Summary | ZeroBOX

cabal.exe

Tags: Emotet, Generic Malware, .NET framework(MSIL), Malicious Library, UPX, MSOffice File, .NET DLL, PE File, DLL, OS Processor Check, PE32, .NET EXE, CAB

Category: FILE
Machine: s1_win7_x6402
Started: Feb. 18, 2025, 5:32 p.m.
Completed: Feb. 18, 2025, 5:34 p.m.
Size: 102.5KB
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: c70277566ea794b1017c1c2c635799da
SHA256: b9e2b98038d7f4cad845c3b85c7286ab599f3fa8f2a4ad0fbb0e718756316e84
CRC32: 838CAE0C
ssdeep: 1536:KTG7BHq5LVgGaPXiDFMZHJqtBy3dbEKThUtjG9X4n4PZHJqtBy3dbNJZH1ttBc3d:VBILV9uXiqtktGndcGVtktGltXt4d
PDB Path: C:\Users\Jasper & Dave\Desktop\DBZ\Launcher Project\Launcher1\1\MMOParadox Expansion Launcher\cabal\obj\Remote Debug\cabal.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file

Name | Response | Post-Analysis Lookup
s4.gtsystems.hu | 185.6.188.137 |

IP Address | Status | Action
168.138.162.78 | Active | Moloch
164.124.101.2 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.102:49162 -> 168.138.162.78:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 168.138.162.78:80 -> 192.168.56.102:49162 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 168.138.162.78:80 -> 192.168.56.102:49162 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 168.138.162.78:80 -> 192.168.56.102:49162 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.102:49167 -> 168.138.162.78:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic
TCP 168.138.162.78:80 -> 192.168.56.102:49167 | 2014819 | ET INFO Packed Executable Download | Misc activity
TCP 168.138.162.78:80 -> 192.168.56.102:49167 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 168.138.162.78:80 -> 192.168.56.102:49167 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 168.138.162.78:80 -> 192.168.56.102:49167 | 2015744 | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | Misc activity
TCP 192.168.56.102:49162 -> 168.138.162.78:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic
TCP 192.168.56.102:49162 -> 168.138.162.78:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic
TCP 192.168.56.102:49162 -> 168.138.162.78:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status Return Repeated
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
IsDebuggerPresent | (none) | 0 0
Time & API | Arguments | Status Return Repeated
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633900; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633900; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633900; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633900; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633980; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633980; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633880; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633880; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633880; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633880; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633880; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633880; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633a80; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633b00; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633b00; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633f40; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633d40; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633ac0; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00634780; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00634600; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633e40; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633d80; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633a00; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633d00; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00633e00; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00634000; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00634700; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00634700; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00634700; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00634100; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x00634440; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x006342c0; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x006c9900; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x006c9900; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x006c99c0; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x006c99c0; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x006c9900; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x006c9900; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x007e2f38; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x007e2f38; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x007e2f38; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x007e2f38; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x007e2fb8; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x007e2fb8; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x007e2eb8; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x007e2eb8; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x007e2eb8; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x007e2eb8; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x007e2eb8; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER>; crypto_handle: 0x007e2eb8; flags: 0; crypto_export_handle: 0x00000000; blob_type: 6 | 1 1 0
pdb_path C:\Users\Jasper & Dave\Desktop\DBZ\Launcher Project\Launcher1\1\MMOParadox Expansion Launcher\cabal\obj\Remote Debug\cabal.pdb
Time & API | Arguments | Status Return Repeated
GlobalMemoryStatusEx | (none) | 1 1 0
suspicious_features: GET method with no useragent header, Connection to IP address
suspicious_request:
  • GET http://168.138.162.78/output//resources.xml
  • GET http://168.138.162.78/output//client/update.exe
  • GET http://168.138.162.78/output//client/7z.dll
  • GET http://168.138.162.78/output//client/SevenZipSharp.dll
  • GET http://168.138.162.78/output//client/System.Windows.Interactivity.dll
  • GET http://168.138.162.78/output/updates/update_1.7z
  • GET http://168.138.162.78/output/client/custom.dll
  • GET http://168.138.162.78/output/client/Data/ability.enc
  • GET http://168.138.162.78/output/client/Data/achievement.enc
  • GET http://168.138.162.78/output/client/Data/assistant.enc
  • GET http://168.138.162.78/output/client/Data/cabal.enc
  • GET http://168.138.162.78/output/client/Data/caz.enc
  • GET http://168.138.162.78/output/client/Data/change_shape.enc
  • GET http://168.138.162.78/output/client/Data/cont.enc
  • GET http://168.138.162.78/output/client/Data/cont2.enc
  • GET http://168.138.162.78/output/client/Data/data.enc
  • GET http://168.138.162.78/output/client/Data/destroy.enc
  • GET http://168.138.162.78/output/client/Data/extra_obj.enc
  • GET http://168.138.162.78/output/client/Data/global.enc
  • GET http://168.138.162.78/output/client/Data/help.enc
  • GET http://168.138.162.78/output/client/Data/item.enc
  • GET http://168.138.162.78/output/client/Data/keymap.enc
  • GET http://168.138.162.78/output/client/Data/klog.enc
  • GET http://168.138.162.78/output/client/Data/mapinfo.enc
  • GET http://168.138.162.78/output/client/Data/market.enc
  • GET http://168.138.162.78/output/client/Data/maze.enc
  • GET http://168.138.162.78/output/client/Data/mob.enc
  • GET http://168.138.162.78/output/client/Data/mobex.enc
  • GET http://168.138.162.78/output/client/Data/msg.enc
  • GET http://168.138.162.78/output/client/Data/quest.enc
  • GET http://168.138.162.78/output/client/Data/smob.enc
  • GET http://168.138.162.78/output/client/Data/title.enc
  • GET http://168.138.162.78/output/client/Data/usersetting.dat
  • GET http://168.138.162.78/output/client/Data/FX/EFX/Arms/skull_13_keep.efx
  • GET http://168.138.162.78/output/client/Data/FX/EFX/Arms/skull_13_keep_15.efx
  • GET http://168.138.162.78/output/client/Data/FX/EFX/buff/mbuff_keep__888.efx
  • GET http://168.138.162.78/output/client/Data/FX/SRC/ebm/skull_13_keep_r.ebm
  • GET http://168.138.162.78/output/client/Data/FX/SRC/ebm/skull_13_keep_r2.ebm
  • GET http://168.138.162.78/output/client/Data/FX/SRC/ebm/skull_13_keep_r3.ebm
  • GET http://168.138.162.78/output/client/Data/Item/arms/Skull_13_keep.EBM
  • GET http://168.138.162.78/output/client/Data/Item/bike/bike_46.ebm
  • GET http://168.138.162.78/output/client/Data/Language/English/achievement_msg.enc
  • GET http://168.138.162.78/output/client/Data/Language/English/cabal_msg.enc
  • GET http://168.138.162.78/output/client/Data/Language/English/caz_msg.enc
  • GET http://168.138.162.78/output/client/Data/Language/English/cont2_msg.enc
  • GET http://168.138.162.78/output/client/Data/Language/English/cont_msg.enc
  • GET http://168.138.162.78/output/client/Data/Language/English/extra_obj_msg.enc
  • GET http://168.138.162.78/output/client/Data/Language/English/help.enc
  • GET http://168.138.162.78/output/client/Data/Language/English/keymap_msg.enc
  • GET http://168.138.162.78/output/client/Data/Language/English/klog.enc
request GET http://168.138.162.78/output//resources.xml
request GET http://168.138.162.78/output//client/update.exe
request GET http://168.138.162.78/output//client/7z.dll
