Summary | ZeroBOX

sdd.dll

Gen1 Generic Malware Malicious Library Antivirus UPX OS Processor Check PE32 PE File DLL
Category FILE
Machine s1_win7_x6403_us
Started Oct. 23, 2021, 9:40 a.m.
Completed Oct. 23, 2021, 9:55 a.m.
Size 2.5MB
Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 de8b54a938ac18f15cad804d79a0e19d
SHA256 2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd
CRC32 9E6BBCE1
ssdeep 49152:ZgZziYTt//YDt2Z/fZMdzUAOC5n+LlrxFTGWgKq:Z0ziYTKh2Z/f6AAOGarxFTG/v
PDB Path c:\oxygen\They\Miss-decide\Oxygen\Dog.pdb
Yara
  • PE_Header_Zero - PE File Signature
  • OS_Processor_Check_Zero - OS Processor Check
  • IsPE32 - (no description)
  • Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen
  • IsDLL - (no description)
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file
  • Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet

Name: localhost
Response: SOA localhost,root.localhost,2011040901,3600,1800,604800,43200
Response: NS localhost
Post-Analysis Lookup: 127.0.0.1

Name: 2.101.124.164.in-addr.arpa
Response: PTR ns.lgtelecom.com
Response: PTR ns.dacom.co.kr
Response: PTR ns.lgdacom.net
IP Address Status Action
164.124.101.2 Active Moloch
185.158.250.216 Active Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

computer_name:
0 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0

GetComputerNameA

computer_name: TEST22-PC
1 1 0

GetComputerNameW

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0

IsDebuggerPresent

0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: Unable to find type [Windows.Security.Credentials.PasswordVault,Windows.Securit
console_handle: 0x00000023
1 1 0

WriteConsoleW

buffer: y.Credentials,ContentType=WindowsRuntime]: make sure that the assembly containi
console_handle: 0x0000002f
1 1 0

WriteConsoleW

buffer: ng this type is loaded.
console_handle: 0x0000003b
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\tmpFCD9.tmp.ps1:1 char:107
console_handle: 0x00000047
1 1 0

WriteConsoleW

buffer: + [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credential
console_handle: 0x00000053
1 1 0

WriteConsoleW

buffer: s,ContentType=WindowsRuntime] <<<<
console_handle: 0x0000005f
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidOperation: (Windows.Securit...=WindowsRun
console_handle: 0x0000006b
1 1 0

WriteConsoleW

buffer: time:String) [], RuntimeException
console_handle: 0x00000077
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : TypeNotFound
console_handle: 0x00000083
1 1 0

WriteConsoleW

buffer: New-Object : Cannot find type [Windows.Security.Credentials.PasswordVault]: mak
console_handle: 0x000000a3
1 1 0

WriteConsoleW

buffer: e sure the assembly containing this type is loaded.
console_handle: 0x000000af
1 1 0

WriteConsoleW

buffer: At C:\Users\test22\AppData\Local\Temp\tmpFCD9.tmp.ps1:2 char:12
console_handle: 0x000000bb
1 1 0

WriteConsoleW

buffer: + (new-object <<<< Windows.Security.Credentials.PasswordVault).RetrieveAll() |
console_handle: 0x000000c7
1 1 0

WriteConsoleW

buffer: % { $_.RetrievePassword(); $_ } > "C:\Users\test22\AppData\Local\Temp\tmpFCDA.
console_handle: 0x000000d3
1 1 0

WriteConsoleW

buffer: tmp"
console_handle: 0x000000df
1 1 0

WriteConsoleW

buffer: + CategoryInfo : InvalidType: (:) [New-Object], PSArgumentExcepti
console_handle: 0x000000eb
1 1 0

WriteConsoleW

buffer: on
console_handle: 0x000000f7
1 1 0

WriteConsoleW

buffer: + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewOb
console_handle: 0x00000103
1 1 0

WriteConsoleW

buffer: jectCommand
console_handle: 0x0000010f
1 1 0
Time & API Arguments Status Return Repeated

CryptGenKey

crypto_handle: 0x006089d8
algorithm_identifier: 0x00000001 ()
flags: 67108865
key:
provider_handle: 0x00608028
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006089d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0

