ä YÃÌÌÌÌhÀDè•Ä YÃÌÌÌÌj h`‚E¹<,Fèïn hÀÀDètÄ YÃÌÌÌj h„‚E¹$2FèÏn h ÁDèTÄ YÃÌÌÌjh¨‚E¹Ì2Fè¯n h€ÁDè4Ä YÃÌÌÌj h°‚E¹\-Fèn hàÁDèÄ YÃÌÌÌjhԂE¹Ü1Fèon h@ÂDèôà YÃÌÌÌjhì‚E¹d+FèOn h ÂDèÔà YÃÌÌÌjhkE¹œ2Fè/n hÃDè´Ã YÃÌÌÌjhkE¹ü2Fèn h`ÃDè”à YÃÌÌÌjhkE¹t-Fèïm hÀÃDètà YÃÌÌÌjhkE¹ì*FèÏm h ÄDèTà YÃÌÌÌjhƒE¹ô+Fè¯m h€ÄDè4à YÃÌÌÌjhƒE¹˜5Fèm hàÄDèà YÃÌÌÌjh ƒE¹l2Fèom h@ÅDèô YÃÌÌÌjh,ƒE¹D*FèOm h ÅDèÔ YÃÌÌÌjh8ƒE¹2Fè/m hÆDè´Â YÃÌÌÌjhLƒE¹.Fèm h`ÆDè” YÃÌÌÌjDh`ƒE¹85Fèïl hÀÆDèt YÃÌÌÌj\h¨ƒE¹ü,FèÏl h ÇDèT YÃÌÌÌjh„E¹.Fè¯l h€ÇDè4 YÃÌÌÌjh„E¹ä)Fèl hàÇDè YÃÌÌÌjh „E¹,0Fèol h@ÈDèôÁ YÃÌÌÌj<h<„E¹´)FèOl h ÈDèÔÁ YÃÌÌÌjh|„E¹œ)Fè/l hÉDè´Á YÃÌÌÌjhŒ„E¹à5Fèl h`ÉDè”Á YÃÌÌÌjXh „E¹ô.Fèïk hÀÉDètÁ YÃÌÌÌjhü„E¹ø5FèÏk h ÊDèTÁ YÃÌÌÌjh E¹¤3Fè¯k h€ÊDè4Á YÃÌÌÌjh E¹ 5Fèk hàÊDèÁ YÃÌÌÌjh, E¹¼*Fèok h@ËDèôÀ YÃÌÌÌjh4 E¹ü/FèOk h ËDèÔÀ YÃÌÌÌjh< E¹Ô0Fè/k hÌDè´À YÃÌÌÌjhD E¹d1Fèk h`ÌDè”À YÃÌÌÌjhL E¹*Fèïj hÀÌDètÀ YÃÌÌÌjhT E¹,3FèÏj h ÍDèTÀ YÃÌÌÌjh\ E¹$/Fè¯j h€ÍDè4À YÃÌÌÌjhd E¹Œ0Fèj hàÍDèÀ YÃÌÌÌjhl E¹´/Fèoj h@ÎDèô¿ YÃÌÌÌjht E¹ð4FèOj h ÎDèÔ¿ YÃÌÌÌjh| E¹41Fè/j hÏDè´¿ YÃÌÌÌjh„ E¹È5Fèj h`ÏD蔿 YÃÌÌÌjhŒ E¹´2Fèïi hÀÏDèt¿ YÃÌÌÌjh” E¹¤*FèÏi h ÐDèT¿ YÃÌÌÌjhœ E¹Ô*Fè¯i h€ÐDè4¿ YÃÌÌÌjh¸ E¹+Fèi hàÐDè¿ YÃÌÌÌjhÈ E¹œ,Fèoi h@ÑDèô¾ YÃÌÌÌjhØ E¹d.FèOi h ÑDèÔ¾ YÃÌÌÌjhà E¹D3Fè/i hÒDè´¾ YÃÌÌÌjhè E¹(6Fèi h`ÒD蔾 YÃÌÌÌjhð E¹44Fèïh hÀÒDèt¾ YÃÌÌÌjhø E¹Ü+FèÏh h ÓDèT¾ YÃÌÌÌjh†E¹X6Fè¯h h€ÓDè4¾ YÃÌÌÌjh†E¹4+Fèh hàÓDè¾ YÃÌÌÌjh$†E¹¬.Fèoh h@ÔDèô½ YÃÌÌÌjh,†E¹Ä+FèOh h ÔDèÔ½ YÃÌÌÌjh4†E¹ä,Fè/h hÕDè´½ YÃÌÌÌjh<†E¹/Fèh h`ÕD蔽 YÃÌÌÌjhD†E¹-Fèïg hÀÕDèt½ YÃÌÌÌjhL†E¹€5FèÏg h ÖDèT½ YÃÌÌÌjhT†E¹„2Fè¯g h€ÖDè4½ YÃÌÌÌjh`†E¹$,Fèg hàÖDè½ YÃÌÌÌjhh†E¹¬1Fèog h@×Dèô¼ YÃÌÌÌjhp†E¹Ä1FèOg h ×DèÔ¼ YÃÌÌÌjh€†E¹”.Fè/g hØDè´¼ YÃÌÌÌjhˆ†E¹\*Fèg h`ØD蔼 YÃÌÌÌjh†E¹L4Fèïf hÀØDèt¼ YÃÌÌÌjh˜†E¹Œ3FèÏf h ÙDèT¼ YÃÌÌÌjh¤†E¹|.Fè¯f h€ÙDè4¼ YÃÌÌÌjh¬†E¹h5Fèf hàÙDè¼ YÃÌÌÌjhÀ†E¹L.Fèof h@ÚDèô» YÃÌÌÌjhԆE¹5FèOf h ÚDèÔ» YÃÌÌÌjhô†E¹¼-Fè/f hÛDè´» YÃÌÌÌjh‡E¹T,Fèf h`ÛD蔻 YÃÌÌÌjh ‡E¹ô1Fèïe hÀÛDèt» YÃÌÌÌjh,‡E¹œ/FèÏe h ÜDèT» YÃÌÌÌjhD‡E¹p6Fè¯e h€ÜDè4» YÃÌÌÌjhP‡E¹|4Fèe hàÜDè» YÃÌÌÌjhh‡E¹,*Fèoe h@ÝDèôº YÃÌÌÌjh|‡E¹D-FèOe h ÝDèÔº YÃÌÌÌjh„‡E¹</Fè/e hÞDè´º YÃÌÌÌjh ‡E¹´,Fèe h`ÞD蔺 YÃÌÌÌjh´‡E¹Ä.Fèïd hÀÞDètº YÃÌÌÌjhÀ‡E¹D0FèÏd h ßDèTº YÃÌÌÌjḣE¹4Fè¯d h€ßDè4º YÃÌÌÌjh؇E¹Ü.Fèd hàßDèº YÃÌÌÌjhì‡E¹P5Fèod h@àDèô¹ YÃÌÌÌjhˆE¹@6FèOd h àDèÔ¹ YÃÌÌÌjhˆE¹ä2Fè/d háDè´¹ YÃÌÌÌj@hˆE¹¤-Fèd h`áD蔹 YÃÌÌÌjhTˆE¹0Fèïc hÀáDèt¹ YÃÌÌÌjLh`ˆE¹l/FèÏc h âDèT¹ YÃÌÌÌj<h°ˆE¹|+Fè¯c h€âDè4¹ YÃÌÌÌjhðˆE¹|1Fèc hàâDè¹ YÃÌÌÌjh‰E¹ä/Fèoc h@ãDèô¸ YÃÌÌÌjh‰E¹T/FèOc h ãDèÔ¸ YÃÌÌÌjh‰E¹”1Fè/c häDè´¸ YÃÌÌÌ request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:58 a.m.	buffer: MZÿÿ¸@躴 Í!¸ LÍ!This program cannot be run in DOS mode. $¢b›åæõ¶æõ¶æõ¶‰u^¶þõ¶‰uk¶ëõ¶‰u_¶Üõ¶ï{v¶åõ¶fzô·äõ¶ï{f¶áõ¶æô¶õ¶‰uZ¶ôõ¶‰uh¶çõ¶Richæõ¶PEL ˜àÈfà  È B"d à @  0$@Ø©<à#€$à ô.textJÆ È  à.rdataîÎà ÐÌ @@.data”+!°œ@À.reloc*Dà#F¨@By¹ApÈAÙÈAU‹ìQ‹E‰Eüƒ}t‹MüÆ ‹UüƒÂ ‰Uü‹Eƒè ‰Eëà‹E‹å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ì‹Eƒè ‰Ex‹MÿU‹MM‰Mëä]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìQSjh0hÀAÈjÿ$Ðb‰EüPƒøt‹Àü ÉÀøXƒ}üt,ŠÀhÀžæ‹EüPèNs SŠÉŠÉü[h€hÀAÈ‹MüQÿdÏb[‹å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìQÇEüjj@h0hÐjÿØÐbPÿœÐb‰Eüƒ}üujÿìÏbèRÿÿÿ‹å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì(EÜPÿtÏb‹Mð‰M؃}ØsjÿìÏb‹å]ÃÌÌÌÌÌÌÌÌU‹ì¡@ÍbPèâa Pè,s ƒÄ Àu!‹ ÎbQè9a Pès ƒÄ ÀujÿìÏb]ÃÌÌU‹ìƒìjjj¡ÐÈbPÿ,Ðb‰Eôj ‹MôQÿÐÏb‰Eø‹UôRjÿpÐb}øš}jÿìÏb‹å]ÃÌÌÌÌÌU‹ìƒìHj@jE¸Pèr ÇE¸@M¸QÿÑbƒø u*jh‹UÄR‹EÀPè“Á jhRPè Á ‰Eø‰UüëÇEøÇEüƒ}üwr }øWsjÿìÏb‹å]ÃÌÌU‹ìƒìÇEøÿh jÿÀÐbPÿXÐb‰EôEüPh j‹MQ‹URÿ¬Ïb ÀuEøP‹MôQjj‹UR‹EüPÿ”Ïb‹MüQÿ(Ðb‹Eô‹å]ÃÌÌÌÌU‹ìì\hèj üÿÿPÿäàAƒÄh<MBhìMBh €è\ÿÿÿƒÄPüÿÿQÿlÐb•üÿÿRÿ€ÏbƒøŽÊ hŒbB üÿÿPÿlÐbhÿ Büÿÿ胍 h´NBàûÿÿQ‹ðÉbR ìûÿÿPüÿÿèΏ ‹ÈèǏ Püÿÿ諎 àûÿÿèŽ ìûÿÿèõ hBøûÿÿè% jÈûÿÿQèr ƒÄP•¼ûÿÿR¡¤ÌbPÔûÿÿQøûÿÿèd ‹Èè͎ PøûÿÿèAŽ ¼ûÿÿ薍 Ôûÿÿ苍 Èûÿÿ耍 j øûÿÿèC P•üÿÿRÿ0Ïb üÿÿPüÿÿQƒì‹Ì•øûÿÿRèæŒ è ƒÄ ÀtM‹ üÿÿP‹üÿÿQƒì‹Ì•üÿÿR軌 ìˆ‹ÌEPèʍ¤ûÿÿQèž7 Ä ¤ûÿÿèíŒ øûÿÿ貏 PÿŒÏbøûÿÿè üÿÿè jj•üÿÿRÿäàAƒÄøûÿÿ覌 üÿÿ蛌 Mè‹å]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìQ‰Mü‹MüƒÁ|ènŒ ‹MüƒÁHècŒ ‹MüƒÁ<èXŒ ‹MüƒÁ0èMŒ ‹Müèå‹å]ÃÌU‹ìQ‰Mü‹EP‹Müè ‹MƒÁ0Q‹MüƒÁ0軋 ‹UƒÂ<R‹MüƒÁ<詋 ‹EƒÀHP‹MüƒÁH藋 ‹Mü‹U‹BT‰AT‹Mü‹U‹BX‰AX‹Mü‹U‹B\‰A\‹Mü‹U‹B`‰A`‹Mü‹U‹Bd‰Ad‹Mü‹U‹Bh‰Ah‹Mü‹U‹Bl‰Al‹Mü‹U‹Bp‰Ap‹Mü‹U‹Bt‰At‹Mü‹U‹Bx‰Ax‹MƒÁ|Q‹MüƒÁ|è ‹ ‹Eü‹å]ÂÌÌÌÌU‹ìQ‰Mü‹MüƒÁ$èN‹ ‹MüƒÁèC‹ ‹MüƒÁè8‹ ‹Müè0‹ ‹å]ÃÌÌÌÌÌÌÌÌÌÌÌÌU‹ìQ‰Mü‹EP‹Mü譊 ‹MƒÁQ‹MüƒÁ蛊 ‹UƒÂR‹MüƒÁ艊 ‹EƒÀ$P‹MüƒÁ$èwŠ ‹Eü‹å]ÂÌÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ììthBMèèê‰ hBMôè݉ ‹E‰ Œüÿÿƒ½Œüÿÿtƒ½Œüÿÿ tWƒ½Œüÿÿ„ŒéÇjhþÿÿQèq ƒÄP•\þÿÿRMèèo‹ PMèèæŠ \þÿÿè;Š hþÿÿè0Š é‚j PþÿÿPèÍp ƒÄPDþÿÿQMèè*‹ PMè衊 Dþÿÿèö‰ Pþÿÿèë‰ ë@j(•8þÿÿRè‹p ƒÄP ,þÿÿPMèèèŠ PMèè_Š ,þÿÿ贉 8þÿÿ詉 ƒ}0„ h”bBüýÿÿQUR þÿÿPhlOBþÿÿQUèR þÿÿPMô艊 ‹Èè‹ ‹Èè{Š ‹Èè‹ PMôèë‰ üýÿÿè@‰ þÿÿè5‰ þÿÿè*‰  þÿÿè‰ 靍M$Q•ÀýÿÿRh¼PB ÌýÿÿPMQ•ØýÿÿRhPB äýÿÿPMèQ•ðýÿÿRMôèù‰ ‹È肊 ‹Èèë‰ ‹ÈètŠ ‹Èè݉ PMôèT‰ Àýÿÿ詈 Ìýÿÿ螈 Øýÿÿ蓈 äýÿÿ興 ðýÿÿè}ˆ   þÿÿPMôè>‹ PÿÑb‰Eäƒ}äÿu5MôèVˆ MèèNˆ MèFˆ Mè>ˆ M$è6ˆ M4è®ûÿÿéhdQBÌþÿÿQÿ˜Ðb ÀthRB•ÌþÿÿRÿ˜Ðb Àué}hB”þÿÿè(‡ ƒ}0„æE$PlýÿÿQhTB•xýÿÿR ÌþÿÿP„ýÿÿQh\SB•ýÿÿREPœýÿÿQh´RB•¨ýÿÿREèP´ýÿÿQ”þÿÿ蠈 ‹Èè)‰ ‹È蒈 ‹Èè‰ ‹Èè‰ ‹Èè ‰ ‹Èèvˆ P”þÿÿèê‡ lýÿÿè?‡ xýÿÿè4‡ „ýÿÿè)‡ ýÿÿè‡ œýÿÿè‡ ¨ýÿÿè‡ ´ýÿÿèý† 馍•ÌþÿÿR 0ýÿÿPhTUB<ýÿÿQUR HýÿÿPh¬TBTýÿÿQUèR `ýÿÿP”þÿÿèч ‹ÈèZˆ ‹ÈèÇ ‹ÈèLˆ ‹ÈèEˆ P”þÿÿè)‡ 0ýÿÿè~† <ýÿÿès† Hýÿÿèh† Týÿÿè]† `ýÿÿèR† ƒì‹Ì•”þÿÿRèá èœl ƒÄ À„«h B€þÿÿèa h¤VB üüÿÿPMQ•ýÿÿRhüUB ýÿÿP‹ ðÉbQ• ýÿÿR€þÿÿ蕇 ‹È莇 ‹Èè÷† ‹È耇 request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL LøÓf2_E&à  #èG„Zäf°H@ °Æ.~f `³Bp³ä  ³,$´¬Hàq³ .text„æGèG`P`.dataHHîG@`À.rdata؞ H H@`@/4¨®ÀH°¤H@0@.bssTâfpL€`À.edataB`³TL@0@.idataä p³ VL@0À.CRT4€³`L@0À.tls³bL@0À.reloc,$ ³&dL@0B/14ÐÁŠZ@B/29ħ àÁ¨ ’Z@B/41XLÃN:\@B/55BãàÃäˆ\@B/67TÐÄl]@0B/80a ðÄ Š]@B/91‹ Ō ”]@B/102ÀÆ _@BÍ´&´&ƒì1Àf=@MZÇ@Gó Ç<Gó Ç8Gó Ç0Gó u‹<@º@PEŠ@t`£pŒ¡LGó ÀtBÇ$èÆ×GèÉ×G‹`Gó‰èÄ×G‹HGó‰è§Gƒ=äˆ tN1ÀƒÄÍ´&Ç$ è„×Gë¼f·Qfú t=fúuŽƒ¹„v ‹‘ø1À Ò•ÀésÿÿÿvÇ$P‡è„G1ÀƒÄͶƒyt†Nÿÿÿ‹‰è1À É•Àé<ÿÿÿ´&t&ƒì,¡4GóÇD$pŒ£pŒ¡,GóÇD$pŒ‰D$ÇD$ pŒÇ$$pŒèöÖGƒÄ,ÃfL$ƒäð1ÀÿqüU‰åWVU¤S‰×Q¹ƒìx‹5LGóó« ö  d¡‹5ró‹x1Ûët&9Ç„Ç$èÿփì‰Øð±=$Gó ÀuÞ¡(Gó1ۃø „ ¡(Gó À„yÇpŒ ¡(Góƒø „ö Û„¡°¬ˆ ÀtÇD$ÇD$Ç$ÿЃìè_GÇ$‡ÿróƒì£dGóÇ$@èÞÛGèiGÇpŒ@èâÕG1ɋ ÀuëM„ÒtDƒá t'¹ ƒÀ ¶€ú ~ç‰Ëƒó €ú"DËë荴&v„Òtt&¶P ƒÀ „Òt€ú ~ð£pŒ‹LGó Ût¸ öEÐ  ⣈‹$pŒ4‰4$èxÔG‹ pŒ‰E ÛŽ‚ ‰ÃFü‰×‰EŒ ЉE”‹ƒÃƒÇ‰$èàÓGp ‰4$è=ÔG‰Cü‹Oü‰t$‰L$‰$èÔG9}”uʋEŒEÇ‹E£ pŒè¡ýF¡pŒ‹<ró‰‰D$¡ pŒ‰D$¡$pŒ‰$è-Y‹ pŒ£pŒ É„ò‹pŒ Ò„¡eðY[^_]aüÍt&·EÔéÿÿÿ´&¡(Gó» ƒø  ÿýÿÿÇ$è9ÔG¡(Góƒø  þÿÿÇD$€óÇ$€óè÷ÓGÇ(Gó Û ìýÿÿ‡$Góéáýÿÿ´&v‰$ÿüqóƒìéOýÿÿ´&èËÓG¡pŒeðY[^_]aüÃfÇD$€óÇ$€óÇ(Gó è‚ÓGénýÿÿ‹EéÁþÿÿ‰$èMÓG´&¶ÇLGó é±üÿÿÇLGóé¡üÿÿƒì‹D$ ‰$è)ÓG À”ÀƒÄ¶À÷ØАU‰åWVSƒìÇ$ ˆÿðqóƒì Àts‰ÃÇ$ ˆÿró‹=øqóƒì£(pŒÇD$ ˆ‰$ÿ׃ì‰ÆÇD$) ˆ‰$ÿ×£ˆƒì ötÇD$,pŒÇ$ÀˆÿÖÇ$ @è^ÿÿÿeô[^_]ͶLj¾ëÀ´&´&U‰åƒì¡ˆ Àt Ç$ÀˆÿС(pŒ Àt‰$ÿèqóƒìÉÐU‰åì¨Ç hÿÿÿOMÇ lÿÿÿÒ‡ÇEðE‰ pÿÿÿE‰ tÿÿÿE‰ xÿÿÿE‰ |ÿÿÿE‰E€E‰E„E ‰EˆE$‰EŒE(‰EE,‰E”E0‰E˜E4‰EœE8‰E E<‰E¤E@‰E¨ED‰E¬EH‰E°EL‰E´EP‰E¸ET‰E¼EX‰EÀE\‰EčE`‰EȍEd‰E̍Eh‰EЍEl‰EԍEp‰E؍Et‰E܍Ex‰EàE|‰Eä €‰Eè „‰Eì‹Eðƒø w‹Eð‹„ hÿÿÿ•pÿÿÿ‰$ÿÐëáÉÃU‰åìˆÇE”@‹€ÇE˜c¥~ÇEðE‰EœE‰E E‰E¤E‰E¨E‰E¬E‰E°E ‰E´E$‰E¸E(‰E¼E,‰EÀE0‰EčE4‰EȍE8‰E̍E<‰EЍE@‰EԍED‰E؍EH‰E܍EL‰EàEP‰EäET‰EèEX‰Eì‹Eðƒø w‹Eð‹D ”Uœ‰$ÿÐëçÉÃU‰åƒì(ÇEìÇ@ÇEðÅ@ÇEô‹Eô‹D ìÿàë‹E‹‰Â‹E‹‰$ÿ҃ìëèÉÃU‰å‹EÇ@]ÃU‰åƒì(ÇEôƒ}ôtƒ}ô uë‹E‰$è?(ÇEô ë ëÛÉÃU‰åìøÇEìM@ÇEð€@ÇEô‹Eô‹D ìé1‹ 䉄$܋ à‰„$؋ ܉„$ԋ ؉„$Ћ ԉ„$̋ Љ„$ȋ ̉„$ċ ȉ„$À‹ ĉ„$¼‹ À‰„$¸‹ ¼‰„$´‹ ¸‰„$°‹ ´‰„$¬‹ °‰„$¨‹ ¬‰„$¤‹ ¨‰„$ ‹ ¤‰„$œ‹  ‰„$˜‹ œ‰„$”‹ ˜‰„$‹ ”‰„$Œ‹ ‰„$ˆ‹ Œ‰„$„‹ ˆ‰„$€‹ „‰D$|‹ €‰D$x‹E|‰D$t‹Ex‰D$p‹Et‰D$l‹Ep‰D$h‹El‰D$d‹Eh‰D$`‹Ed‰D$\‹E`‰D$X‹E\‰D$T‹EX‰D$P‹ET‰D$L‹EP‰D$H‹EL‰D$D‹EH‰D$@‹ED‰D request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZPÿÿ¸@ º´ Í!¸ LÍ!This program must be run under Win32 $7PEL ^B*àŽ H2V`@Ð7þú7@¸ Pv1f7ˆ!àDdÐCODE`FH `DATAd`L@ÀBSSQ€fÀ.idata¸ "f@À.tlsÀˆÀ.rdataЈ@P.relocDdàfŠ@P.rsrcv1Pv1ð@PÐ7f7@P@Boolean @FalseTrue@,@Char ÿ@@ Integer€ÿÿÿ‹ÀX@ Byte ÿl@ Wordÿÿ€@ Cardinalÿÿÿÿ˜@ String¤@ WideString´@Variant@Ä@ OleVariant@@L3@X3@\3@`3@T3@´0@Ð0@1@TObject(@TObject@SystemH@ IInterface ÀFSystemÿÿ̃D$øéAFƒD$øé_FƒD$øéiFÌÌu@@‰@ ÀF•@@@¡@@Ð@L3@”W@ W@`3@T3@°W@Ð0@1@TInterfacedObject‹Àÿ%đE‹Àÿ%À‘E‹Àÿ%¼‘E‹Àÿ%¸‘E‹Àÿ%´‘E‹Àÿ%ؑE‹Àÿ%°‘E‹Àÿ%ԑE‹Àÿ%¬‘E‹Àÿ%¨‘E‹Àÿ%¤‘E‹Àÿ% ‘E‹Àÿ%œ‘E‹Àÿ%˜‘E‹Àÿ%”‘E‹Àÿ%‘E‹Àÿ%Œ‘E‹Àÿ%ˆ‘E‹Àÿ%„‘E‹Àÿ%БE‹Àÿ%€‘E‹Àÿ%|‘E‹Àÿ%x‘E‹Àÿ%è‘E‹Àÿ%ä‘E‹Àÿ%à‘E‹Àÿ%t‘E‹Àÿ%p‘E‹Àÿ%ø‘E‹Àÿ%ô‘E‹Àÿ%ð‘E‹Àÿ%l‘E‹Àÿ%h‘E‹Àÿ%d‘E‹Àÿ%`‘E‹ÀSƒÄ¼» TèYÿÿÿöD$, t·\$0‹ÃƒÄD[ËÀÿ%\‘E‹Àÿ%X‘E‹Àÿ%T‘E‹Àÿ%P‘E‹Àÿ%L‘E‹Àÿ%H‘E‹Àÿ%D‘E‹Àÿ%@‘E‹ÀSV¾è Eƒ>u:hDjè¨ÿÿÿ‹È Éu3À^[áä E‰ ‰ ä E3ҋÂÀDÁ‹‰‰Bƒúduì‹‹‰^[Љ‰@ËÀSV‹ò‹Øèÿÿÿ Àu3À^[ˉP‹V‰P‹‰‰X‰B‰° ^[ËP‹‰ ‰Q‹è E‰£è EÃSVWUQ‹ñ‰$‹è‹]‹$‹‰‹P‰V‹;‹‹SS;Âu‹Ãè·ÿÿÿ‹C‰‹C FëF;Cu ‹Ãè›ÿÿÿ‹C F‹ß;ëuË֋ÅèVÿÿÿ„Àu3À‰Z]_^[ÃSVWUƒÄø‹Ø‹û‹2‹C;ðrp‹ÎJ‹èk;Íwb;ðu‹B C‹B)Cƒ{uH‹Ãè9ÿÿÿë?