Summary | ZeroBOX

cabal.exe

Tags: Emotet, Generic Malware, .NET framework(MSIL), Malicious Library, Downloader, UPX, Anti_VM, MSOffice File, .NET DLL, PE File, DLL, OS Processor Check, PE32, .NET EXE, CAB

Category: FILE
Machine: s1_win7_x6401
Started: Feb. 19, 2025, 11 a.m.
Completed: Feb. 19, 2025, 11:04 a.m.

Size: 102.5KB
Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: c0b915db483249fbb011d4c73d0dbf1f
SHA256: 1e997ac3340205e49c67004ba0d78f67e4696eaaecaa239e6aa8bdb357496ab9
CRC32: DFE03B56
ssdeep: 1536:1jOHRPqUVgGanX+DFVZHJqtBy3dbEKshUtjG9X4n4PZHJqtBy3dbTZH1ttBc3dbj:gRTV9uX+/tktGn8cGVtktGZtXt4d
PDB Path: C:\Users\Jasper & Dave\Desktop\DBZ\Launcher Project\Launcher1\1\MMOParadox Expansion Launcher - Copy\cabal\obj\Remote Debug\cabal.pdb
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult
  • Is_DotNET_EXE - (no description)
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
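Three of the hits above (IsPE32, Is_DotNET_EXE, UPX_Zero) are structural facts that can be verified from the PE headers alone. The Python below is an added cross-check, not one of ZeroBOX's Yara rules (their text is not on this page): it reads the optional-header magic (0x10B for PE32), the CLR runtime header data directory (entry 14, non-zero for a .NET assembly) and the section names, and reports any section whose name starts with UPX, which is one common way a UPX rule is written. It builds a header-only synthetic PE inline as constructed input so it runs offline; pass a real file path to triage that instead. Two caveats for reading the Yara section: section names are trivially renamed, so a UPX hit on a file the type scanner calls a Mono/.Net assembly is worth verifying by hand rather than taken at face value; and rule names such as Win32_Trojan_PWS_Net_1_Zero (Azorult) or the Emotet tag are labels emitted by the matching rules, while nothing else on this page (a PDB path naming a game-launcher project, traffic that fetches .enc, .dds and .gld game data) corroborates a specific family, so treat the family attribution as unconfirmed.

```python
"""Header-level checks behind the IsPE32 / Is_DotNET_EXE / UPX_Zero tags (added example)."""
import struct
import sys
from dataclasses import dataclass
from typing import List

IMAGE_DOS_SIGNATURE = 0x5A4D               # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550            # "PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B      # PE32 (0x20B would be PE32+)
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_DLL = 0x2000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data-directory slot of the CLR runtime header


@dataclass
class PeTriage:
    machine: int
    is_pe32: bool
    is_dll: bool
    is_dotnet: bool
    section_names: List[str]

    @property
    def upx_sections(self) -> List[str]:
        return [n for n in self.section_names if n.upper().startswith("UPX")]


def triage_pe(data: bytes) -> PeTriage:
    """Walk DOS header -> PE signature -> file header -> optional header -> section table."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    machine, n_sections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, file_hdr)
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    is_pe32 = magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC
    # NumberOfRvaAndSizes sits at +92 in PE32 and +108 in PE32+; the directories follow it.
    n_dirs_off = opt + (92 if is_pe32 else 108)
    n_dirs = struct.unpack_from("<I", data, n_dirs_off)[0]
    clr_rva = clr_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, n_dirs_off + 4 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sect_off = opt + opt_size                      # section table starts right after the optional header
    names = []
    for i in range(n_sections):
        raw = data[sect_off + 40 * i: sect_off + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return PeTriage(machine, is_pe32, bool(characteristics & IMAGE_FILE_DLL),
                    clr_rva != 0 and clr_size != 0, names)


def build_synthetic_pe32(section_names: List[str], dotnet: bool, dll: bool = False) -> bytes:
    """Constructed header-only PE32 image for offline testing; it is not a runnable executable."""
    n_dirs = 16
    opt_size = 96 + 8 * n_dirs                     # fixed PE32 fields + 16 data directories
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(section_names),
                           0, 0, 0, opt_size, characteristics)
    opt = struct.pack("<H", IMAGE_NT_OPTIONAL_HDR32_MAGIC).ljust(92, b"\0") + struct.pack("<I", n_dirs)
    dirs = [(0, 0)] * n_dirs
    if dotnet:
        dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR] = (0x2008, 0x48)   # arbitrary non-zero RVA/size
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + opt + sections


if __name__ == "__main__":
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_synthetic_pe32([".text", ".rsrc", ".reloc"], dotnet=True))
    t = triage_pe(blob)
    print(f"PE32={t.is_pe32} DLL={t.is_dll} .NET={t.is_dotnet} UPX sections={t.upx_sections}")
```

The parser deliberately stops at the headers: a CLR data directory and PE32 magic are enough to reproduce the .NET EXE / PE32 tags, and anything deeper (metadata streams, the UPX stub itself) needs the file on hand, which this page does not provide.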

Name | Response | Post-Analysis Lookup
s4.gtsystems.hu | (empty) | (empty)

IP Address | Status | Action
168.138.162.78 | Active | Moloch
164.124.101.2 | Active | Moloch

Suricata Alerts

Flow | SID | Signature | Category
TCP 192.168.56.101:49162 -> 168.138.162.78:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 168.138.162.78:80 -> 192.168.56.101:49162 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 168.138.162.78:80 -> 192.168.56.101:49162 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 168.138.162.78:80 -> 192.168.56.101:49162 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic
TCP 192.168.56.101:49166 -> 168.138.162.78:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic
TCP 168.138.162.78:80 -> 192.168.56.101:49166 | 2014819 | ET INFO Packed Executable Download | Misc activity
TCP 168.138.162.78:80 -> 192.168.56.101:49166 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 168.138.162.78:80 -> 192.168.56.101:49166 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 168.138.162.78:80 -> 192.168.56.101:49166 | 2015744 | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) | Misc activity
TCP 192.168.56.101:49162 -> 168.138.162.78:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 168.138.162.78:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic
TCP 192.168.56.101:49162 -> 168.138.162.78:80 | 2027250 | ET INFO Dotted Quad Host DLL Request | Potentially Bad Traffic
TCP 192.168.56.101:49168 -> 168.138.162.78:80 | 2016141 | ET INFO Executable Download from dotted-quad Host | Potentially Bad Traffic
TCP 168.138.162.78:80 -> 192.168.56.101:49168 | 2018959 | ET POLICY PE EXE or DLL Windows file download HTTP | Potential Corporate Privacy Violation
TCP 168.138.162.78:80 -> 192.168.56.101:49168 | 2016538 | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download | Potentially Bad Traffic
TCP 168.138.162.78:80 -> 192.168.56.101:49168 | 2021076 | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response | Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Time & API | Arguments | Status | Return | Repeated

IsDebuggerPresent: 16 calls logged, no arguments, every call recorded with the same values (0 0).
Time & API | Arguments | Status | Return | Repeated

CryptExportKey: 50 calls, every one with status 1, return 1, repeated 0 and the same arguments apart from crypto_handle:
  buffer: <INVALID POINTER>
  flags: 0
  crypto_export_handle: 0x00000000
  blob_type: 6 (PUBLICKEYBLOB)
crypto_handle per call, in logged order (count in parentheses where consecutive calls reuse a handle):
  0x0045b170 (4), 0x0045b1f0 (2), 0x0045b0f0 (6), 0x0045b170 (1), 0x0045b7f0 (2), 0x0045bdb0, 0x0045b4f0, 0x0045b970, 0x0045bbb0, 0x0045baf0, 0x0045b6f0, 0x0045bcb0, 0x0045bc70, 0x0045b8f0, 0x0045b2b0, 0x0045b730, 0x0045ba70 (3), 0x0045b430, 0x0052a638, 0x0045b9b0, 0x0052aa78 (2), 0x0052abb8 (2), 0x0052aa78 (2), 0x0051b150 (4), 0x0051b1d0 (2), 0x0051b0d0 (6)

Reading note: blob_type 6 is PUBLICKEYBLOB, and a NULL output buffer (logged here as <INVALID POINTER>) together with a successful return is the standard CryptoAPI size query, where the caller passes pbData = NULL and reads the required length back through pdwDataLen. These records therefore show public-key exports being sized; no private key material (PRIVATEKEYBLOB, blob_type 7) is exported anywhere in this log.
pdb_path C:\Users\Jasper & Dave\Desktop\DBZ\Launcher Project\Launcher1\1\MMOParadox Expansion Launcher - Copy\cabal\obj\Remote Debug\cabal.pdb
Time & API | Arguments | Status | Return | Repeated

GlobalMemoryStatusEx: 1 call, no arguments, status 1, return 1, repeated 0.
suspicious_features (flagged on every request below): GET method with no useragent header, Connection to IP address
suspicious_request / request: 50 GET requests, in logged order
GET http://168.138.162.78/output0//resources0.xml
GET http://168.138.162.78/output0//client/update.exe
GET http://168.138.162.78/output0//client/7z.dll
GET http://168.138.162.78/output0//client/SevenZipSharp.dll
GET http://168.138.162.78/output0//client/System.Windows.Interactivity.dll
GET http://168.138.162.78/output0/updates/update_1.7z
GET http://168.138.162.78/output0/client/custom.dll
GET http://168.138.162.78/output0/client/Data/ability.enc
GET http://168.138.162.78/output0/client/Data/achievement.enc
GET http://168.138.162.78/output0/client/Data/assistant.enc
GET http://168.138.162.78/output0/client/Data/cabal.enc
GET http://168.138.162.78/output0/client/Data/caz.enc
GET http://168.138.162.78/output0/client/Data/change_shape.enc
GET http://168.138.162.78/output0/client/Data/cont.enc
GET http://168.138.162.78/output0/client/Data/cont2.enc
GET http://168.138.162.78/output0/client/Data/data.enc
GET http://168.138.162.78/output0/client/Data/destroy.enc
GET http://168.138.162.78/output0/client/Data/extra_obj.enc
GET http://168.138.162.78/output0/client/Data/global.enc
GET http://168.138.162.78/output0/client/Data/item.enc
GET http://168.138.162.78/output0/client/Data/keymap.enc
GET http://168.138.162.78/output0/client/Data/mapinfo.enc
GET http://168.138.162.78/output0/client/Data/market.enc
GET http://168.138.162.78/output0/client/Data/maze.enc
GET http://168.138.162.78/output0/client/Data/mob.enc
GET http://168.138.162.78/output0/client/Data/quest.enc
GET http://168.138.162.78/output0/client/Data/smob.enc
GET http://168.138.162.78/output0/client/Data/Language/English/achievement_msg.enc
GET http://168.138.162.78/output0/client/Data/Language/English/cabal_msg.enc
GET http://168.138.162.78/output0/client/Data/Language/English/caz_msg.enc
GET http://168.138.162.78/output0/client/Data/Language/English/cont2_msg.enc
GET http://168.138.162.78/output0/client/Data/Language/English/cont_msg.enc
GET http://168.138.162.78/output0/client/Data/Language/English/extra_obj_msg.enc
GET http://168.138.162.78/output0/client/Data/Language/English/help.enc
GET http://168.138.162.78/output0/client/Data/Language/English/keymap_msg.enc
GET http://168.138.162.78/output0/client/Data/Language/English/klog.enc
GET http://168.138.162.78/output0/client/Data/Language/English/msg.enc
GET http://168.138.162.78/output0/client/Data/Language/English/script.enc
GET http://168.138.162.78/output0/client/Data/Language/English/script_msg.enc
GET http://168.138.162.78/output0/client/Data/Language/English/tip.enc
GET http://168.138.162.78/output0/client/Data/Map/world_01.mcl
GET http://168.138.162.78/output0/client/Data/UI/Icon/force010.dds
GET http://168.138.162.78/output0/client/Data/UI/Icon/skill264.dds
GET http://168.138.162.78/output0/client/Data/UI/Icon/skill265.dds
GET http://168.138.162.78/output0/client/Data/UI/Icon/skill266.dds
GET http://168.138.162.78/output0/client/Guild/1_1.gld
GET http://168.138.162.78/output0/client/Guild/1_102.gld
GET http://168.138.162.78/output0/client/Guild/1_103.gld
GET http://168.138.162.78/output0/client/Guild/1_104.gld
GET http://168.138.162.78/output0/client/Guild/1_105.gld
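The sandbox's suspicious_request heuristic keys on two properties that hold for every request above: a GET with no User-Agent header, and a host that is a bare IP address rather than a name. The Python below re-implements that heuristic over raw HTTP/1.x requests and adds the executable/archive extension check that the ET rules in the Suricata section (2016141, 2018959, 2027250) are about. It is an added example, not ZeroBOX or Emerging Threats code, and the three sample requests are constructed, with paths copied from the report's list. The practical caveat: these two properties are also exactly what an ordinary updater pulling files from an IP-addressed host looks like, which is what the .enc, .dds and .gld paths suggest here, so the heuristic is a triage prompt rather than a verdict; the executable fetches (update.exe, 7z.dll, custom.dll, update_1.7z) are the ones to pull and inspect.

```python
"""Re-implementation of the sandbox's 'suspicious_request' heuristic (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed raw requests in the form a sandbox proxy captures them; the
# first two paths mirror the report, the third is a benign control case.
SAMPLE_REQUESTS = [
    "GET /output0//client/update.exe HTTP/1.1\r\nHost: 168.138.162.78\r\n\r\n",
    "GET /output0/client/Data/item.enc HTTP/1.1\r\nHost: 168.138.162.78\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: s4.gtsystems.hu\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".cpl", ".sys")
ARCHIVE_EXTS = (".7z", ".zip", ".rar", ".cab")
_DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


@dataclass
class HttpRequest:
    method: str
    path: str
    host: str
    headers: Dict[str, str] = field(default_factory=dict)   # keys lower-cased

    @property
    def url(self) -> str:
        return f"http://{self.host}{self.path}"


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of one raw HTTP/1.x request (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers.get("host", ""), headers)


def is_dotted_quad(host: str) -> bool:
    """True for a literal IPv4 host (optional :port stripped), with octet range checked."""
    m = _DOTTED_QUAD.match(host.split(":")[0])
    return bool(m) and all(int(g) <= 255 for g in m.groups())


def suspicious_features(req: HttpRequest) -> List[str]:
    feats: List[str] = []
    if req.method == "GET" and "user-agent" not in req.headers:
        feats.append("GET method with no useragent header")
    if is_dotted_quad(req.host):
        feats.append("Connection to IP address")
    lower = req.path.lower()
    if lower.endswith(EXECUTABLE_EXTS):
        feats.append("Executable download")
    elif lower.endswith(ARCHIVE_EXTS):
        feats.append("Archive download")
    return feats


def triage(raw_requests: List[str]) -> List[dict]:
    """Return one finding per request that trips at least one feature."""
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        feats = suspicious_features(req)
        if feats:
            findings.append({"url": req.url, "features": feats})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REQUESTS):
        print(f["url"], "->", ", ".join(f["features"]))
```

The extension check is the part worth tuning: it is what separates the four code-bearing fetches in this report from the forty-odd data files on the same host, and it is the same split the ET "executable download" rules make on the wire.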
Time & API | Arguments | Status | Return | Repeated

NtAllocateVirtualMemory / NtProtectVirtualMemory: 46 records. Values common to every record: protection 64 (PAGE_EXECUTE_READWRITE); stack_dep_bypass 0; stack_pivoted 0; process_handle 0xffffffff (the NtCurrentProcess pseudo-handle, so every call targets the sample's own process and no cross-process allocation or protection change is logged); status 1, return 0, repeated 0, except that the last record is cut off on the page before its status line. For NtProtectVirtualMemory the size column is the length argument and heap_dep_bypass is 0.

API | pid | base_address | size (bytes) | allocation_type | heap_dep_bypass
NtAllocateVirtualMemory | 2636 | 0x00540000 | 655360 | 8192 (MEM_RESERVE) | 0
NtAllocateVirtualMemory | 2636 | 0x005a0000 | 4096 | 4096 (MEM_COMMIT) | 1
NtProtectVirtualMemory | 2636 | 0x727a1000 | 4096 | - | 0
NtProtectVirtualMemory | 2636 | 0x727a2000 | 4096 | - | 0
NtAllocateVirtualMemory | 2636 | 0x009c0000 | 1966080 | 8192 (MEM_RESERVE) | 0
NtAllocateVirtualMemory | 2636 | 0x00b60000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x00422000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x00555000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x0055b000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x00557000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x0043c000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x0042a000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x00bc0000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x00546000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x0054a000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x00547000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x0043a000 | 4096 | 4096 (MEM_COMMIT) | 1
NtProtectVirtualMemory | 2636 | 0x6eb92000 | 4096 | - | 0
NtAllocateVirtualMemory | 2636 | 0x0054b000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x0054c000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x7ef50000 | 327680 | 1056768 (MEM_RESERVE|MEM_TOP_DOWN) | 0
NtAllocateVirtualMemory | 2636 | 0x7ef50000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x7ef50000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x7ef58000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x7ef40000 | 65536 | 1056768 (MEM_RESERVE|MEM_TOP_DOWN) | 0
NtAllocateVirtualMemory | 2636 | 0x7ef40000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x0055c000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x005a1000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x005a2000 | 16384 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x005a6000 | 69632 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x0043b000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x00548000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x0054d000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x00bc1000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x0054e000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x00bc2000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x00bc3000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x00bc4000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2636 | 0x08c00000 | 4096 | 12288 (MEM_COMMIT|MEM_RESERVE) | 0
NtAllocateVirtualMemory | 2860 | 0x002c0000 | 524288 | 8192 (MEM_RESERVE) | 0
NtAllocateVirtualMemory | 2860 | 0x00300000 | 4096 | 4096 (MEM_COMMIT) | 1
NtProtectVirtualMemory | 2860 | 0x72101000 | 4096 | - | 0
NtProtectVirtualMemory | 2860 | 0x72102000 | 4096 | - | 0
NtAllocateVirtualMemory | 2860 | 0x02810000 | 1703936 | 8192 (MEM_RESERVE) | 0
NtAllocateVirtualMemory | 2860 | 0x02970000 | 4096 | 4096 (MEM_COMMIT) | 1
NtAllocateVirtualMemory | 2860 | 0x00462000 | 4096 | 4096 (MEM_COMMIT) | 1 (record truncated on the page; no status line)
1 0 0

NtAllocateVirtualMemory

process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00495000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0049b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00497000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2860
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0047c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
description update.exe tried to sleep 145 seconds, actually delayed analysis time by 145 seconds
file C:\Users\test22\AppData\Local\Temp\SevenZipSharp.dll
file C:\Users\test22\AppData\Local\Temp\cabalmain.exe
file C:\Users\test22\AppData\Local\Temp\System.Windows.Interactivity.dll
file C:\Users\test22\AppData\Local\Temp\custom.dll
file C:\Users\test22\AppData\Local\Temp\update.exe
file C:\Users\test22\AppData\Local\Temp\7z.dll
file C:\Users\test22\AppData\Local\Temp\update.exe
file C:\Users\test22\AppData\Local\Temp\custom.dll
file C:\Users\test22\AppData\Local\Temp\SevenZipSharp.dll
file C:\Users\test22\AppData\Local\Temp\System.Windows.Interactivity.dll
file C:\Users\test22\AppData\Local\Temp\cabalmain.exe
file C:\Users\test22\AppData\Local\Temp\7z.dll
file C:\Users\test22\AppData\Local\Temp\update.exe
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

recv

buffer: HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 02:02:30 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Thu, 28 Nov 2024 09:51:32 GMT ETag: "639e00-627f606ee9100" Accept-Ranges: bytes Content-Length: 6528512 Content-Type: application/x-msdos-program MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL$=Hgà 0HcTÖgc €c@ d@…„gcO€c€Qàc Lfc  H.textÜGc Hc `.rsrc€Q€cRJc@@.reloc àcœc@B¸gcH¼h@| üäPb0N((( þs o (&~( šo! €Þ s¼z*$ D 0o" t s¼z *0Ô(# o$ (% Žiþ ,rprQp(& &(' r]p(% Žiþþ ,rqprQp(& &(' r½p(% Žiþþ,rprQp(& &(' rÉp(% Žiþþ,rprQp(& &(' *0}(( ,es) s* o+ o, s- +" „rÛp(. o/ &X Žiþ-Ño! + ráp+*Rrãps0 (1 *0s  o o2 &*"(3 *.rp€*&(4 *09~þ ,"r/pÐ(5 o6 s7 €~ +*0 ~ +*"€*0!(rgp~o8 t# +*0!(ryp~o8 t# +*0!(r‘p~o8 t# +*0!(r«p~o8 t +*0!(rµp~o8 t +*0!(rÃp~o8 t# +*0!(rÛp~o8 t# +*0!(rõp~o8 t# +*0!(r p~o8 t# +*0!(r!p~o8 t# +*0!(r9p~o8 t# +*0 ~ +*"(9 *Vs(: t€*0Ns;}}}s; }}(< (0þ s= (> *0û ~[%-&~Zþ¿s? %€[s@ oA {{oB sC }{þ!sD oE {þ"sF oG {oH {o9rMpo¨(I oJ oK (L r“p%oM ŒŒ¢%oN ŒŒ¢%oO ŒŒ¢%oP ŒŒ¢(Q *0€ sR oS ~rÛp~(T sU ~ ~(V oW rßp~(V (X }Þ! rùp~(V (X }Þ*O^!0Ò ~ ~(V (( ,{+ 9‚~ ~sm}{oq&r+p~(V (X sC }{þ#sD oE {þ$sF oG {oH +(r;p~(V (X {#rYpoY *0z ~ rÛp~ (T (Z o[ }Þ
received: 2920
socket: 1192
1 2920 0

recv

buffer: HTTP/1.1 200 OK Date: Wed, 19 Feb 2025 02:02:43 GMT Server: Apache/2.4.62 (Debian) Last-Modified: Wed, 17 Oct 2018 01:04:20 GMT ETag: "14000-578624008cd00" Accept-Ranges: bytes Content-Length: 81920 Content-Type: application/x-msdos-program MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Î ¥…ŠAË֊AË֊AËÖ>Ý:փAËÖ>Ý8ÖÿAËÖ>Ý9֒AËÖ±ÈיAËÖ±ÎזAËÖ±ÏךAËփ9X֏AË֊AÊÖÑAËÖÎ׉AËÖË׋AËÖ4֋AËÖÉ׋AËÖRichŠAËÖPELÀ]š[à! ¾Šá А@à&D$'(pà€`pì@Ð .textê½¾ `.rdataŽ]Ð^Â@@.dataœ0 @À.gfidsÌP*@@.tls `,@À.rsrcàp.@@.reloc`€0@B¡0£ 8ÃÌÌÌÌÌU‹ì¸×àBÿЃøu‹E‹…ŒÇ ]¸Yp@ÿЃøwT¶€¬ÿ$…”‹E‹…œÇ ]‹E‹…¬Ç ]‹E‹…¼Ç ]‹E‹…ÌÇ ]‹E‹…ÜÇ ]Â3À]GUcqÌÌÌÌÌÌÌÌSV‹505¹Whjj(hœ5jh05¹è­hèjj(hœ5jh05¹‹Øè‘ƒÄ0‹Î‹øÿ<0…Àt.ƒ;u)¡05¹‹Î_^[ǀ0HE¡05¹Ç€H1Åÿ%@0‹ƒøtƒø t ƒøtƒøu6jÿÿD0ƒÄ…Àtjjh[¹ <ºÿ0_^[Ãjÿj¹Pºÿ0_^[ÃÌÌU‹ì‹E‹…Àu]ÃSVW‹} 3Ʌÿ~*_ÿU ‹rR;Ët‹…Àt A;Ï|ê_^[]Ã_^3À[]ÃÆ_^[]ÃÌÌÌÌÌÌÌ»½Å hGÃ6‰E3ÿ-88hqEÃÌÌÌÌÌÌÌÌÌÌÌÌÌ̋A,Hƒøw#¶€pÿ$…`ÙDÓÃÙLÓÃÙPÓø×àBÿЅÀuàÙHÓÃf>7ELÌÌÌÌÌÇXÓ‹ÁÃÌÌÌÌÌÌÌÇXÓÃÌÌÌÌÌÌÌÌÌU‹ìöEV‹ñÇXÓt jVèHƒÄ‹Æ^]ÂÌÌÌÌÌÌÌÌÌÌÌÌU‹ìƒì¡P03ʼnEüV‹uEøPj@j@VÿÐ…Àu^‹Mü3Íè‹å] ŠEˆ‹E +ƃè‰FEøPÿuøj@VÿЋMü¸3Í^èØ‹å] ÌÌU‹ìjÿhœÍd¡P¡P03ÅPEôd£d¡,‹ ¨:‹ ˆ¡X:;~>hX:è= ƒÄƒ=X:ÿu(¹T:ÇEüèÛþÿÿhàÍè°hX:è̓ĸT:‹Môd‰ Y‹å]ÃU‹ìƒm ujjjhjjÿÐè ¸] ÌÌÌÌU‹ìƒì¡P03ʼnEüVWhéhhlEèÿÿÿ‹Èè£þÿÿhéhðhGèÿþÿÿ‹Èèˆþÿÿhéhh(Bèäþÿÿ‹ÈèmþÿÿhéhÐhÃ@èÉþÿÿ‹ÈèRþÿÿhéh hüüBè®þÿÿ‹Èè7þÿÿ‹5ЍEøPj@jhåCHÿ֍EøÇåCH88PÿuøjhåCHÿ֍EøPj@jhüCHÿ֍EøÇüCH88PÿuøjhüCHÿ֍EøPj@jhDHÿ֍EøÇDH88PÿuøjhDHÿ֍EøPj@jhtDHÿ֍EøÇtDH¤8PÿuøjhtDHÿ֍EøPj@jhdDHÿ֍EøÇdDH9PÿuøjhdDHÿ֍EøPj@jh“HHÿ֍EøÇ“HH9Pÿuøjh“HHÿ֍EøPj@jhµHHÿ֍EøÇµHH9PÿuøjhµHHÿ֍EøPj@jhJHÿ֍EøÇJH|9PÿuøjhJHÿ֍EøPj@jh ÁKÿ֍EøÇ ÁK|9Pÿuøjh ÁKÿ֍EøPj@jh:ÂKÿ֍EøÇ:ÂK|9Pÿuøjh:ÂKÿ֍EøPj@jhwLHÿ֍EøÇwLHè9Pÿuøjhw
received: 2920
socket: 1288
1 2920 0

recv

buffer: pÒÅ0{bHæ@uËIš£Kæ@K~±ä\å@ ú˜ïpÝRp‡̋÷M¬°5âåâå2Œ÷ 8¦¤Ùšê›êZëšX"$ò‹JlM ̌y¹Œði€I"k€ÚàÏ 4M!©Å%xµ 4MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ˆ™VXÌø8 Ìø8 Ìø8 ŀ« Üø8 {; Åø8 {< Æø8 {= Ôø8 {9 Èø8 [¦9 Îø8 ‡€9 Äø8 ª¤ Ïø8 Ìø9 Óù8 ß|1 Þø8 ß|Ç Íø8 ß|: Íø8 RichÌø8 PEL œugà! (ÒÈ¡¨ðà@äZT ø°&°p@ð@ð„.textÑÒ `.rdatapðŽÖ@@.data¤€ d@À.rsrcø p@@.reloc&°&r@BU‹ìQj 蕏WÀ‰Eüh Ý@ÇÇ@£衒ƒÄ‹å]ÃÌÌÌÌÌU‹ìQjèUWÀhTÇ@£Ç0ÇHfÖ@Ç(Ç,ÇLÿÿÿÿÇ$ÇPÿòhÀÝÆ|è’ƒÄ ‹å]ÃÌÌhàÝèû‘YÃÌÌÌÌh@Þèë‘YÃÌÌÌÌh ÞèۑYÃÌÌÌÌU‹ìQj 蕎WÀ‰Eühß@ÇÇ@£ 衑ƒÄ‹å]ÃÌÌÌÌÌj\èYŽh ߉‰@‰@fÇ@ £àèq‘ƒÄÃÌÌÌÌÌÌÌÌjè)Žh0߉‰@‰@fÇ@ £èèA‘ƒÄÃÌÌÌÌÌÌÌÌjèùh@߉‰@‰@fÇ@ £Øè‘ƒÄÃÌÌÌÌÌÌÌÌj(èɍhP߉‰@‰@fÇ@ £ðèᐃÄÃÌÌÌÌÌÌÌÌU‹ìjÿhéÊd¡P¡@€3ÅPEôd£hètƒÄ‰‰@£TÇEüÇ\Ç`ÇdÆEü¹\PjÇhÇlÇP€?è3¯h`ßè>ƒÄ‹Môd‰ Y‹å]ÃÌÌÌÌÌÌÌjèéŒhp߉‰@‰@fÇ@ £ÐèƒÄÃÌÌÌÌÌÌÌÌh€ßèëYÃÌÌÌÌhàèۏYÃÌÌÌÌh`àèˏYÃÌÌÌÌhÀà軏YÃÌÌÌÌU‹ìjÿh‚Ëd¡PìÈ¡@€3ʼnEðPEôd£j WÀDž<ÿÿÿh¬ ,ÿÿÿDž@ÿÿÿ…,ÿÿÿè• Ç…Dÿÿÿ0EÇEüHÿÿÿj WÀDžXÿÿÿh¼ …HÿÿÿDž\ÿÿÿèT Dž`ÿÿÿ@EÆEüdÿÿÿjWÀDžtÿÿÿhÌ …dÿÿÿDžxÿÿÿè Dž|ÿÿÿ`EÆEüM€jWÀÇEhà E€ÇE”èä ÇE˜PEÆEüMœjWÀÇE¬hô EœÇE°èµ ÇE´GÆEüM¸jWÀÇEÈh E¸ÇEÌè† ÇEÐpdÆEüMÔjWÀÇEäh EÔÇEèèW ÇEì dÇEüǰÇ´Ç¸j$贊ƒÄ‰‰@£´Ç¼ÇÀÇďÆEü¹¼PjÇȏÇ̏ǰ€?èz¬EðÆEü P…,ÿÿÿPè½h€jj…,ÿÿÿÇEüÿÿÿÿPèȎhÐàèUƒÄ‹Môd‰ Y‹Mð3Íèú‰‹å]ÃÌÌÌÌU‹ìjÿhÉÌd¡P¡@€3ÅPEôd£j$è׉ƒÄ‰‰@£4ÇEüÇ<Ç@ÇDÆEü¹<PjÇHÇLÇ0€?薫hàà行ƒÄ‹Môd‰ Y‹å]ÃÌÌÌÌÌÌÌÌÌÌhðàè{ŒYÃÌÌÌÌjè9‰hPáÇ@£ÇèRŒƒÄÃhuáèDŒYÃÌÌÌÌÌÌÌÌÌÌÌÌÌU‹ìV‹ñWÀFPÇXôf֋EƒÀPÿ<òƒÄ‹Æ^]ÂÌ̋I¸ˆô…
received: 2920
socket: 1288
1 2920 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0xffffffff
process_identifier: 2636
process_handle: 0x00000684
0 0
buffer Buffer with sha1: b1ab64ef61669a775c388d9419809573bb8b6ebb
host 168.138.162.78
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 8 (SystemProcessorPerformanceInformation)
1 0 0
file C:\Users\test22\AppData\Local\Temp\Data\data.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_15.gld
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\help.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_231.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_17.gld
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\script_msg.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_218.gld
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\klog.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_199.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_42.gld
file C:\Users\test22\AppData\Local\Temp\Data\destroy.enc
file C:\Users\test22\AppData\Local\Temp\Data\smob.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\keymap_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\ability.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_104.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_253.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_32.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_24.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_257.gld
file C:\Users\test22\AppData\Local\Temp\Data\maze.enc
file C:\Users\test22\AppData\Local\Temp\Data\cont2.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_125.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_252.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_208.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_258.gld
file C:\Users\test22\AppData\Local\Temp\Data\achievement.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_99.gld
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\script.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_22.gld
file C:\Users\test22\AppData\Local\Temp\Data\change_shape.enc
file C:\Users\test22\AppData\Local\Temp\Data\global.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_6.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_2.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_28.gld
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\cont_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\extra_obj_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\quest.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_25.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_260.gld
file C:\Users\test22\AppData\Local\Temp\Data\assistant.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\msg.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_192.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_26.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_102.gld
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\cont2_msg.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_92.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_55.gld
file C:\Users\test22\AppData\Local\Temp\Guild\1_145.gld
file C:\Users\test22\AppData\Local\Temp\Data\cont.enc
file C:\Users\test22\AppData\Local\Temp\Guild\1_70.gld
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\cont_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\cabal.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\script_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\caz_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\help.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\cabal_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\maze.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\achievement_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\cont.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\keymap_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\mapinfo.enc
file C:\Users\test22\AppData\Local\Temp\Data\global.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\cont2_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\ability.enc
file C:\Users\test22\AppData\Local\Temp\Data\cont2.enc
file C:\Users\test22\AppData\Local\Temp\Data\item.enc
file C:\Users\test22\AppData\Local\Temp\Data\data.enc
file C:\Users\test22\AppData\Local\Temp\Data\change_shape.enc
file C:\Users\test22\AppData\Local\Temp\Data\achievement.enc
file C:\Users\test22\AppData\Local\Temp\Data\mob.enc
file C:\Users\test22\AppData\Local\Temp\Data\quest.enc
file C:\Users\test22\AppData\Local\Temp\Data\destroy.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\klog.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\tip.enc
file C:\Users\test22\AppData\Local\Temp\Data\keymap.enc
file C:\Users\test22\AppData\Local\Temp\Data\smob.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\extra_obj_msg.enc
file C:\Users\test22\AppData\Local\Temp\Data\extra_obj.enc
file C:\Users\test22\AppData\Local\Temp\Data\caz.enc
file C:\Users\test22\AppData\Local\Temp\Data\market.enc
file C:\Users\test22\AppData\Local\Temp\Data\Language\English\script.enc
file C:\Users\test22\AppData\Local\Temp\xdata.enc
file C:\Users\test22\AppData\Local\Temp\Data\assistant.enc