CryptExportKey

buffer: ¤RSA2ÎÛj.O°‰°‹Ña”=½ÅߒTJr…âÇÕ\†I19N@ËùÄàn/^ŠWŠW"¨8¥;pÖjH³³ètOO·Ñ…™à·ÿà$UoåöJ€.dîÏÝ»7{§Ž™ÌÅú×ãµ6n6F™¦q‘w¢¶qÍHöìMl4ï҉­ÇØthȦwM^Î/K‚Én@P@ûOҚÜïºݘ%Þ^ҞÍ?Z)èQ¸W±¶â³)s Šöè) <hå«¥–GÜ%ú¨W§âҍƒ¹&þö' <¯ÞÓã3~Qž;·Óܖ©íösý†… ù8Jðˆ^«+… l²Ç Yü ¹É]-âç™<«’*ž{ß9 ö'ƃˆæ$e,9pÙÙg÷ñÆ2úŽ}º4pc ¾ÿdY=U pdC]€¢y® H;i"&/4ñ’p ]:«MŠa;ÑkhϑŠ•ôO†}WÛv³¥Ü|ەž!¯iž†S·Fn#f¥›¾±Pãn }ep±ó$Qšãr#Y~8:R‡±ÿg¿ÇˆëE¿`õ|ªÅÙlÃÀ•ÓÃ8=ˆâ&38“*áÚÔç™éRw^¶Ëþ­m¯õnÍ@µcZNPº¦^ãI[ôèõ½±/ ôR!í‰e‡@D¿ót((5×AMå0Ø[ʜ먀RFˆüs[N鈘â¢Ó‚B5·”ãDf-­Dí›í'E'0ýn9P–«ŽÊ™ýWšrLóS(\¹ !
crypto_handle: 0x006089d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006089d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: ¤RSA1ÎÛj.O°‰°‹Ña”=½ÅߒTJr…âÇÕ\†I19N@ËùÄàn/^ŠWŠW"¨8¥;pÖjH³³ètOO·Ñ…™à·ÿà$UoåöJ€.dîÏÝ»7{§Ž™ÌÅú×ãµ6n6F™¦q‘w¢¶qÍHöìMl4ï҉
crypto_handle: 0x006089d8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptGenKey

crypto_handle: 0x0060cd28
algorithm_identifier: 0x00006610 ()
flags: 1
key: f S¹Më’°àÅ®y2Äqï÷A Áõç_ö† °Å£8QÂ
provider_handle: 0x0060cda0
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0060cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f S¹Më’°àÅ®y2Äqï÷A Áõç_ö† °Å£8QÂ
crypto_handle: 0x0060cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x0060cd28
algorithm_identifier: 0x00006610 ()
flags: 1
key: f 2±”u_«EԞÀص%Å·/~Ëm`{øZ›2
provider_handle: 0x0060cda0
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0060cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f 2±”u_«EԞÀص%Å·/~Ëm`{øZ›2
crypto_handle: 0x0060cd28
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x006589f8
algorithm_identifier: 0x00000001 ()
flags: 67108865
key:
provider_handle: 0x00658048
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006589f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0

CryptExportKey

buffer: ¤RSA2wì Ž-­Ä&ò„YuŸ›µ¿àuqˆ‘®ÛԎâ˯蘓œµÖ&¥¼RîÚ©· #J?¤ÛReïšWœ3×ê®òü–Š“Ì ¿ýŽ±ÐKÉ¡ߙ6Ðc^téhdTó8îrÑ´8ØØ°îmð=b´iÒÁþj­ LąÚíÉä¸/ÇÁmú´ éqÌËlÌïâ›Nxª6§‘”B®À Q[‹„f,Èl'€Æ0ç70}ZTZ-í„<Š§ùË¡š3žáÓ$¤úK5a±ã2dÒ<•ådm©Šîª‡þ!:î>• ÓÕPÁ_-pë8ï´¦`»ã_ÓKkdà†ÂÉÑhÒÁæšûCdl»"¸6ªÿ‘ŽîÇòÁÑRÊà"øbÆÆ*—^`ìp‘xöÒ;‡$†fÝmRóO×È;Òl«Ì«úÏy³­³ —ã¤W-äØXW¶Ñ³â¾ù°VÁ Ì`ÔD]^)[<XҞ”|•êÓ±g™†Q×èS™ñœk‘N Š0@Û)zg_«Céï.-Ýð¡q0 Ðœß¬Nµpïȍ½–Y¢ ìâҎYÐÉØRÔòøºÝ–QMîqhå삾E²%Aë¸ÒPuÚäså¤p‡Î£äwkÚ3£—V?ÞâkÛ48¤e±™ï=ˆ» Û¾}¢0Û"Ét 8—%º¢íö,@Æ¡ ¤:jeª—Ióª@ЎLm(4~/d½Oyºv!—à¶Î5ð™„%6ºïêl3ŸyÜ7„?
crypto_handle: 0x006589f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x006589f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: ¤RSA1wì Ž-­Ä&ò„YuŸ›µ¿àuqˆ‘®ÛԎâ˯蘓œµÖ&¥¼RîÚ©· #J?¤ÛReïšWœ3×ê®òü–Š“Ì ¿ýŽ±ÐKÉ¡ߙ6Ðc^téhdTó8îrÑ´8ØØ°îmð=b´iÒÁþj­ LÄ
crypto_handle: 0x006589f8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptGenKey

crypto_handle: 0x0065cd48
algorithm_identifier: 0x00006610 ()
flags: 1
key: f y²£øì·QƖAéÀ‡÷ ¸‚ïʗ"røà#
provider_handle: 0x0065cdc0
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0065cd48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f y²£øì·QƖAéÀ‡÷ ¸‚ïʗ"røà#
crypto_handle: 0x0065cd48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x0065cd48
algorithm_identifier: 0x00006610 ()
flags: 1
key: f øGIC±<>±Êhä :f?¤^ÒÄENJÎ9+<¬8=
provider_handle: 0x0065cdc0
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0065cd48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f øGIC±<>±Êhä :f?¤^ÒÄENJÎ9+<¬8=
crypto_handle: 0x0065cd48
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x005889f0
algorithm_identifier: 0x00000001 ()
flags: 67108865
key:
provider_handle: 0x00588040
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005889f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0

CryptExportKey

buffer: ¤RSA2™ñ• Îg©Îže×ŠÜ õsÿ”7a¤•]TZMQº_äãÄíôÉÌuiuX¹‰“ñ§â˜Ž6Z/½‚âú'ʏN~YÜD?2ô¸è{Ù£‰Zo‹RÄd̳<Çx“á³£¯¤ñnZþ‹LD~• ó@ëùÄ*ТÉà…"ÔÀ/ƒïÍÚ&v^Ê¥Ìÿc¡”™Læq¬ßöpc>T´NܚY(ÃòVTk“©shÅÒoQXÒ¥EqÛÝì]¹Q7%¹"‡›0²àçµ&2>ö÷‡ªbÅáL~1üúD]¼­3Ò/¯Ã Ùœ9×±@OàÆhÆ!F‚WîøŒõï»5ïŠjQƒ=À#çŠ<·úÌ9¹¢¾õm’nwvJlM‡wÀÜ3nÛâ~=·£ùŠÿÇØë”:©z*/Æ8Ýxé¬UÍ]'±´ë7ÐÖ[$`DVœÁÅ?l4ë‹å¿í|dj `½J•­ffëþÿ%2КÞi{4ùÄW~¨y5¾~øI[îtìª<oaäEòš#éö.…í‹”pZîaì‘l"±š–{ˆ£{³_wV‹¨ÂŠ÷JSþnM¤4J2¸™'×ыց3{ŠOð1ôOÆ+‰w |Iêÿ¹iŽ*¹¿E’þÞ:6ùÛ´ë-,#Y°O|PÂõuóöÙ²Zšp;ÿ 1=¶æa6š…“„…6»I$#=¯’~9ØÊÃô¾¸²ÌñŒ½­¦ ®
crypto_handle: 0x005889f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x005889f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: ¤RSA1™ñ• Îg©Îže×ŠÜ õsÿ”7a¤•]TZMQº_äãÄíôÉÌuiuX¹‰“ñ§â˜Ž6Z/½‚âú'ʏN~YÜD?2ô¸è{Ù£‰Zo‹RÄd̳<Çx“á³£¯¤ñnZþ‹LD~• ó@ëùÄ*Т
crypto_handle: 0x005889f0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptGenKey

crypto_handle: 0x0058cd40
algorithm_identifier: 0x00006610 ()
flags: 1
key: f vlöä|ºíO¿_P3%€Æ ~®âۇò ‰*Ë
provider_handle: 0x0058cdb8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0058cd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f vlöä|ºíO¿_P3%€Æ ~®âۇò ‰*Ë
crypto_handle: 0x0058cd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x0058cd40
algorithm_identifier: 0x00006610 ()
flags: 1
key: f ãk"Ww\¾¦°\‹Ó-š=¸üžJ‹”Áv&0$‡x
provider_handle: 0x0058cdb8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x0058cd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f ãk"Ww\¾¦°\‹Ó-š=¸üžJ‹”Áv&0$‡x
crypto_handle: 0x0058cd40
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x004a8b70
algorithm_identifier: 0x00000001 ()
flags: 67108865
key:
provider_handle: 0x004cd1d0
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a8b70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0

CryptExportKey

buffer: ¤RSA2çdpùCøæ”Ú0'ô{½1ˆ½P{o*x&cü \mЄ'‹Ò‰~|‘‰º ®«rñ6´OÌĝØ {Á [¡~Ib,ðf¾0Ð93}¥ð†ï„;ÍëXeÓtõíÌìHê<€ïn*õn¦tí=)pÖ@¤tp©£±çW“@ÙaåëÑ¿¢#Ëa;¼y&;Óì5Ä£7ö>_ú‘{©j-1€‹C%¯Íªƒ‚Ð 19“ø¡^³%rú¿àßíG'RXÍ9fúÖ^}ñ‘ÁNÙªÖ>}Åó]tܟoÜM ü—o ŸÊÌ._§^|®¡´ÑE9 %ZoñÍ<.aWäï+Ïé!«¾)ºSñ3çñxú?Ù1×G$\ 0l_3 ¬æ‘<Õj<˜¿:¿q£W-ÚM9‡Ò• }×ё(eÖ· JÄ³=qvp²ý€2†Þý_‰®•æ#þ¼BÔ'2¡uf¨NkPÞqM ٘4iU…“rƒp‘Un·_VmK?;ËD²CÑD¸hÛþk‡þµå¯•í™øä%}“µ€æÑ~HÒúêK¸o;pŒCŸœ-Ï–/íb«¹«þŒM]ã,›îŸZ@)kº1lYÄq› Îƒ«FMŸ_?TŒ˜… = Šz#Ž¸hÎ~Ùýa,í´¡¼ŽÞDÈHµÀÑÙ}Œ`\[š’ü±98‡õÊ©ò?jx“øe&Ôs…¸dBzë³À5R0Y¢%µl͌qLÚd^°»ÊËvê0ˆùÊ
crypto_handle: 0x004a8b70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a8b70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: ¤RSA1çdpùCøæ”Ú0'ô{½1ˆ½P{o*x&cü \mЄ'‹Ò‰~|‘‰º ®«rñ6´OÌĝØ {Á [¡~Ib,ðf¾0Ð93}¥ð†ï„;ÍëXeÓtõíÌìHê<€ïn*õn¦tí=)pÖ@¤tp©£±çW“@Ù
crypto_handle: 0x004a8b70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptGenKey

crypto_handle: 0x004a93b0
algorithm_identifier: 0x00006610 ()
flags: 1
key: f ³®±Dðröh¿‚ZãõJ'-‘_tt›Þvý¾¸
provider_handle: 0x004cd390
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a93b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f ³®±Dðröh¿‚ZãõJ'-‘_tt›Þvý¾¸
crypto_handle: 0x004a93b0
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x004a9270
algorithm_identifier: 0x00006610 ()
flags: 1
key: f Ë7ÛYsBÒItOâË Š§»ÍºµWÿJF˦ÀReÓ
provider_handle: 0x004df038
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a9270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f Ë7ÛYsBÒItOâË Š§»ÍºµWÿJF˦ÀReÓ
crypto_handle: 0x004a9270
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x004a8b70
algorithm_identifier: 0x00006610 ()
flags: 1
key: f c\sÖÏFÊØ÷¿/x )ij„ÈoŽåãá.]Áû·
provider_handle: 0x004df038
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a8b70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f c\sÖÏFÊØ÷¿/x )ij„ÈoŽåãá.]Áû·
crypto_handle: 0x004a8b70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x004a8b70
algorithm_identifier: 0x00006610 ()
flags: 1
key: f ,ÊþJ¿˜Ñ iý‰‡|Ñ)THÕ]¨æ”•uU+å/
provider_handle: 0x004df038
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x004a8b70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f ,ÊþJ¿˜Ñ iý‰‡|Ñ)THÕ]¨æ”•uU+å/
crypto_handle: 0x004a8b70
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
pdb_path c:\oxygen\They\Miss-decide\Oxygen\Dog.pdb
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files (x86)\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
dbkFCallWrapperAddr+0x5ba20 TMethodImplementationIntercept-0x7cac8 sdd+0xbbb68 @ 0x73d5bb68
First+0x709ac1e4 __dbk_fcall_wrapper-0x6f44 sdd+0x9544 @ 0x73ca9544
First+0x709ac671 __dbk_fcall_wrapper-0x6ab7 sdd+0x99d1 @ 0x73ca99d1