‹Î‹zϋèk;Íu){ë*‹ J‰$‹{{+ù‰|$+ð‰s‹Ô‹ÃèÐþÿÿ„Àu3Àë° ë‹;ûu3ÀYZ]_^[ÐSVW‹Ú‹ðþ}¾ëÆÿÿæÿÿ‰sj h Vjèøýÿÿ‹ø‰; ÿt#‹Ó¸ì Eèlþÿÿ„Àuh€j‹PèÙýÿÿ3À‰_^[ÐSVWU‹Ù‹ò‹èÇCjh hUè¥ýÿÿ‹ø‰; ÿuÆÿÿæÿÿ‰sjh VUè€ýÿÿ‰ƒ;t#‹Ó¸ì Eèõýÿÿ„Àuh€j‹Pèbýÿÿ3À‰]_^[ÐSVWUƒÄì‰L$‰$ÇD$ÿÿÿÿ3҉T$‹è‹$ʼnD$‹ì EëQ‹;‹s;îwF‹ÆC;D$w;;t$s‰t$‹ÆC;D$v‰D$h€jVèïüÿÿ Àu ÇÈ E ‹ÃèŠýÿÿ‹ßûì Eu§‹D$3҉ƒ|$t‹D$‹T$‰‹D$+D$‹T$‰BƒÄ]_^[ÃSVWUƒÄô‰L$‰$‹Ð‹êåðÿÿ$Âÿâðÿÿ‰T$‹D$‰(‹D$+ŋT$‰B‹5ì Eë<‹^‹~û;ëv‹Ý;|$v‹|$;ûvjh+ûWSè&üÿÿ Àu ‹D$3҉ë ‹6þì Eu¼ƒÄ]_^[ËÀSVWUQ‹Ø‹óÆÿæðÿÿ‰4$‹ëêåðÿÿ‹$‰ ‹Å+$‰A‹5ì Eë8‹^‹~û;$s‹$;ïs‹ý;ûvh@+ûWSè­ûÿÿ Àu ÇÈ E‹6þì EuÀZ]_^[Í@SVWUƒÄø‹ò‹ø½ü EÇÿ?çÀÿÿ‹]ë3;{,‹Î‹×‹Cèºþÿÿƒ>tP‹F C‹F)Cƒ{u>‹Ãèìûÿÿë5‹;Ýuɋ֋Çè÷üÿÿƒ>t!‹Ì‹Ö‹Åèãûÿÿƒ<$u¥‹Ì‹V‹è±ýÿÿ3À‰YZ]_^[ËÀSVWUƒÄì‰$‹ú‹ð½ü EÇÿ?çÀÿÿ‹]ë‹;Ýt;suõ;suW;{Ž–L$‹×+S‹CCèÛüÿÿƒ|$t3L$T$‹Åè]ûÿÿƒ|$u±L$‹T$‹D$è%ýÿÿ‹$3҉鐍L$‹×‹Æè”üÿÿƒ|$t4L$T$‹Åèûÿÿƒ|$ fÿÿÿL$‹T$‹D$èÚüÿÿ‹$3҉ëH‹k;õu:;{5‹$‹×‹Åèqýÿÿ‹$ƒ8t(‹$‹@ C‹$‹@)Cƒ{u‹Ãèšúÿÿë‹$3҉ƒÄ]_^[ÐSVWƒÄì‹ù‰$˜ÿ?ãÀÿÿ‹4$ðæÀÿÿ;Þs[‹Ï‹Ö+ӋÃè™ýÿÿL$‹×¸ü Eè]úÿÿ‹\$ ÛtL$‹T$‹Ãè&üÿÿ‹D$‰D$‹D$‰D$ƒ|$tT$¸ü Eè‘úÿÿë3À‰ƒÄ_^[ÃU‹ì3ÒUhâ@dÿ2d‰"hÌ Eè9ùÿÿ€=M€Et hÌ Eè.ùÿÿ¸ì EèŒùÿÿ¸ü Eè‚ùÿÿ¸(†EèxùÿÿhøjèÜøÿÿ£$†Eƒ=$†Et/¸‹$†E3ɉL‚ô@= uì¸†E‰@‰£†EÆÄ E 3ÀZYYd‰hé@€=M€Et hÌ Eè¯øÿÿÃéqëå Ä E]ÃU‹ìS€=Ä E„Ì3ÒUhÆ@dÿ2d‰"€=M€Et hÌ EèføÿÿÆÄ E¡$†EPè4øÿÿ3À£$†E‹ì Eëh€j‹CPè%øÿÿ‹ûì Euæ¸ì Eè‰øÿÿ¸ü Eèøÿÿ¸(†Eèuøÿÿ¡ä E Àt‹‰ä EPèÖ÷ÿÿ¡ä E Àué3ÀZYYd‰hÍ@€=M€Et hÌ EèÕ÷ÿÿhÌ EèÓ÷ÿÿÃéëÛ[]ÃS;†Eu ‹P‰†E‹P‹Hù8;Âu ÉyƒÁÁù¡$ request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ‹@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL æ¨à  HF  , Ÿ@  p¬}ª@°§LÀ«„­À§Hë@3Ÿ´.textÈGFHF `.rdata4µX`F¶XLF@@.data ‰ ŸòŸ@À.idataL°§ô¤@À.relocHëÀ§ìú¤@B.symtab°«æ¨B.rsrc„­À«®è¨@@‹$ÃÌÌÌÌÌÌÌÌÌÌÌ̋$ÃÌÌÌÌÌÌÌÌÌÌÌ̋$ÃÌÌÌÌÌÌÌÌÌÌÌ̋$ÃÌÌÌÌÌÌÌÌÌÌÌ̋,$ÃÌÌÌÌÌÌÌÌÌÌÌ̋4$ÃÌÌÌÌÌÌÌÌÌÌÌ̋<$ÃÌÌÌÌÌÌÌÌÌÌÌ̋ Ð#çd‹ ‹ ;av ƒìèØ‹D$‰$‹D$‰D$èƒÄÃè›ûëÉÌÌÌÌÌÌÌÌ̋ Ð#çd‹ ‹ ;a†’ƒìD‹\$H‹l$Lë‰Í‰ó í„1À鯸ÿÿÿÿ À}‰è1É1öë'9è‡Op 9õ‚;)ō}ÿ‰ù‡ß÷ۇßÁÿ!þ ރø|°;cpu.u¨1Òéyºÿÿÿÿ‰L$,‰t$< ÒŒA 9‡íƒú‚؍jü‰ï‡Ý÷ۇÝÁýƒåJ 4+9È‚®‰|$(‰t$4)Ѝxÿ‰|$‡ß÷ۇßÁÿ!ù<‰|$0ƒøuf?onuaƒøëƒøuWf?ofuPL€9fuGƒø‡ß”Ç߃úuf>alu\+€;lu ‹å1Àéø—ˆD$—‹å‰T$$‹\$(1Àé èftÆà’‰$ÇD$è°|‹D$0‰$‹D$‰D$èœ|^ʓ‰$ÇD$ è†|‹D$4‰$‹D$(‰D$èr|a’‰$ÇD$è\|èWt‹L$,‹t$<éKþÿÿ‰D$‰\$8èÝs蓉$ÇD$!è'|‹D$8‰$‹D$‰D$è|a’‰$ÇD$èý{èøs‹L$,‹t$<éìýÿÿ‹å‹ åëƒÀI ÉŽ¶P„Òtì¶P ‹X„Òtu¶+•„À•ul‰L$,‰D$@‹‰L$<‹P‰T$(è;sŽY“‰$ÇD$è {‹D$<‰$‹D$(‰D$èq{Ã>“‰$ÇD$è[{èVs‹D$@‹L$,élÿÿÿˆéeÿÿÿƒÄDÃ@9èIýÿÿ4€>,uïéAýÿÿB9ýÿÿ,€}=uîévýÿÿE ¶|$9Ѝ ‹ å9ȃó‰ÅÁà‹ å‹| ‹ 9ßủl$ ‰D$‰$‰t$‰|$è%¶D$„Àu‹T$$‹\$(‹l$ ‹t$4뙋 å‹D$ 9ȃ“‹å‹l$ÆD+ ‹ å9Èsu‹å¶|$—ˆD+ —‹L$,‹t$<ébüÿÿèüq¹§“‰$ÇD$èFz‹D$4‰$‹D$(‰D$è2za’‰$ÇD$èzèr‹L$,‹t$<éüÿÿèõèðèë‹5嗈D. —@9Ø}&‹ å9Ès.‰ÅÁå‹5åÆD. ‹ å9ÈrËë ‹L$,‹t$<é¸ûÿÿè¢è‰Â‰È‰Ñèò¸‰Ñèæ‰Ñ‰Â蝉ð‰éèÔ‰Á‰ê苐èåöéPûÿÿ‹ Ð#çd‹ ‹ ;a†vƒì0 fŠ‰$苪‹D$Ç@ õd’‰ ¡-ç‰HÇ@ ød’‰H  -ç‰HÇ@$ zi’‰H  ©-ç‰H(Ç@4  ¿‰’‰H0 ¬-ç‰H8Ç@D It’‰H@ ®-ç‰HHÇ@T ûd’‰HP ¯-ç‰HXÇåÇå‹ ¸'ç Étè ‰‹ å‰O‰åè© ‹$‰D$(ƒø„ ‹ å‹åƒÂ‹å9ÑsZ‰$‰T$‰L$ÇD$ࠎ‰D$èÞ·‹D$‹L$‹T$‰å‹¸'ç Àtè ‰‹å‰G‰ å‹D$(‰Ë‰åJûÁáÇDfÇD‹¸'ç ÒtM‹è© ‰‹T‰W‹T‰W‹T‰W‹T ‰W‹T(‰W‹T0‰W‹T8‰W‹T@è ‰‹TH‰WOt’‰­-ç‰TÇDfÇD~i’‰T°-ç‰TÇD$fÇD,ám’‰T ²-ç‰T(ÇD4fÇD<æm’‰T0³-ç‰T8ÇDDfÇDLëm’‰T@±-ç‰THƒø„ ‹ å‹åƒÂ‹å9ÑsZ‰$‰T$‰L$ÇD$ࠎ‰D$èQ¶‹D$‹L$‹T$‰å‹¸'ç Àt艋å‰G‰ å‹D$(‰Ë‰åJûÁáÇDfÇD‹¸'ç ÒtM‹è‰‹T‰W‹T‰W‹T‰W‹T ‰W‹T(‰W‹T0‰W‹T8‰W‹T@耉‹TH‰Wþd’‰¢-ç‰TÇDfÇD‚i’‰T£-ç‰TÇD$fÇD,†i’‰T §-ç‰T(ÇD4fÇD<Ši’‰T0¨-ç‰T8ÇDDfÇDL e’‰T@ª-ç‰THƒø ‹å‹ åƒÁ‹å9ÈsZ‰$‰L$‰D$ÇD$ࠎ‰D$èÄ´‹D$‹L$‹T$‰å‹¸'ç Àtès‰‹å‰G‰ å‰Ð‰Ê‰Á‰ åAýÁàÇDfÇD‹ ¸'ç Ét-‹èo‰‹L‰O‹L‰O‹L‰O‹L ‰O‹L(‰O {’‰ ¤-ç‰LÇDfÇD ¢‚’‰L ¥-ç‰LÇD$fÇD, ª‚’‰L  ¦-ç‰L(Ç$ÇD$è ‹D$ À„'‰D$$Ç$€ÇD$èé‹D$‰d#çÇ$ ÇD$èË‹D$© •Áˆ °-ç©•Áˆ ¬-ç©•Áˆ ±-ç©•Áˆ ²-ç©•Áˆ ³-穀•Áˆ ­-ç©•Áˆ  -ç©•Á©•Âˆ«-ç!ш ª-ç©u1É1ÒëC‰D$,èQ‹$©t ©•Áë1ɄÉt© t©@t ©€•Àë1À‰Â‹D$,©•À!Ȉ¢-ç‹D$$ƒø‚üˆT$"ˆL$#Ç$ÇD$è¾ request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ‹@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL Rà  ¤$l °J@   W—U@ÀRLÀTéÛÐR¼Ý à¼J´.textx¢$¤$ `.rdatadä%À$æ%¨$@@.data` °JŽJ@À.idataLÀRP@À.reloc¼Ý ÐRÞ $P@B.symtab°TRB.rsrcéÛÀTÜR@@‹$ÃÌÌÌÌÌÌÌÌÌÌÌ̋$ÃÌÌÌÌÌÌÌÌÌÌÌ̋$ÃÌÌÌÌÌÌÌÌÌÌÌ̋$ÃÌÌÌÌÌÌÌÌÌÌÌ̋,$ÃÌÌÌÌÌÌÌÌÌÌÌ̋4$ÃÌÌÌÌÌÌÌÌÌÌÌ̋<$ÃÌÌÌÌÌÌÌÌÌÌÌ̋ lB’d‹ ‹ ;av ƒìèØ‹D$‰$‹D$‰D$èƒÄÃè‹ïëÉÌÌÌÌÌÌÌÌ̋ lB’d‹ ‹ ;a†’ƒìD‹\$H‹l$Lë‰Í‰ó í„1À鯸ÿÿÿÿ À}‰è1É1öë'9è‡Op 9õ‚;)ō}ÿ‰ù‡ß÷ۇßÁÿ!þ ރø|°;cpu.u¨1Òéyºÿÿÿÿ‰L$,‰t$< ÒŒA 9‡íƒú‚؍jü‰ï‡Ý÷ۇÝÁýƒåJ 4+9È‚®‰|$(‰t$4)Ѝxÿ‰|$‡ß÷ۇßÁÿ!ù<‰|$0ƒøuf?onuaƒøëƒøuWf?ofuPL€9fuGƒø‡ß”Ç߃úuf>alu\+€;lu ‹tG1Àéø—ˆD$—‹tG‰T$$‹\$(1Àé èfn3Ûk‰$ÇD$è°v‹D$0‰$‹D$‰D$èœv¹`l‰$ÇD$ è†v‹D$4‰$‹D$(‰D$èrv~zk‰$ÇD$è\vèWn‹L$,‹t$<éKþÿÿ‰D$‰\$8èÝmNhl‰$ÇD$!è'v‹D$8‰$‹D$‰D$èv~zk‰$ÇD$èýuèøm‹L$,‹t$<éìýÿÿ‹pG‹ tGëƒÀI ÉŽ¶P„Òtì¶P ‹X„Òtu¶+•„À•ul‰L$,‰D$@‹‰L$<‹P‰T$(è;mø,l‰$ÇD$è u‹D$<‰$‹D$(‰D$èquÆl‰$ÇD$è[uèVm‹D$@‹L$,élÿÿÿˆéeÿÿÿƒÄDÃ@9èIýÿÿ4€>,uïéAýÿÿB9ýÿÿ,€}=uîévýÿÿE ¶|$9Ѝ ‹ tG9ȃó‰ÅÁà‹ pG‹| ‹ 9ßủl$ ‰D$‰$‰t$‰|$è%¶D$„Àu‹T$$‹\$(‹l$ ‹t$4뙋 tG‹D$ 9ȃ“‹pG‹l$ÆD+ ‹ tG9Èsu‹pG¶|$—ˆD+ —‹L$,‹t$<ébüÿÿèükMTl‰$ÇD$èFt‹D$4‰$‹D$(‰D$è2t~zk‰$ÇD$ètèl‹L$,‹t$<éüÿÿèåÿèàÿèÛÿ‹5pG—ˆD. —@9Ø}&‹ tG9Ès.