request GET http://168.138.162.78/output//client/SevenZipSharp.dll
request GET http://168.138.162.78/output//client/System.Windows.Interactivity.dll
request GET http://168.138.162.78/output/updates/update_1.7z
request GET http://168.138.162.78/output/client/custom.dll
request GET http://168.138.162.78/output/client/Data/ability.enc
request GET http://168.138.162.78/output/client/Data/achievement.enc
request GET http://168.138.162.78/output/client/Data/assistant.enc
request GET http://168.138.162.78/output/client/Data/cabal.enc
request GET http://168.138.162.78/output/client/Data/caz.enc
request GET http://168.138.162.78/output/client/Data/change_shape.enc
request GET http://168.138.162.78/output/client/Data/cont.enc
request GET http://168.138.162.78/output/client/Data/cont2.enc
request GET http://168.138.162.78/output/client/Data/data.enc
request GET http://168.138.162.78/output/client/Data/destroy.enc
request GET http://168.138.162.78/output/client/Data/extra_obj.enc
request GET http://168.138.162.78/output/client/Data/global.enc
request GET http://168.138.162.78/output/client/Data/help.enc
request GET http://168.138.162.78/output/client/Data/item.enc
request GET http://168.138.162.78/output/client/Data/keymap.enc
request GET http://168.138.162.78/output/client/Data/klog.enc
request GET http://168.138.162.78/output/client/Data/mapinfo.enc
request GET http://168.138.162.78/output/client/Data/market.enc
request GET http://168.138.162.78/output/client/Data/maze.enc
request GET http://168.138.162.78/output/client/Data/mob.enc
request GET http://168.138.162.78/output/client/Data/mobex.enc
request GET http://168.138.162.78/output/client/Data/msg.enc
request GET http://168.138.162.78/output/client/Data/quest.enc
request GET http://168.138.162.78/output/client/Data/smob.enc
request GET http://168.138.162.78/output/client/Data/title.enc
request GET http://168.138.162.78/output/client/Data/usersetting.dat
request GET http://168.138.162.78/output/client/Data/FX/EFX/Arms/skull_13_keep.efx
request GET http://168.138.162.78/output/client/Data/FX/EFX/Arms/skull_13_keep_15.efx
request GET http://168.138.162.78/output/client/Data/FX/EFX/buff/mbuff_keep__888.efx
request GET http://168.138.162.78/output/client/Data/FX/SRC/ebm/skull_13_keep_r.ebm
request GET http://168.138.162.78/output/client/Data/FX/SRC/ebm/skull_13_keep_r2.ebm
request GET http://168.138.162.78/output/client/Data/FX/SRC/ebm/skull_13_keep_r3.ebm
request GET http://168.138.162.78/output/client/Data/Item/arms/Skull_13_keep.EBM
request GET http://168.138.162.78/output/client/Data/Item/bike/bike_46.ebm
request GET http://168.138.162.78/output/client/Data/Language/English/achievement_msg.enc
request GET http://168.138.162.78/output/client/Data/Language/English/cabal_msg.enc
request GET http://168.138.162.78/output/client/Data/Language/English/caz_msg.enc
request GET http://168.138.162.78/output/client/Data/Language/English/cont2_msg.enc
request GET http://168.138.162.78/output/client/Data/Language/English/cont_msg.enc
request GET http://168.138.162.78/output/client/Data/Language/English/extra_obj_msg.enc
request GET http://168.138.162.78/output/client/Data/Language/English/help.enc
request GET http://168.138.162.78/output/client/Data/Language/English/keymap_msg.enc
request GET http://168.138.162.78/output/client/Data/Language/English/klog.enc
Time & API | Arguments | Status Return Repeated
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 2293760; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x008c0000; allocation_type: 8192 (MEM_RESERVE); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x00ab0000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtProtectVirtualMemory | process_identifier: 3040; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73d91000; process_handle: 0xffffffff | 1 0 0
NtProtectVirtualMemory | process_identifier: 3040; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73d92000; process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 1179648; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x006f0000; allocation_type: 8192 (MEM_RESERVE); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x007d0000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003c2000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003f5000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003fb000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003f7000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003dc000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003ca000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x006f0000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003e6000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003ea000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003e7000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003da000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtProtectVirtualMemory | process_identifier: 3040; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x6f5e2000; process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003eb000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003ec000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 327680; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x7ef50000; allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x7ef50000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x7ef50000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x7ef58000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 65536; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x7ef40000; allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x7ef40000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003fc000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x00ab1000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 16384; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x00ab2000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 69632; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x00ab6000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003db000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003e8000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003ed000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x006f1000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtProtectVirtualMemory | process_identifier: 3040; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x6e363000; process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003ee000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x006f2000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x006f3000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x006f4000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 3040; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x07ee0000; allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2272; region_size: 393216; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x00340000; allocation_type: 8192 (MEM_RESERVE); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2272; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x00360000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtProtectVirtualMemory | process_identifier: 2272; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73d11000; process_handle: 0xffffffff | 1 0 0
NtProtectVirtualMemory | process_identifier: 2272; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; length: 4096; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x73d12000; process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2272; region_size: 1310720; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 0; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x00a30000; allocation_type: 8192 (MEM_RESERVE); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2272; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x00b30000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2272; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x003e2000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2272; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1; protection: 64 (PAGE_EXECUTE_READWRITE); base_address: 0x00455000; allocation_type: 4096 (MEM_COMMIT); process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2272; region_size: 4096; stack_dep_bypass: 0; stack_pivoted: 0; heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0045b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2272
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00457000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
description update.exe tried to sleep 145 seconds, actually delayed analysis time by 145 seconds
file C:\Users\test22\AppData\Local\Temp\custom.dll
file C:\Users\test22\AppData\Local\Temp\SevenZipSharp.dll
file C:\Users\test22\AppData\Local\Temp\7z.dll
file C:\Users\test22\AppData\Local\Temp\System.Windows.Interactivity.dll
file C:\Users\test22\AppData\Local\Temp\update.exe
file C:\Users\test22\AppData\Local\Temp\update.exe
file C:\Users\test22\AppData\Local\Temp\custom.dll
file C:\Users\test22\AppData\Local\Temp\SevenZipSharp.dll
file C:\Users\test22\AppData\Local\Temp\System.Windows.Interactivity.dll
file C:\Users\test22\AppData\Local\Temp\update.exe
file C:\Users\test22\AppData\Local\Temp\7z.dll
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