exception.instruction_r: 8b 06 89 04 24 8b 1c 24 83 e3 fe 85 db 75 30 e8
exception.instruction: mov eax, dword ptr [esi]
exception.exception_code: 0xc0000005
exception.symbol: First+0x709ab72e __dbk_fcall_wrapper-0x79fa sdd+0x8a8e
exception.address: 0x73ca8a8e
registers.esp: 3142732
registers.edi: 1943830196
registers.eax: 78421807
registers.ebp: 3142764
registers.edx: 78421807
registers.ebx: 11312832
registers.esi: 78421807
registers.ecx: 3142764
1 0 0

__exception__

stacktrace:
dbkFCallWrapperAddr+0x5ba20 TMethodImplementationIntercept-0x7cac8 sdd+0xbbb68 @ 0x73d5bb68
Surpriseten+0x70a5c1e4 __dbk_fcall_wrapper-0x6f44 sdd+0x9544 @ 0x73ca9544
Surpriseten+0x70a5c671 __dbk_fcall_wrapper-0x6ab7 sdd+0x99d1 @ 0x73ca99d1

exception.instruction_r: 8b 06 89 04 24 8b 1c 24 83 e3 fe 85 db 75 30 e8
exception.instruction: mov eax, dword ptr [esi]
exception.exception_code: 0xc0000005
exception.symbol: Surpriseten+0x70a5b72e __dbk_fcall_wrapper-0x79fa sdd+0x8a8e
exception.address: 0x73ca8a8e
registers.esp: 652988
registers.edi: 1943830196
registers.eax: 98082607
registers.ebp: 653020
registers.edx: 98082607
registers.ebx: 30973632
registers.esi: 98082607
registers.ecx: 653020
1 0 0

__exception__

stacktrace:
dbkFCallWrapperAddr+0x5ba20 TMethodImplementationIntercept-0x7cac8 sdd+0xbbb68 @ 0x73d5bb68
Zg5YNWk4+0x7086c1e4 __dbk_fcall_wrapper-0x6f44 sdd+0x9544 @ 0x73ca9544
Zg5YNWk4+0x7086c671 __dbk_fcall_wrapper-0x6ab7 sdd+0x99d1 @ 0x73ca99d1

exception.instruction_r: 8b 06 89 04 24 8b 1c 24 83 e3 fe 85 db 75 30 e8
exception.instruction: mov eax, dword ptr [esi]
exception.exception_code: 0xc0000005
exception.symbol: Zg5YNWk4+0x7086b72e __dbk_fcall_wrapper-0x79fa sdd+0x8a8e
exception.address: 0x73ca8a8e
registers.esp: 2488756
registers.edi: 1943830196
registers.eax: 99655471
registers.ebp: 2488788
registers.edx: 99655471
registers.ebx: 32546496
registers.esi: 99655471
registers.ecx: 2488788
1 0 0
Time & API Arguments Status Return Repeated