‰ÅÁå‹5pGÆD. ‹ tG9ÈrËë ‹L$,‹t$<é¸ûÿÿè’ÿèÿ‰Â‰È‰Ñèâÿ¸‰ÑèÖÿ‰Ñ‰Âèÿ‰ð‰éèÄÿ‰Á‰êè{ÿèÕêéPûÿÿ‹ lB’d‹ ‹ ;a†vƒì0À4g‰$è+¨‹D$Ç@ ,~k‰ áI’‰HÇ@ /~k‰H àI’‰HÇ@$ ™k‰H  éI’‰H(Ç@4  Vœk‰H0 ìI’‰H8Ç@D ¨‹k‰H@ îI’‰HHÇ@T 2~k‰HP ïI’‰HXÇtGÇxG‹ øD’ Étèÿý‰‹ pG‰O‰pGè© ‹$‰D$(ƒø„ ‹ xG‹tGƒÂ‹pG9ÑsZ‰$‰T$‰L$ÇD$Àci‰D$è~¬‹D$‹L$‹T$‰xG‹øD’ Àtè}ý‰‹pG‰G‰ pG‹D$(‰Ë‰tGJûÁáÇDfÇD‹øD’ ÒtM‹è™ý‰‹T‰W‹T‰W‹T‰W‹T ‰W‹T(‰W‹T0‰W‹T8‰W‹T@èýü‰‹TH‰W®‹k‰íI’‰TÇDfÇDk‰TðI’‰TÇD$fÇD,ô k‰T òI’‰T(ÇD4fÇD<ù k‰T0óI’‰T8ÇDDfÇDLþ k‰T@ñI’‰THƒø„ ‹ xG‹tGƒÂ‹pG9ÑsZ‰$‰T$‰L$ÇD$Àci‰D$èñª‹D$‹L$‹T$‰xG‹øD’ Àtèðû‰‹pG‰G‰ pG‹D$(‰Ë‰tGJûÁáÇDfÇD‹øD’ ÒtM‹èü‰‹T‰W‹T‰W‹T‰W‹T ‰W‹T(‰W‹T0‰W‹T8‰W‹T@èpû‰‹TH‰W5~k‰âI’‰TÇDfÇD¡k‰TãI’‰TÇD$fÇD,¥k‰T çI’‰T(ÇD4fÇD<©k‰T0èI’‰T8ÇDDfÇDL8~k‰T@êI’‰THƒø ‹xG‹ tGƒÁ‹pG9ÈsZ‰$‰L$‰D$ÇD$Àci‰D$èd©‹D$‹L$‹T$‰xG‹øD’ Àtècú‰‹pG‰G‰ pG‰Ð‰Ê‰Á‰ tGAýÁàÇDfÇD‹ øD’ Ét-‹è_ú‰‹L‰O‹L‰O‹L‰O‹L ‰O‹L(‰O Ok‰ äI’‰LÇDfÇD J–k‰L åI’‰LÇD$fÇD, R–k‰L  æI’‰L(Ç$ÇD$è ‹D$ À„'‰D$$Ç$€ÇD$èé‹D$‰HB’Ç$ ÇD$èË‹D$© •Áˆ ðI’©•Áˆ ìI’©•Áˆ ñI’©•Áˆ òI’©•Áˆ óI’©€•Áˆ íI’©•Áˆ àI’©•Á©•ÂˆëI’!ш êI’©u1É1ÒëC‰D$,èQ‹$©t ©•Áë1ɄÉt© t©@t ©€•Àë1À‰Â‹D$,©•À!ȈâI’‹D$$ƒø‚üˆT$"ˆL$#Ç$ÇD$è¾ request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL ]ÝD–à  0B2®a €@ à@ `aK€¬.À  H.text´A B `.rsrc¬.€0D@@.relocÀt@BaHDZh¤Í¬þÀ*.(ò( *0 Î s ~%:&~þ&s %€( +o 8[o  %F~((¢%G~((¢%H~((¢%e~((¢~)(¡ o 8Ô( ssÔ~ }~ s ( o }{I~((o   9I~((8C~((o :{~*(¥8{~+(©( þ   9Ño ( o o ( {~,(­( þ   9ƒs s s þs ~%:&~þ's! %€(+þs ~%:&~þ(s! %€(+þs ~%:&~þ)s! %€(+~-(±~.(µþs" ~ %:&~þ*s# %€ (+~/(¹~0(½þs$ ~ %:&~þ+s% %€ (+~1(Áþ s& ~%:&~þ,s' %€(+~2(Åþ!s( ~%:&~þ-s) %€(+~3(É{~4(Í~5(Ñ(+9«sÔ%~-(±%r pf~(((+ ~.(µ%s, ~/(¹%~0(½%s- ~1(Á%s. ~2(Å%~3(É%~6(Õ~5(Ño/ (+9«sÔ%~-(±%r pg~(((+ ~.(µ%s, ~/(¹%~0(½%s- ~1(Á%s. ~2(Å%~3(É%~6(Õ~5(Ño/ Ý Ý~7(Ùþ 9o/ (0 : ûÿÿÝþo1 Üo2 :šúÿÿÝ9o1 ÜÝ&Ý8*AdÍ|I  ê‡7p§´» 02s, F~(((3 (4 þ 9 Ýû ~8(Ýs h~((~9(á&8† s“~:(å~:(åo5 ~;(é~:(åo5 ~<(í~=(ñ~>(õÝ  ÝÝÃ~?(ù(6 :~?(ù8;~((~;(é~@(ý(6 :~@(ý8;~((~<(í~A( (6 :~A( 8;~((~>(õÜ~A( ;~(((7   9o8 X~B(þ:aþÿÿÝ ÝÝ  Ý8*Adruç  rƒõÃ@Ï     0ð  þ8þEc8^8V8Q;~(( ~ {Ç9½ÿÿÿ& 8²ÿÿÿ ~ {:šÿÿÿ& 8ÿÿÿ*i~(((  8þE">|8ݲÿÿÿ þ8Çÿÿÿ8p8Ê~C(  þ8¡ÿÿÿ %j~((¢o9 š %"o: šo; 8” (þ 89 Q~(((< (+ ~ {ý:(ÿÿÿ& 8ÿÿÿ: ~ {ö:ÿÿÿ& 8÷þÿÿ ~ {´9Þþÿÿ& 8Óþÿÿ݃þÿÿ8Ýuþÿÿ8pþÿÿA‡V Ý  0`s (3 (4 þ 9 Ý4~8(Ýs H~((o> ~9(á&8º sô%~:(åo5 ~D( %~:(åo5 o .þ ~E(%~:(åo5 ~F(%~:(åo 1þ ~G(%~:(åo5 (? @Bj[!‘¶Y~H(%~:(åo5 ~I(!% š~((~J(%~=(ñ~K()~L(-jþ92(@   (A   (B !€µ÷õŸY~H(Ý  Ý:8~M(1(6 þ 9 oC X~B(þ:-þÿÿÝ  ÝÝ Ý8*ALhs Û  5=  request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL [š§Ñà" 0¦jÄ à@  @ ÄOàø tÃ8  H.textp¤ ¦ `.rsrcøà¨@@.reloc ®@BJÄH¤1° TJ yþ~ } ~ }~ }( ({t }*6s (*0> {r po  o &{  ( ( } (*0! {  ( ( } (*0! {  ( ( } (*0! {  ( ( } (*0! {  ( ( } (*0! {  ( ( } (*0! {  ( ( } (*0! {  ( ( } (*0" {  ( ( } (*0! {  ( ( } (*þ{X}{2({ }+}~ } *þ{X}{2({ }-}~ } *þ{X}{2({ }*}~ } *þ{X}{2({ }/}~ } *Š{rpo {{ o **0[ { }{( &{ ( &{1{ {+3$X}{|( o 8Þ{-3$Y}{|( o 8°{*3_#3}#3}#.#. Z}{|( o +G{/3=#.![}{|( o +{r po N}{X}*0A{rpo ~ } ~ }~ }N}}*z,{ ,{ o ( *0`rprprp( r prpo r—pr¡po s! ("  '(# ($ r¯po% }*0Ð(& s' s( } s( }s( }s( } s( }s( }s( }s( }s( }s( }s( }s( }s( }s( }s( }s) }s( }((* { (+ o, {  @ Ys- o. { rÓpo/ { Ks0 o1 { "o2 { rçpo { o3 { þ s4 o5 {(+ o, { @ vs- o. {rëpo/ {Ks0 o1 {!o2 {rÿpo {o3 {þs4 o5 {{Ys- o. {r po/ {Ks0 o1 { o2 {r po {o3 {þs4 o5 {  °s- o. { r po/ { Ks0 o1 { o2 { r' po { o3 { þs4 o5 {(+ o, { @ “s- o. {r+ po/ {Ks0 o1 {o2 {r; po {o3 {þs4 o5 {(+ o, { @ °s- o. {r? po/ {Ks0 o1 {o2 {rS po {o3 {þs4 o5 {(6 o, {o «s- o. {rW po/ {l!s0 o1 {o2 {ri po {o3 {þs4 o5 { ÞYs- o. {rm po/ {Ks0 o1 {o2 {r} po {o3 {þs4 o5 {vs- o. {r po/ {Ks0 o1 {o2 {r‘ po {o3 {þs4 o5 { Þvs- o. {r• po/ {Ks0 o1 {o2 {r¥ po {o3 {þs4 o5 {{vs- o. {r© po/ {Ks0 o1 {o2 {r¹ po {o3 {þs4 o5 { Þ “s- o. {r½ po/ {Ks0 o1 {o2 {rÍ po {o3 {þs4 o5 {{ “s- o. {rÑ po/ {Ks0 o1 {o2 {rá po {o3 {þ s4 o5 { “s- o. {rå po/ {Ks0 o1 {o2 {rõ po {o3 {þ s4 o5 {Ys- o. request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@( º´ Í!¸ LÍ!This program cannot be run in DOS mode. $JJ™O+÷+÷+÷ESô+÷ESòÒ+÷ESó+÷¯ +÷¯ô+÷¯ó+÷¯òg+÷ESñ+÷ESö+÷+öB*÷Tô+÷Tò'+÷TóÁ+÷F®þ+÷F®+÷+`+÷F®õ+÷Rich+÷PEd†„ëÔfð")¦#’Œ@ €0`,†,܀/ظ.èv @0ä1°Þ)p€à)(pÝ)@ À#ð.text¬¥#¦# `.rdata@âÀ#äª#@@.dataÔI °,”Ž,@À.pdataèv .x "-@@.rsrcظ€/ºš.