recv

buffer: HTTP/1.1 200 OK Date: Tue, 18 Feb 2025 08:32:32 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Mon, 25 Nov 2024 11:50:49 GMT ETag: "7ea400-627bb57ff9840" Accept-Ranges: bytes Content-Length: 8299520 Content-Type: application/x-msdos-program [binary MZ/PE executable body omitted]
received: 2920
socket: 1188
1 2920 0

recv

buffer: HTTP/1.1 200 OK Date: Tue, 18 Feb 2025 08:32:36 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Fri, 09 Aug 2024 11:30:03 GMT ETag: "24e00-61f3e76dea4c0" Accept-Ranges: bytes Content-Length: 151040 Content-Type: application/x-msdos-program [binary MZ/PE executable body omitted]
received: 2920
socket: 1188
1 2920 0

recv

buffer: HTTP/1.1 200 OK Date: Tue, 18 Feb 2025 08:32:36 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Fri, 09 Aug 2024 11:30:03 GMT ETag: "9c00-61f3e76dea4c0" Accept-Ranges: bytes Content-Length: 39936 Content-Type: application/x-msdos-program [binary MZ/PE executable body omitted]
received: 2920
socket: 1188
1 2920 0

recv

buffer: HTTP/1.1 200 OK Date: Tue, 18 Feb 2025 08:32:43 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Wed, 17 Oct 2018 01:04:20 GMT ETag: "14000-578624008cd00" Accept-Ranges: bytes Content-Length: 81920 Content-Type: application/x-msdos-program [binary MZ/PE executable body omitted]
received: 2920
socket: 1248
1 2920 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 3040
process_handle: 0x00000688
0 0
buffer Buffer with sha1: a9c15c57f4a6c75232819cae314a528ba91b3af6
host 168.138.162.78
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
file C:\Users\test22\AppData\Local\Temp\Data\smob.enc
file C:\Users\test22\AppData\Local\Temp\Data\assistant.enc
file C:\Users\test22\AppData\Local\Temp\Data\title.enc
file C:\Users\test22\AppData\Local\Temp\Data\achievement.enc
file C:\Users\test22\AppData\Local\Temp\Data\destroy.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\keymap_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\FX\SRC\ebm\skull_13_keep_r.ebm
file C:\Users\test22\AppData\Local\Temp\Data\cabal.enc
file C:\Users\test22\AppData\Local\Temp\Data\msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\quest.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\cont2_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\klog.enc
file C:\Users\test22\AppData\Local\Temp\Data\Item\arms\Skull_13_keep.EBM
file C:\Users\test22\AppData\Local\Temp\Data\Item\bike\bike_46.ebm
file C:\Users\test22\AppData\Local\Temp\Data\ability.enc
file C:\Users\test22\AppData\Local\Temp\Data\caz.enc
file C:\Users\test22\AppData\Local\Temp\Data\global.enc
file C:\Users\test22\AppData\Local\Temp\xdata.enc
file C:\Users\test22\AppData\Local\Temp\Data\item.enc
file C:\Users\test22\AppData\Local\Temp\Data\cont2.enc
file C:\Users\test22\AppData\Local\Temp\Data\change_shape.enc
file C:\Users\test22\AppData\Local\Temp\Data\FX\EFX\Arms\skull_13_keep.efx
file C:\Users\test22\AppData\Local\Temp\Data\language\English\klog.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\script.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\language.enc
file C:\Users\test22\AppData\Local\Temp\Data\keymap.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\help.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\cont_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\achievement_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\extra_obj.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\caz_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\FX\SRC\ebm\skull_13_keep_r3.ebm
file C:\Users\test22\AppData\Local\Temp\Data\mobex.enc
file C:\Users\test22\AppData\Local\Temp\Data\FX\SRC\ebm\skull_13_keep_r2.ebm
file C:\Users\test22\AppData\Local\Temp\mainEX.dat
file C:\Users\test22\AppData\Local\Temp\Data\data.enc
file C:\Users\test22\AppData\Local\Temp\Data\FX\EFX\buff\mbuff_keep__888.efx
file C:\Users\test22\AppData\Local\Temp\Data\ui.dat
file C:\Users\test22\AppData\Local\Temp\Data\FX\EFX\Arms\skull_13_keep_15.efx
file C:\Users\test22\AppData\Local\Temp\Data\market.enc
file C:\Users\test22\AppData\Local\Temp\Data\cont.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\tip.enc
file C:\Users\test22\AppData\Local\Temp\Data\mapinfo.enc