bind

ip_address: 127.0.0.1
socket: 692
port: 19584
1 0 0

listen

socket: 692
backlog: 0
1 0 0

bind

ip_address: 127.0.0.1
socket: 868
port: 19585
1 0 0

listen

socket: 868
backlog: 5
1 0 0

accept

ip_address: 127.0.0.1
socket: 692
port: 49181
1 1016 0

bind

ip_address: 127.0.0.1
socket: 716
port: 19584
4294967295 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d4a000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 24576
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f18000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002b0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2404
region_size: 2916352
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x020a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75271000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x768e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x767c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74dc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76b41000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73af1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74081000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74011000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ff1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x739f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 16662528
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02531000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fe1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7755f000
process_handle: 0xffffffff
1 0 0
description rundll32.exe tried to sleep 257 seconds, actually delayed analysis time by 257 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 10225041408
free_bytes_available: 0
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences
file C:\Users\test22\AppData\Roaming\Opera\wand.dat
file C:\Users\test22\AppData\Local\Programs\Opera\
registry HKEY_CURRENT_USER\Software\Opera Software
file C:\Users\test22\AppData\Local\Temp\tmpFCD9.tmp.ps1
file C:\Users\test22\AppData\Local\Temp\tmp8B2.tmp.ps1
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell -Executionpolicy bypass -File "C:\Users\test22\AppData\Local\Temp\tmpFCD9.tmp.ps1"
cmdline powershell -Executionpolicy bypass -File "C:\Users\test22\AppData\Local\Temp\tmp8B2.tmp.ps1"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\test22\AppData\Local\Temp\tmpFCD9.tmp.ps1"
cmdline "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\test22\AppData\Local\Temp\tmp8B2.tmp.ps1"
wmi SELECT * FROM Win32_NetworkAdapter
wmi SELECT * FROM Win32_OperatingSystem
wmi SELECT * FROM Win32_ComputerSystem
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -Executionpolicy bypass -File "C:\Users\test22\AppData\Local\Temp\tmpFCD9.tmp.ps1"
filepath: powershell
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: powershell
parameters: -Executionpolicy bypass -File "C:\Users\test22\AppData\Local\Temp\tmp8B2.tmp.ps1"
filepath: powershell
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 1158
family: 0
1 0 0
section {u'size_of_data': u'0x000a8200', u'virtual_address': u'0x00001000', u'entropy': 6.8310394209760315, u'name': u'.text', u'virtual_size': u'0x000a8009'} entropy 6.83103942098 description A section with a high entropy has been found
entropy 0.266125840918 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x00000168
options: 0
access: 0x02000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4A03706F-666A-4037-7777-5F2748764D10}
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x0000016c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}
1 0 0
cmdline "C:\Windows\system32\nslookup.exe" -type=any localhost
wmi SELECT * FROM Win32_ComputerSystem
buffer Buffer with sha1: 6bf666690a7f906fbcd5dfca1bd449b85deda11a
host 185.158.250.216
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
file C:\ProgramData\FlashFXP\4\History.dat
file C:\Users\test22\AppData\Local\FlashFXP\4\Quick.dat
file C:\Users\test22\AppData\Roaming\FlashFXP\4\Quick.dat
file C:\ProgramData\FlashFXP\3\Sites.dat
file C:\Users\test22\AppData\Roaming\FlashFXP\3\Sites.dat
file C:\ProgramData\FlashFXP\4\Quick.dat
file C:\Users\test22\AppData\Local\FlashFXP\4\History.dat
file C:\Users\test22\AppData\Roaming\FlashFXP\3\History.dat
file C:\Users\test22\AppData\Roaming\FlashFXP\3\Quick.dat
file C:\Users\test22\AppData\Roaming\FlashFXP\4\History.dat
file C:\ProgramData\FlashFXP\3\History.dat
file C:\ProgramData\FlashFXP\4\Sites.dat
file C:\Users\test22\AppData\Roaming\FlashFXP\4\Sites.dat
file C:\Users\test22\AppData\Local\FlashFXP\3\Quick.dat
file C:\Users\test22\AppData\Local\FlashFXP\3\History.dat
file C:\Users\test22\AppData\Local\FlashFXP\3\Sites.dat
file C:\Users\test22\AppData\Local\FlashFXP\4\Sites.dat
file C:\ProgramData\FlashFXP\3\Quick.dat
file C:\ProgramData\VanDyke\Config\Sessions\
file C:\Users\test22\AppData\Local\VanDyke\Config\Sessions\
file C:\Users\test22\AppData\Roaming\VanDyke\Config\Sessions\
file C:\Users\test22\AppData\Local\FTP Explorer\profiles.xml
file C:\ProgramData\FTP Explorer\profiles.xml
file C:\Users\test22\AppData\Roaming\FTP Explorer\profiles.xml
file C:\ProgramData\SmartFTP\Favorites.dat
file C:\Users\test22\AppData\Roaming\SmartFTP\History.dat
file C:\Users\test22\AppData\Local\SmartFTP\History.dat
file C:\ProgramData\SmartFTP\Client 2.0\Favorites\Favorites.dat
file C:\ProgramData\SmartFTP\History.dat
file C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\Favorites.dat
file C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\
file C:\Users\test22\AppData\Roaming\SmartFTP\Favorites.dat
file C:\Users\test22\AppData\Local\SmartFTP\Favorites.dat
file C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
file C:\ProgramData\SmartFTP\Client 2.0\Favorites\
file C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Favorites.dat
file C:\Users\test22\AppData\Roaming\TurboFTP\addrbk.dat
file C:\Users\test22\AppData\Roaming\FTPRush\RushSite.xml
file C:\Users\test22\wcx_ftp.ini
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\SOFTWARE\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far\SavedDialogHistory\FTPHost
registry HKEY_CURRENT_USER\Software\Far2\SavedDialogHistory\FTPHost
registry HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander
registry HKEY_CURRENT_USER\Software\Ghisler\Windows Commander
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Options
file C:\Users\test22\AppData\Roaming\Digsby\Digsby.dat
file C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
file C:\Users\test22\AppData\Roaming\.purple\accounts.xml
file C:\ProgramData\.purple\accounts.xml
file C:\Users\test22\AppData\Local\Trillian\users\global\accounts.ini
file C:\ProgramData\Trillian\users\global\accounts.ini
file C:\Users\test22\AppData\Roaming\Trillian\users\global\accounts.ini
registry HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry HKEY_CURRENT_USER\Software\Paltalk
Time & API Arguments Status Return Repeated