@@.relocä1@02T/@BHƒìxՉ(‹÷‰(3Ƀ=>¬, ω(‰D$X·à‰(D$0f‰D$\ò‰(¶ɉ(òD$PˆD$^L$@Œ1 fo~Ì)HT$4fo%ÑË)fo‰Ì)fo-!Ì)fD$ D‹D$ )t$`fo5Ì)f„fnэAfpÒHRfþԃÁfoÊfoÂfjÂfbÊf8(Ãf8(ËÆÈÝfráfoÁfrÐfþÁf8@ÅfúÐfAnÀTÖfgÒfgÒfüÐfnBôWÐf~RôfnÐfpÒfþÔfoÊfoÂfjÂfbÊf8(Ãf8(ËÆÈÝfráfoÁfrÐfþÁf8@ÅfúÐfAnÀTÖfgÒfgÒfüÐfnBøWÐf~Røƒù(Œÿÿÿ(t$`ƒù/}BHcÁLD$0LÀff„¸OìÄNM@ ÷éÁú‹ÂÁèоÂkÐ4¶ÁÿÁ*Â9A0@ÿƒù/|ÓHD$0IÇÀÿÿÿÿ€IÿÀB€<uöHT$0H Úa-èu‰H #HƒÄxéñÌÌÌÌÌHƒìxZ(‹¿Z(3Ƀ=.ª, —Z(‰D$X·¨Z(D$0f‰D$\òŠZ(¶‘Z(òD$PˆD$^L$@Œ1 fonÊ)HT$4fo%ÁÉ)foyÊ)fo-Ê)fD$ D‹D$ )t$`fo5 Ê)f„fnэAfpÒHRfþԃÁfoÊfoÂfjÂfbÊf8(Ãf8(ËÆÈÝfráfoÁfrÐfþÁf8@ÅfúÐfAnÀTÖfgÒfgÒfüÐfnBôWÐf~RôfnÐfpÒfþÔfoÊfoÂfjÂfbÊf8(Ãf8(ËÆÈÝfráfoÁfrÐfþÁf8@ÅfúÐfAnÀTÖfgÒfgÒfüÐfnBøWÐf~Røƒù(Œÿÿÿ(t$`ƒù/}BHcÁLD$0LÀff„¸OìÄNM@ ÷éÁú‹ÂÁèоÂkÐ4¶ÁÿÁ*Â9A0@ÿƒù/|ÓHD$0IÇÀÿÿÿÿ€IÿÀB€<uöHT$0H ¢`-èe‡H ›#HƒÄxéáÌÌÌÌÌHƒì8· í (IÇÀÿÿÿÿ¶á (òÏ (òD$ €t$!:€t$";€t$#<€t$$=€t$%>€t$&?€t$'@f‰L$(€ñA€t$)B4CÆD$ 6ˆD$*HD$ ˆL$(DIÿÀB€<uöHT$ H â_-èņH Žš#HƒÄ8éAÌÌÌÌÌHƒì8·aY(3Ƀ=„§,òDY(‹FY(f‰D$,¶@Y(ˆD$.òD$ ‰T$(ŒJ fo-öÇ)¹fo)Ç)foAÇ)foÊfo% Ç)foÂfjÂfbÊf8(Åf8(ÍÆÈÝfráfoÁfrÐfþÁf8@@Ç)fúÐfn´X(TÔfgÒfgÒfüaÇ)WÐf~T$ foÀÆ)foÊfoÂfjÂfbÊf8(Åf8(ÍÆÈÝfráfoÁfrÐfþÁfoËf8@ÓÆ)fúÐfbËfnD$$TÔfgÒfgÒfüòÆ)WÐf8(ÍfoÃf~T$$fjÃf8(ÅÆÈÝfráfoÁfrÐfþÁf8@xÆ)fúØfnÂTÜfgÛfgÛfüÆ)WØf~\$(‹ÁLD$ LÀff„¸OìÄNM@ ÷éÁú‹ÂÁèоÂkÐ4¶ÁÿÁ*Â9A0@ÿƒù|ÓHD$ IÇÀÿÿÿÿ€IÿÀB€<uöHT$ H ²]-资H Ž˜#HƒÄ8é1þÌÌÌÌÌHƒì(H ]-è€ßH y˜#HƒÄ(éþHƒì(èç H‰Ø,-HƒÄ(ÃÌÌÌÌÌÌÌÌÌÌÌHƒì(èÇ H‰°,-HƒÄ(ÃÌÌÌÌÌÌÌÌÌÌ̋Ç$H c™#f‰l¢,¶óÆ$ˆa¢,é¦ýÌÌÌÌÌÌÌÌÌÌH ©™#éýÌÌÌÌH š#é€ýÌÌÌÌHƒì(€=Õ?-u è-xÆÇ?- fo}ì$H.ì$E3ÀH‰¼?-H ½?-ó½?-APèt_3ÉH‰»?-‰ ½?-HÇ H‹§?-H‰HH ¬™#HƒÄ(éÿüÌÌÌHƒì(€=U?-u è­wÆG?- foýë$H®ë$E3ÀH‰l?-H m?-óm?-APèô^3ÉH‰k?-‰ m?-HÇH‹W?-H‰HH l™#HƒÄ(éüÌÌÌHƒì(€=Õ>-u è-wÆÇ>- fo}ë$H.ë$E3ÀH‰$?-H %?-ó%?-APèt^3ÉH‰#?-‰ %?-H‰H‹?-H‰HH 0™#HƒÄ(éüÌÌÌÌÌÌÌé»vÌÌÌÌÌÌÌÌÌÌÌHƒì(E3ÀH ú ,AP èI^Hƒ=ù ,H‰ú ,v*HÇ H‹ ê ,L‹Û ,HƒÁIƒè tIÁà3Òè¾#H ÷˜#HƒÄ(éŠûÌÌÌÌÌÌÌÌÌÌÌÌÌÌHƒì(E3ÀH j ,3ÒèÛ]H ™#H‰m ,HƒÄ(éPûÌÌÌÌHƒì(H  ,è0”H   ,è#”Æ´ , H ™#HƒÄ(éûÌÌÌÌÌÌÌÌÌÌÌÌHƒì(H  ,è`ڐH À ,èSÚÆä , H E™#HƒÄ(éØúÌÌÌÌÌÌÌÌÌÌÌÌ黡ÌÌÌHƒì(H -?-è4áH ‘™#HƒÄ(é¤úHƒì(A¹ H×@-E3ÀH ]@-èh,H m™#HƒÄ(étú@SHƒì ¹ èÐåH ¡@-H‹ØèI9H" %E3ÀH‹ÓH‰ @-H ~@-è9"H r™#HƒÄ [é$úH‹C-Lê?-L‰C-H ÒtH‹HcHL‰DPL‹óB-H‹ôB-H ÒtH‹HcHL‰DPÃÌÌHƒì(H •?-èLàH ™#HƒÄ(é¼ùH m™#é°ùH ™#é¤ùHƒì(A¹ HWA-E3ÀH Ý@-èh+H u™#HƒÄ(étù@SHƒì ¹èÐäH !A-H‹ØèI8H"%E3ÀH‹ÓH‰A-H þ@-è9!H z™#HƒÄ [é$ùH‹q@-Hj@-H‰B-HcHH‹B-H‰DPH‹ request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:58 a.m.	buffer: MZÿÿ¸@ິ Í!¸ LÍ!This program cannot be run in DOS mode. $þäš~º ô-º ô-º ô-Õó_-  ô-Õój-  ô-Õó^-ç ô-³ýg-½ ô-º õ-Æ ô-Õó[-» ô-Õón-» ô-Õói-» ô-Richº ô-PEL íê[dà  ÒÀ»ið@   ]ÖPp˜" \ÖØN@Ì .text´ÐÒ `.datahsðx Ö@À.rsrc˜" p$ N@@ÝôÜâÜݐؤØÂØÐØâØòØÙÙ2ÙBÙPÙ`Ùtٌ٪ÙÈÙØÙîÙÚÚ.ÚDÚ^ÚvÚ†Ú˜Ú°ÚvØÞÚôÚÛÛ&Û8ÛFÛZÛpÛ‚Û–ÛªÛ¾ÛÞÛòÛÜÜ,ÜBÜNÜ^ܦàšàŽà|à^ØJØ:ØÄÚ(Ø0ÝFÝVÝbÝn݂ݐݠݲÝÈÝÚÝöÝÞ(Þ8ÞLÞXÞpÞˆÞ’ÞžÞ°Þ¼ÞÊÞØÞâÞøÞß"ß.ß>ßfß~ß–ß®ßÈßâßôßàà2àLàTàjà¼Ü®Ü ÜŽÜ€ÜÈÜ*t@’€@®@«@1•@˜O@¡`@k`@Unknown exceptionð?ð?33ÿ€CorExitProcessmscoree.dllHH:mm:ssdddd, MMMM dd, yyyyMM/dd/yyPMAMDecemberNovemberOctoberSeptemberAugustJulyJuneAprilMarchFebruaryJanuaryDecNovOctSepAugJulJunMayAprMarFebJanSaturdayFridayThursdayWednesdayTuesdayMondaySundaySatFriThuWedTueMonSunHH:mm:ssdddd, MMMM dd, yyyyMM/dd/yyPMAMDecemberNovemberOctoberSeptemberAugustJulyJuneAprilMarchFebruaryJanuaryDecNovOctSepAugJulJunMayAprMarFebJanSaturdayFridayThursdayWednesdayTuesdayMondaySundaySatFriThuWedTueMonSunKERNEL32.DLLFlsFreeFlsSetValueFlsGetValueFlsAllocàO@¯|@ððÿà €€€ÿÀÀÿ€ÊòIqÊòIñ`B¢ `B¢YóøÂn¥ YóøÂn¥tancossinmodffloorceilatanexp10ð?acosasinloglog10exppowruntime error TLOSS error SING error DOMAIN error R6033 - Attempt to use MSIL code from this assembly during native code initialization This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6032 - not enough space for locale information R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application. R6030 - CRT not initialized R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough spac request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL ݱÒf_˜%à  #âG`Zâf°H@  Æˆÿe P³B`³ä ³Ü"ô«Hàa³ .textôáGâG`P`.datahHèG@`À.rdataž H þG@`@/4¼“ÀH”žH@0@.bssôáf`L€`À.edataBP³2L@0@.idataä `³ 4L@0À.CRT4p³>L@0À.tls€³@L@0À.relocÜ"³$BL@0B/14ÀÁfZ@B/29ħ ÐÁ¨ nZ@B/41XL€ÃN\@B/55BãÐÃäd\@B/67TÀÄH]@0B/80a àÄ f]@B/91‹ ðČ p]@B/102À€Æü^@BÍ´&´&ƒì1Àf=@MZÇà6ó ÇÜ6ó ÇØ6ó ÇÐ6ó u‹<@º@PEŠ@t`£`Œ¡ì6ó ÀtBÇ$è6ÓGè9ÓG‹7ó‰è4ÓG‹è6ó‰èüFƒ=ˆ tN1ÀƒÄÍ´&Ç$ èôÒGë¼f·Qfú t=fúuŽƒ¹„v ‹‘ø1À Ò•ÀésÿÿÿvÇ$À ‡èô G1ÀƒÄͶƒyt†Nÿÿÿ‹‰è1À É•Àé<ÿÿÿ´&t&ƒì,¡Ô6óÇD$`Œ£`Œ¡Ì6óÇD$`Œ‰D$ÇD$ `ŒÇ$$`ŒèfÒGƒÄ,ÃfL$ƒäð1ÀÿqüU‰åWVU¤S‰×Q¹ƒìx‹5ì6óó« ö  d¡‹5bó‹x1Ûët&9Ç„Ç$èÿփì‰Øð±=Ä6ó ÀuÞ¡È6ó1ۃø „ ¡È6ó À„yÇ`Œ ¡È6óƒø „ö Û„¡ð«ˆ ÀtÇD$ÇD$Ç$ÿЃìèÏýFÇ$‡ÿbóƒì£7óÇ$@èN×GèÙûFÇ`Œ@èRÑG1ɋ ÀuëM„ÒtDƒá t'¹ ƒÀ ¶€ú ~ç‰Ëƒó €ú"DËë荴&v„Òtt&¶P ƒÀ „Òt€ú ~ð£`Œ‹ì6ó Ût¸ öEÐ  ⣈‹$`Œ4‰4$èèÏG‹ `Œ‰E ÛŽ‚ ‰ÃFü‰×‰EŒ ЉE”‹ƒÃƒÇ‰$èPÏGp ‰4$è­ÏG‰Cü‹Oü‰t$‰L$‰$è‡ÏG9}”uʋEŒEÇ‹E£ `ŒèùF¡`Œ‹<bó‰‰D$¡ `Œ‰D$¡$`Œ‰$è‹ `Œ£`Œ É„ò‹`Œ Ò„¡eðY[^_]aüÍt&·EÔéÿÿÿ´&¡È6ó» ƒø  ÿýÿÿÇ$è©ÏG¡È6óƒø  þÿÿÇD$póÇ$póègÏGÇÈ6ó Û ìýÿÿ‡Ä6óéáýÿÿ´&v‰$ÿüaóƒìéOýÿÿ´&è;ÏG¡`ŒeðY[^_]aüÃfÇD$póÇ$póÇÈ6ó èòÎGénýÿÿ‹EéÁþÿÿ‰$è½ÎG´&¶Çì6ó é±üÿÿÇì6óé¡üÿÿƒì‹D$ ‰$è™ÎG À”ÀƒÄ¶À÷ØАU‰åWVSƒìÇ$ ˆÿðaóƒì Àts‰ÃÇ$ ˆÿbó‹=øaóƒì£(`ŒÇD$ ˆ‰$ÿ׃ì‰ÆÇD$) ˆ‰$ÿ×£ˆƒì ötÇD$,`ŒÇ$ÀˆÿÖÇ$ @è^ÿÿÿeô[^_]ͶLj¾ëÀ´&´&U‰åƒì¡ˆ Àt Ç$ÀˆÿС(`Œ Àt‰$ÿèaóƒìÉÐU‰åWVSì ÇEÜû@ÇEà@ÇEä ‹Eä‹D ܐÿàé´ ‹E\‹‰Â‹E<‹‰MԋET‹‰]ЋE@‹0‰űE‹8‰}ȋE‹‰EċE4݋E0݋E‹‰MÀ‹E8‹‰]¼‹E݋E‹0‰u¸‹E‹8‰}´‹ED‹‰E°‹E‹‰M¬‹E‹‰]¨‹ELp$‰u¤‹EX‹8‰} ‹E(݋ED‹‰Eœ‹E<‹‰M˜‹E$‹‰]”‹Ed‹8‹EP‹0‹E,‹‹E0݋E0݋E ÝÙ΋E‹‹E‹‰E‹EH‹‰”$˜‹Uԉ”$”‹UЉ”$‹Ủ”$Œ‹Uȉ”$ˆ‹Uĉ”$„Ý\$|ÙÌÝ\$tÙʋUÀ‰T$p‹U¼‰T$lÝ\$d‹U¸‰T$`‹U´‰T$\‹U°‰T$X‹U¬‰T$T‹U¨‰T$P‹U¤‰T$L‹U ‰T$HÝ\$@‹Uœ‰T$<‹U˜‰T$8‹U”‰T$4‰|$0‰t$,‰\$(Ý\$ ÇD$P ˆÝ\$Ý\$‰L$‹u‰t$‰$èŠþA‹U`‰éGþÿÿÄ [^_]ÃU‰åìÈÇ HÿÿÿeÇ Lÿÿÿ?â‚ÇEð E‰ PÿÿÿE‰ TÿÿÿE‰ XÿÿÿE‰ \ÿÿÿE‰ `ÿÿÿE‰ dÿÿÿE ‰ hÿÿÿE$‰ lÿÿÿE(‰ pÿÿÿE,‰ tÿÿÿE0‰ xÿÿÿE4‰ |ÿÿÿE8‰E€E<‰E„E@‰EˆED‰EŒEH‰EEL‰E”EP‰E˜ET‰EœEX‰E E\‰E¤E`‰E¨Ed‰E¬Eh‰E°El‰E´Ep‰E¸Et‰E¼Ex‰EÀE|‰Eč €‰Eȍ „‰E̍ ˆ‰EЍ Œ‰Eԍ ‰E؍ ”‰E܍ ˜‰Eà œ‰Eä  ‰Eè ¤‰Eì‹Eðƒø w‹Eð‹„ Hÿÿÿ•Pÿÿÿ‰$ÿÐëáÉÃU‰å‹E‹@‹‹=þ‹EÇ@ë‹EÇ@]ÃU‰åƒì(ÇEìˆ@ÇEðŒ@ÇEô ‹Eô‹D ìëëÿà‹E‰$èƒr ÇEô‹Eô‹D ìëãÉÃU‰åƒì8ÇEè @ÇEìÕ@ÇEðþ@ÇEô‹Eô‹D èÿà‹E‰D$‹E‰D$‹E‰D$‹E‰D$‹E‰$è’<ë"‹E request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL ×Ýc’¿à! & @àa 0: Ðˆ* Ð0 ¨@ <  Ð .text„%&`P`.data|'@(,@`À.rdatapD pF T@`@.bss(À€`À.edataˆ*Ð,š@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48€  @@B/19RȐ Ê" @B/31]'`(ì @B/45š-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZx @xº´ Í!¸ LÍ!This program cannot be run in DOS mode.$PEL ó4cà"! 4p  Ð Ëý @AH S› Ȑ xF P/  ð#”   ¤ @ .text• `.rdataÄ @@.data<F0  @À.00cfg€  @@.rsrcx  @@.relocð#  $" @B request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZx @xº´ Í!¸ LÍ!This program cannot be run in DOS mode.$PEL ¤4cà"! ¶^ À¹  € jª @A `ãWä·, ° P/0 ØAS¼øhРì¼ÜäZ .textaµ¶ `.rdata” Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@ º´ Í!¸ LÍ!This program cannot be run in DOS mode. $ٓ1Cò_ò_ò_)n°Ÿò_”ŠÌ‹ò_ò^"ò_Ϛ^žò_Ϛ\•ò_Ϛ[Óò_ϚZÑò_Ϛ_œò_Ϛ œò_Ϛ]œò_Richò_PEL ‚ê0]à"! (‚`Ù@ ð,à@Ag‚Ï èr  ðœèA°¬=`x8¸w@päÀc@.text’&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZx @xº´ Í!¸ LÍ!This program cannot be run in DOS mode.$PEL Ð4cà"! Ø.`£  pl- @Aä&úÞÄ@ Px P/`\ ° ð |Ê\€&@.text‰×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\ ` @B request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZx @xº´ Í!¸ LÍ!This program cannot be run in DOS mode.$PEL ó4cà"! ÌðPÏ  Sg@ADvS —wð°€ÀP/ÀÈ58qà {Œ.text&ËÌ `.rdataÔ«à¬Ð@@.data˜|@À.00cfg „@@.rsrc€°†@@.relocÈ5À6Š@B request_handle: 0x00cc000c	1	1	0
InternetReadFile Sept. 2, 2024, 10:59 a.m.	buffer: MZÿÿ¸@躴 Í!¸ LÍ!This program cannot be run in DOS mode. $ÀÅäՄ¤Š†„¤Š†„¤Š†08e††¤Š†Ü†¤Š†„¤‹†¬¤Š†Ö̉‡—¤Š†Ö̎‡¤Š†Ö̏‡Ÿ¤Š†Ö̊‡ ¤Š†ÖÌu† ¤Š†Ö̈‡ ¤Š†Rich„¤Š†PEL |ê0]à"! ސÙð 0 Ôm @Aàã ¸ Œ úðA  € 8¸ @ ´.textôÜÞ `.dataôðâ@À.idata„ ä@@.rsrc ê@@.reloc î@B request_handle: 0x00cc000c	1	1	0
recv Sept. 2, 2024, 10:53 a.m.	buffer: HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Mon, 02 Sep 2024 02:04:55 GMT Content-Type: application/octet-stream Content-Length: 514560 Last-Modified: Sun, 01 Sep 2024 13:24:10 GMT Connection: keep-alive ETag: "66d46afa-7da00" Accept-Ranges: bytes MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL ÝOŽÐà! 0Ò>ñ @ @@ ìðOÄ   H.textDÑ Ò `.rsrcÄÔ@@.reloc Ø@B ñH©äG ¸W€Ã¨£^ã㙒YQ×=È(¶®êås‹ûà2$ã(|cFOH:<ї•iv$Þ:§S¡‚(‚ÀOt!Ç"ÚOlÿ‘¯·,¥^êl ¶Ø¿š½wgdùÓ½SUJJ)»Ž·ºã¢¯€¯wôIvVìˆ¾yµÇ^WÃx'f©Ú“³0Hg¶•V{fÿ“UAX‚òoƒ¦¡O§ Ûú¿R)¸‚Ö³¸°–ATýé]L—Ú%cJ½vú9í}#-V°Ö%~GµN'™ðI è5v°;IIà‰)ŽHÅqZ§ü<˜+(|M „îؒ¿{ƒ„²3ø¾UÇ¿aîútU ½     ¨¨ÜÐ f[ÉÇÇÉ[f ÐÜ  7ðð7¤¤       üü  FF ..   öö ŸŸ   DD 77    44    øø   ·· ÄÄ   11 BB    ww    <<  ÄÄ ¦¦    QQ   ÀÀ ¹¹  ÌÌ ìì    ÁÁ    ÏÏ    mm   ôô ÔÔ   ®® ÞÞ    ùù   MM ""   OO ;;   ïï ŠŠ    ll    aa    AA    ss received: 2800 socket: 928	1	2800	0