file C:\Users\test22\AppData\Local\Temp\Data\Map\world_01.mcl
file C:\Users\test22\AppData\Local\Temp\Data\maze.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\extra_obj_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\help.enc
file C:\Users\test22\AppData\Local\Temp\Data\Object\Character\man8.ech
file C:\Users\test22\AppData\Local\Temp\Data\mob.enc
file C:\Users\test22\AppData\Local\Temp\Data\achievement.enc
file C:\Users\test22\AppData\Local\Temp\Data\mobex.enc
file C:\Users\test22\AppData\Local\Temp\Data\cabal.enc
file C:\Users\test22\AppData\Local\Temp\Data\title.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\tip.enc
file C:\Users\test22\AppData\Local\Temp\Data\maze.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\achievement_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\cont.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\cont_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\script_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\language.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\caz_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\mapinfo.enc
file C:\Users\test22\AppData\Local\Temp\Data\msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\global.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\klog.enc
file C:\Users\test22\AppData\Local\Temp\Data\ability.enc
file C:\Users\test22\AppData\Local\Temp\Data\cont2.enc
file C:\Users\test22\AppData\Local\Temp\Data\item.enc
file C:\Users\test22\AppData\Local\Temp\Data\data.enc
file C:\Users\test22\AppData\Local\Temp\Data\change_shape.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\extra_obj_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\mob.enc
file C:\Users\test22\AppData\Local\Temp\Data\quest.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\keymap_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\klog.enc
file C:\Users\test22\AppData\Local\Temp\Data\destroy.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\script.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\cont2_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\keymap.enc
file C:\Users\test22\AppData\Local\Temp\Data\extra_obj.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\cabal_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\language\English\help.enc
file C:\Users\test22\AppData\Local\Temp\Data\smob.enc
file C:\Users\test22\AppData\Local\Temp\Data\help.enc
file C:\Users\test22\AppData\Local\Temp\Data\caz.enc
file C:\Users\test22\AppData\Local\Temp\Data\market.enc
file C:\Users\test22\AppData\Local\Temp\xdata.enc
file C:\Users\test22\AppData\Local\Temp\Data\assistant.enc
Lionic Trojan.Win32.GameTool.a!c
CAT-QuickHeal Trojan.MFC.S27416719
Skyhigh Artemis!Trojan
ALYac Gen:Variant.MSILHeracles.122902
Cylance Unsafe
VIPRE Gen:Variant.MSILHeracles.122902
Sangfor Suspicious.Win32.Save.a
CrowdStrike win/malicious_confidence_90% (W)
BitDefender Gen:Variant.MSILHeracles.122902
K7GW Trojan ( 700000121 )
K7AntiVirus Trojan ( 700000121 )
Arcabit Trojan.MSILHeracles.D1E016
VirIT Trojan.Win32.MSIL_Heur.A
Symantec Downloader
Elastic malicious (high confidence)
ESET-NOD32 a variant of MSIL/GameTool_AGen.J potentially unsafe
Avast Win32:Malware-gen
Kaspersky HEUR:Trojan-Downloader.MSIL.Agent.gen
NANO-Antivirus Trojan.Win32.GameToolAGen.kvpqde
SUPERAntiSpyware Trojan.Agent/Gen-MSILHeracles
MicroWorld-eScan Gen:Variant.MSILHeracles.122902
Rising Downloader.Agent!8.B23 (CLOUD)
Emsisoft Gen:Variant.MSILHeracles.122902 (B)
DrWeb Trojan.Siggen13.46855
TrendMicro TROJ_GEN.R002C0XKP24
McAfeeD ti!B9E2B98038D7
CTX exe.trojan.msil
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
FireEye Gen:Variant.MSILHeracles.122902
Webroot W32.Trojan.Gen
Google Detected
Kingsoft MSIL.Trojan-Downloader.Agent.gen
Xcitium ApplicUnwnt@#3neeme1nfleva
Microsoft Program:Win32/Wacapew.C!ml
ViRobot Trojan.Win.Z.Gametool_Agen.104960.A
GData Gen:Variant.MSILHeracles.122902
Varist W32/MSIL_Agent.INB.gen!Eldorado
AhnLab-V3 Malware/Win.Generic.R683133
McAfee GenericRXAA-FA!C70277566EA7
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware.AI.DDS
Ikarus Backdoor.Androm
TrendMicro-HouseCall TROJ_GEN.R002C0XKP24
Fortinet Adware/GameTool_AGen
AVG Win32:Malware-gen
Paloalto generic.ml