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Excel MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft PowerPoint MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Publisher MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Outlook MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Word MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - English
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Outils de vérification linguistique 2013 de Microsoft Office - Français
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - Español
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft InfoPath MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft DCF MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft OneNote MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Groove MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM UX MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Lync MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Acrobat Reader DC MUI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Excel MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000016c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft PowerPoint MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName
1 0 0
Elastic malicious (high confidence)
McAfee Artemis!DE8B54A938AC
Sangfor Trojan.Win32.Woreflint.A
Cyren W32/Danabot.AO.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Generik.IMKXXZM
APEX Malicious
Kaspersky UDS:Trojan-Banker.Win32.Danabot
Sophos Mal/Generic-R + Mal/EncPk-AQC
McAfee-GW-Edition Artemis!Trojan
GData Win32.Trojan.PSE.11JGA2V
Kingsoft Win32.Troj.Banker.(kcloud)
ZoneAlarm UDS:DangerousObject.Multi.Generic
Microsoft Trojan:Win32/Casdet!rfn
SentinelOne Static AI - Malicious PE
eGambit Unsafe.AI_Score_74%
Fortinet W32/ZDlder.SBEO!tr
Paloalto generic.ml
file C:\ProgramData\SmartFTP\Favorites.dat
file C:\Users\test22\AppData\Roaming\SmartFTP\History.dat
file C:\Users\test22\AppData\Local\SmartFTP\History.dat
file C:\ProgramData\SmartFTP\Client 2.0\Favorites\Favorites.dat
file C:\ProgramData\SmartFTP\History.dat
file C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\Favorites.dat
file C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\
file C:\Users\test22\AppData\Roaming\SmartFTP\Favorites.dat
file C:\Users\test22\AppData\Local\SmartFTP\Favorites.dat
file C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
file C:\ProgramData\SmartFTP\Client 2.0\Favorites\
file C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Favorites.dat
file C:\Users\test22\AppData\Local\Microsoft\Windows Live Mail\
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\c02ebc5353d9cd11975200aa004ae40e\HTTP Password
registry HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Poco Systems Inc\PocoMail 4
registry HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Scribe\Protocols\mailto\shell\open\command
registry HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password2
registry HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\2F211F491D55A37679F69F98A4E9AB8F7341D268\Blob
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\87B55506159A6DE961A856A30E2783AFA1DF56D0\Blob
parent_process powershell.exe martian_process "C:\Windows\system32\nslookup.exe" -type=any localhost
option -executionpolicy bypass value Attempts to bypass execution policy
option -executionpolicy bypass value Attempts to bypass execution policy
option -executionpolicy bypass value Attempts to bypass execution policy
option -executionpolicy bypass value Attempts to bypass execution policy
file C:\Windows\System32\nslookup.exe