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section	{u'size_of_data': u'0x0002de00', u'virtual_address': u'0x00001000', u'entropy': 7.989358439733405, u'name': u' \\x00 ', u'virtual_size': u'0x00068000'}				entropy	7.98935843973				description	A section with a high entropy has been found
section	{u'size_of_data': u'0x001a5a00', u'virtual_address': u'0x00320000', u'entropy': 7.953732717298406, u'name': u'xzgvtied', u'virtual_size': u'0x001a6000'}				entropy	7.9537327173				description	A section with a high entropy has been found
entropy	0.994152046784				description	Overall entropy of this PE file is high

Expresses interest in specific running processes (2 events)

process	system
process	cmd.exe

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (32 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Sept. 2, 2024, 10:59 a.m.	snapshot_handle: 0x0000043c process_name: 1.exe process_identifier: 2928		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000b0 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000f8 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000f8 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000f8 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000f8 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000f8 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000f8 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000f8 process_name: conhost.exe process_identifier: 2692		0	0
Process32NextW Sept. 2, 2024, 10:52 a.m.	snapshot_handle: 0x00000000000000f8 process_name: conhost.exe process_identifier: 2692		0	0

Yara rule detected in process memory (11 events)

description	Take ScreenShot				rule	ScreenShot
description	PWS Memory				rule	Generic_PWS_Memory_Zero
description	RedLine stealer				rule	RedLine_Stealer_m_Zero
description	(no description)				rule	DebuggerCheck__GlobalFlags
description	(no description)				rule	DebuggerCheck__QueryInfo
description	(no description)				rule	DebuggerHiding__Thread
description	(no description)				rule	DebuggerHiding__Active
description	(no description)				rule	ThreadControl__Context
description	(no description)				rule	SEH__vectored
description	Checks if being debugged				rule	anti_dbg
description	Bypass DEP				rule	disable_dep

Queries for potentially installed applications (50 out of 52 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000294 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko) base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1	0	0
RegOpenKeyExA Sept. 2, 2024, 10:59 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561} base_handle: 0x80000002 key_handle: 0x00000298 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BB8B979E-E336-47E7-96BC-1031C1B94561}	1	0	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Sept. 2, 2024, 10:52 a.m.	status_code: 0x00000000 process_identifier: 1156 process_handle: 0x00000000000000b4		0	0
NtTerminateProcess Sept. 2, 2024, 10:52 a.m.	status_code: 0x00000000 process_identifier: 1156 process_handle: 0x00000000000000b4	1	0	0

Communicates with host for which no DNS query was performed (7 events)

host	154.216.17.170
host	185.215.113.16
host	185.215.113.17
host	185.215.113.19
host	185.215.113.26
host	95.179.250.45
host	95.216.143.20

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000001e8	1	0	0

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 514 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA Sept. 2, 2024, 10:58 a.m.	class_name: OLLYDBG window_name:		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Sept. 2, 2024, 10:58 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (5 events)

description	1.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
description	axplong.exe tried to sleep 1703 seconds, actually delayed analysis time by 1703 seconds
description	RegAsm.exe tried to sleep 185 seconds, actually delayed analysis time by 185 seconds
description	explorer.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
description	Hkbsse.exe tried to sleep 151 seconds, actually delayed analysis time by 151 seconds

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Amadeus.exe				reg_value	C:\Users\test22\1000238002\Amadeus.exe
file	C:\Windows\Tasks\axplong.job
file	C:\Windows\Tasks\Hkbsse.job

Attempts to access Bitcoin/ALTCoin wallets (1 event)

file	C:\Users\test22\AppData\Roaming\electrum\wallets

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 2, 2024, 10:58 a.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL óûÆáà  0ìÐ fº @  @ ºO ÄÉ ø¹  H.textLê ì `.rsrcÄÉ Ì ð@@.reloc¼@B base_address: 0x00400000 process_identifier: 2580 process_handle: 0x000001e8	1	1	0
WriteProcessMemory Sept. 2, 2024, 10:58 a.m.	buffer: °h: base_address: 0x00450000 process_identifier: 2580 process_handle: 0x000001e8	1	1	0
WriteProcessMemory Sept. 2, 2024, 10:58 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2580 process_handle: 0x000001e8	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 2, 2024, 10:58 a.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL óûÆáà  0ìÐ fº @  @ ºO ÄÉ ø¹  H.textLê ì `.rsrcÄÉ Ì ð@@.reloc¼@B base_address: 0x00400000 process_identifier: 2580 process_handle: 0x000001e8	1	1	0

Collects information about installed applications (38 events)

Time & API	Arguments	Status	Return	Repeated
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1	0	0
RegQueryValueExA Sept. 2, 2024, 10:59 a.m.	key_handle: 0x00000298 regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1	0	0

Harvests credentials from local email clients (4 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\00000004
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Process injection	Process 2500 called NtSetContextThread to modify thread in remote process 2580
Time & API	Arguments	Status	Return	Repeated
NtSetContextThread Sept. 2, 2024, 10:58 a.m.	registers.eip: 2005598660 registers.esp: 3342004 registers.edi: 0 registers.eax: 4373094 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000002c process_identifier: 2580	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Process injection	Process 2500 resumed a thread in remote process 2580
Time & API	Arguments	Status	Return	Repeated
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x0000002c suspend_count: 1 process_identifier: 2580	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Sept. 2, 2024, 10:58 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 52 83 ec 04 89 3c 24 89 exception.symbol: random+0x202215 exception.instruction: in eax, dx exception.module: random.exe exception.exception_code: 0xc0000096 exception.offset: 2105877 exception.address: 0x262215 registers.esp: 8519200 registers.edi: 134889 registers.eax: 1447909480 registers.ebp: 3990859796 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 2497561 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (1 event)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress Sept. 2, 2024, 10:52 a.m.	ordinal: 0 function_address: 0x000000000000000c function_name: wine_get_version module: ntdll module_address: 0x00000000776c0000		-1073741511	0

Executed a process and injected code into it, probably while unpacking (45 events)

Time & API	Arguments	Status	Return	Repeated
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 724	1	0	0
CreateProcessInternalW Sept. 2, 2024, 10:58 a.m.	thread_identifier: 2264 thread_handle: 0x000003e8 process_identifier: 2260 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\44111dbc49\axplong.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003f0	1	1	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 2260	1	0	0
CreateProcessInternalW Sept. 2, 2024, 10:58 a.m.	thread_identifier: 2504 thread_handle: 0x00000480 process_identifier: 2500 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000002001\crypted.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000484	1	1	0
CreateProcessInternalW Sept. 2, 2024, 10:58 a.m.	thread_identifier: 2852 thread_handle: 0x0000046c process_identifier: 2848 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000004001\crypteda.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000488	1	1	0
CreateProcessInternalW Sept. 2, 2024, 10:58 a.m.	thread_identifier: 3064 thread_handle: 0x000003b8 process_identifier: 3060 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000005001\Nework.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000005001\Nework.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000005001\Nework.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000049c	1	1	0
CreateProcessInternalW Sept. 2, 2024, 10:58 a.m.	thread_identifier: 2132 thread_handle: 0x00000394 process_identifier: 2128 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000066001\stealc_default2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000066001\stealc_default2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000066001\stealc_default2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000498	1	1	0
CreateProcessInternalW Sept. 2, 2024, 10:59 a.m.	thread_identifier: 2560 thread_handle: 0x00000470 process_identifier: 2572 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000129001\Set-up.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000129001\Set-up.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000129001\Set-up.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004a8	1	1	0
CreateProcessInternalW Sept. 2, 2024, 10:59 a.m.	thread_identifier: 2932 thread_handle: 0x00000490 process_identifier: 2928 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000191001\1.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000191001\1.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000191001\1.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004b0	1	1	0
CreateProcessInternalW Sept. 2, 2024, 10:59 a.m.	thread_identifier: 1440 thread_handle: 0x00000438 process_identifier: 184 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000228001\GetSys.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000228001\GetSys.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000228001\GetSys.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004b4	1	1	0
CreateProcessInternalW Sept. 2, 2024, 10:59 a.m.	thread_identifier: 2692 thread_handle: 0x00000494 process_identifier: 2636 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\1000238002\Amadeus.exe track: 1 command_line: "C:\Users\test22\1000238002\Amadeus.exe" filepath_r: C:\Users\test22\1000238002\Amadeus.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004b0	1	1	0
CreateProcessInternalW Sept. 2, 2024, 10:59 a.m.	thread_identifier: 2076 thread_handle: 0x000004a4 process_identifier: 2072 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000241001\build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000241001\build.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000241001\build.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004b8	1	1	0
CreateProcessInternalW Sept. 2, 2024, 10:59 a.m.	thread_identifier: 1284 thread_handle: 0x00000490 process_identifier: 2228 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000243001\runtime.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000243001\runtime.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000243001\runtime.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004b0	1	1	0
CreateProcessInternalW Sept. 2, 2024, 10:59 a.m.	thread_identifier: 1172 thread_handle: 0x00000488 process_identifier: 1012 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000248001\seidr_build.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000248001\seidr_build.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000248001\seidr_build.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004b0	1	1	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 2500	1	0	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x0000015c suspend_count: 1 process_identifier: 2500	1	0	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 2500	1	0	0
CreateProcessInternalW Sept. 2, 2024, 10:58 a.m.	thread_identifier: 2584 thread_handle: 0x0000002c process_identifier: 2580 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001e8	1	1	0
NtGetContextThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x0000002c	1	0	0
NtAllocateVirtualMemory Sept. 2, 2024, 10:58 a.m.	process_identifier: 2580 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE) process_handle: 0x000001e8	1	0	0
WriteProcessMemory Sept. 2, 2024, 10:58 a.m.	buffer: MZÿÿ¸@€º´ Í!¸ LÍ!This program cannot be run in DOS mode. $PEL óûÆáà  0ìÐ fº @  @ ºO ÄÉ ø¹  H.textLê ì `.rsrcÄÉ Ì ð@@.reloc¼@B base_address: 0x00400000 process_identifier: 2580 process_handle: 0x000001e8	1	1	0
WriteProcessMemory Sept. 2, 2024, 10:58 a.m.	buffer: base_address: 0x00402000 process_identifier: 2580 process_handle: 0x000001e8	1	1	0
WriteProcessMemory Sept. 2, 2024, 10:58 a.m.	buffer: base_address: 0x00432000 process_identifier: 2580 process_handle: 0x000001e8	1	1	0
WriteProcessMemory Sept. 2, 2024, 10:58 a.m.	buffer: °h: base_address: 0x00450000 process_identifier: 2580 process_handle: 0x000001e8	1	1	0
WriteProcessMemory Sept. 2, 2024, 10:58 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2580 process_handle: 0x000001e8	1	1	0
NtSetContextThread Sept. 2, 2024, 10:58 a.m.	registers.eip: 2005598660 registers.esp: 3342004 registers.edi: 0 registers.eax: 4373094 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000002c process_identifier: 2580	1	0	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x0000002c suspend_count: 1 process_identifier: 2580	1	0	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 2580	1	0	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2580	1	0	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x00000234 suspend_count: 1 process_identifier: 2580	1	0	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 2580	1	0	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2580	1	0	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2848	1	0	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2848	1	0	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x000001b4 suspend_count: 1 process_identifier: 2848	1	0	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x00000134 suspend_count: 1 process_identifier: 3060	1	0	0
CreateProcessInternalW Sept. 2, 2024, 10:58 a.m.	thread_identifier: 660 thread_handle: 0x00000314 process_identifier: 2236 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\054fdc5f70\Hkbsse.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\054fdc5f70\Hkbsse.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\054fdc5f70\Hkbsse.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000324	1	1	0
NtResumeThread Sept. 2, 2024, 10:58 a.m.	thread_handle: 0x000000ec suspend_count: 1 process_identifier: 2236	1	0	0
CreateProcessInternalW Sept. 2, 2024, 10:59 a.m.	thread_identifier: 932 thread_handle: 0x000003cc process_identifier: 792 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000009001\setup2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000009001\setup2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000009001\setup2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003d0	1	1	0
CreateProcessInternalW Sept. 2, 2024, 10:59 a.m.	thread_identifier: 2596 thread_handle: 0x0000039c process_identifier: 2600 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Users\test22\AppData\Local\Temp\1000011001\joffer2.exe track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\1000011001\joffer2.exe" filepath_r: C:\Users\test22\AppData\Local\Temp\1000011001\joffer2.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003dc	1	1	0
NtResumeThread Sept. 2, 2024, 10:52 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2228	1	0	0
NtResumeThread Sept. 2, 2024, 10:52 a.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 2228	1	0	0
NtResumeThread Sept. 2, 2024, 10:52 a.m.	thread_handle: 0x000000000000017c suspend_count: 1 process_identifier: 2228	1	0	0
NtResumeThread Sept. 2, 2024, 10:53 a.m.	thread_handle: 0x0000000000000360 suspend_count: 1 process_identifier: 2228	1	0	0
NtResumeThread Sept. 2, 2024, 10:52 a.m.	thread_handle: 0x0000000000000108 suspend_count: 1 process_identifier: 1012	1	0	0

File has been identified by 43 AntiVirus engines on VirusTotal as malicious (43 events)

Bkav	W32.AIDetectMalware
Elastic	malicious (high confidence)
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Generic.tc
ALYac	Gen:Variant.Kryptik.260
Cylance	Unsafe
VIPRE	Gen:Variant.Kryptik.260
BitDefender	Gen:Variant.Kryptik.260
Cybereason	malicious.b027d4
Arcabit	Trojan.Kryptik.260
Symantec	ML.Attribute.HighConfidence
tehtris	Generic.Malware
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
McAfee	Themida-FWSE!82F430CB027D
Avast	Win32:TrojanX-gen [Trj]
Kaspersky	HEUR:Trojan.Win32.Generic
MicroWorld-eScan	Gen:Variant.Kryptik.260
Emsisoft	Gen:Variant.Kryptik.260 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!82F430CB027D
Trapmine	malicious.high.ml.score
FireEye	Generic.mg.82f430cb027d4089
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
Google	Detected
Avira	TR/Crypt.TPM.Gen
MAX	malware (ai score=81)
Kingsoft	malware.kb.a.712
Gridinsoft	Trojan.Heur!.038120A1
ZoneAlarm	HEUR:Trojan.Win32.Generic
GData	Gen:Variant.Kryptik.260
Varist	W32/Agent.JDU.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.R645974
BitDefenderTheta	Gen:NN.ZexaF.36812.1DWaa4OeCEei
DeepInstinct	MALICIOUS
VBA32	TScope.Malware-Cryptor.SB
Malwarebytes	Trojan.Amadey
Zoner	Probably Heur.ExeHeaderL
Tencent	Trojan-DL.Win32.Deyma.kh
Fortinet	W32/Themida.HZB!tr
AVG	Win32:TrojanX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (D)

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (26 events)

dead_host	192.168.56.103:49193
dead_host	192.168.56.103:49224
dead_host	192.168.56.103:49212
dead_host	192.168.56.103:49247
dead_host	192.168.56.103:49278
dead_host	192.168.56.103:49186
dead_host	192.168.56.103:49208
dead_host	192.168.56.103:49229
dead_host	192.168.56.103:49225
dead_host	192.168.56.103:49210
dead_host	192.168.56.103:49232
dead_host	192.168.56.103:49218
dead_host	192.168.56.103:49285
dead_host	192.168.56.103:49230
dead_host	192.168.56.103:49171
dead_host	192.168.56.103:49267
dead_host	192.168.56.103:49226
dead_host	95.179.250.45:26212
dead_host	192.168.56.103:49179
dead_host	192.168.56.103:49243
dead_host	192.168.56.103:49214
dead_host	192.168.56.103:49231
dead_host	192.168.56.103:49255
dead_host	192.168.56.103:49227
dead_host	192.168.56.103:49251
dead_host	192.168.56.103:49200