Summary | ZeroBOX

Crypt%20C.dll (i.e. "Crypt C.dll": the submitted file name with its space URL-encoded)

Tags: Generic Malware, Malicious Library, Admin Tool (Sysinternals etc ...), Antivirus, UPX, Malicious Packer, PWS, KeyLogger, Socket, AntiDebug, DLL, OS Processor Check, PE32, PE File, AntiVM

Category  Machine        Started                     Completed
FILE      s1_win7_x6401  March 19, 2025, 11:08 a.m.  March 19, 2025, 11:23 a.m.

Size    5.5MB
Type    PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5     8d252f7a6ff4f929d86cf7feb95a5b08
SHA256  46a1eec81e8b0d889b6fde07a85405874d4b21da998b34e8b91fd852d1ddb458
CRC32   020AC372
ssdeep  98304:DW0704A7pKmwDNRdBYaAGmOGio38um37R6BJZO4A5cfebV/FkZQ:DW044gnwPnbAGmO83OR6BJZ9ATF
Yara
  • Admin_Tool_IN_Zero - Admin Tool Sysinternals
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Malicious_Packer_Zero - Malicious Packer
  • IsDLL - (no description)
  • Antivirus - Contains references to security software
  • IsPE32 - (no description)
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check
  • UPX_Zero - UPX packed file

Domains (Name / Response / Post-Analysis Lookup): none recorded ("No hosts contacted."), so the two peers below were reached by IP address without any DNS lookup.

IP Address       Status  Action
107.173.160.166  Active  Moloch
196.251.116.36   Active  Moloch

Suricata Alerts

Flow                                            SID      Signature                                              Category
TCP 196.251.116.36:443 -> 192.168.56.101:49204  2400037  ET DROP Spamhaus DROP Listed Traffic Inbound group 38  Misc Attack
TCP 196.251.116.36:443 -> 192.168.56.101:49204  2260003  SURICATA Applayer Protocol detection skipped           Generic Protocol Command Decode

Both alerts are on one flow, the reply direction of a connection opened by the guest (192.168.56.101, ephemeral port 49204) to 196.251.116.36 on port 443. The peer's netblock is on the Spamhaus DROP list, and Suricata skipped application-layer protocol detection on the flow (SID 2260003), which is consistent with the empty TLS table below: nothing on that port-443 connection was parsed as a TLS handshake.

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

API               Arguments                 Status  Return  Repeated
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: (empty)    0       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameW  computer_name: TEST22-PC  1       1       0
GetComputerNameA  computer_name: TEST22-PC  1       1       0

Eighteen host-name queries in one run (seventeen wide-character, one ANSI); the fourth call failed (status 0) and returned no name. TEST22-PC is the guest's name. Reading the host name repeatedly and comparing it against known analysis-machine names is a common sandbox check, which is why this table sits under the AntiVM tag.
Time & API Arguments Status Return Repeated

API                Arguments  Status  Return  Repeated
IsDebuggerPresent  (none)     0       0
IsDebuggerPresent  (none)     0       0
IsDebuggerPresent  (none)     0       0
IsDebuggerPresent  (none)     0       0
IsDebuggerPresent  (none)     0       0
IsDebuggerPresent  (none)     0       0
IsDebuggerPresent  (none)     0       0

Seven calls, each returning 0 (no debugger attached to the process). IsDebuggerPresent only reads the PEB's BeingDebugged flag, the simplest anti-debug test; it is the basis of the AntiDebug tag.
Time & API Arguments Status Return Repeated

Decoding the values in the rows below (ZeroBOX left the algorithm names blank):
  algorithm_identifier 0x00000001 = AT_KEYEXCHANGE; with this Algid CryptGenKey creates the provider's key-exchange pair, which the exported blobs show to be CALG_RSA_KEYX (0xA400);
  algorithm_identifier 0x00006610 = CALG_AES_256;
  flags 67108865 = 0x04000001: requested key length 1024 in the upper 16 bits, CRYPT_EXPORTABLE (0x1) in the lower; flags 1 = CRYPT_EXPORTABLE alone;
  blob_type 6 = PUBLICKEYBLOB, 7 = PRIVATEKEYBLOB, 8 = PLAINTEXTKEYBLOB;
  a CryptExportKey row whose buffer is <INVALID POINTER> is the size query (pbData = NULL) that precedes the real export with the same handle and blob type.
The exported buffers are binary shown as text: "¤RSA2" / "¤RSA1" are the printable bytes of a BLOBHEADER whose aiKeyAlg is 0xA400 followed by the RSAPUBKEY magic, and "f " is the BLOBHEADER for 0x6610 followed by the 32-byte key length (0x20). In sequence: two exportable 1024-bit RSA pairs, each exported as a private and a public blob, then fourteen fresh AES-256 keys, the first thirteen each exported in plaintext. No CryptEncrypt or CryptDecrypt call appears in this excerpt, so the report does not show what the keys were used for.
CryptGenKey

crypto_handle: 0x002b4fb8
algorithm_identifier: 0x00000001 ()
flags: 67108865
key:
provider_handle: 0x002acff0
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0

CryptExportKey

buffer: ¤RSA27x…0ó vÈ4q0ï¢Ö50¨…W[N·P¡Kdl~»kÆ>Pú]FÌ4d ø6Ãã2°Gì?ü»µìÏC!Nï{½³ã9:e0{-ª”û‚e³ÄµcIzê­y™öq!çüþb5ÎN& >ãWŒõ7½Ö\´ €œx‹Ð5ú)×Xä;ç7勜£OÇj’ëõ5Zº¦wÒv›Å扶h·ð¯˜a§šl7?óݖi=i–üö“šª·¡ÌEþII c¿|óŒÝás ùôá¢&Þb~¤K…O’8VLÊ äñv²hÖ î˜¾ŒQïÌRÔfe¹ô:çff¹öÑó넅ةà8§'~ã¯s„ !Ù¿Wœzªo ŽÜwP];^fgG9Dê–öÒÔ±5âƒËÓãWù¤æ–žê4áï¢+€k–ßDËÔ£·=P#K45†XÿJÙŽí¡ —qÀàŒ@ cnC2«Päth°Œ/2=´/¦ØTUʞ’¤·üý ßF¿ì¼ÂmAHŸš;h9HÊ%‚8pã&„ß“ž ÿ§vŸ©Pѵk‘š™^m/fFl^ 4LÂÝ2¯×¾ ³Å÷‰ ‘ÿ%`ÏA꟟’´½Kݦ€””ävQÆR•4©FŠ#)‚0ÉYÿ%kr1w&ސpçPÕF‡_üxv#zó×úvSV¶¥Ž5µYäqyð *² :ˆbFaáó¨LÚ"ñmköCKytÐÀì…]s<"
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: ¤RSA17x…0ó vÈ4q0ï¢Ö50¨…W[N·P¡Kdl~»kÆ>Pú]FÌ4d ø6Ãã2°Gì?ü»µìÏC!Nï{½³ã9:e0{-ª”û‚e³ÄµcIzê­y™öq!çüþb5ÎN& >ãWŒõ7½Ö\´ €œx‹Ð
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptGenKey

crypto_handle: 0x002b4fb8
algorithm_identifier: 0x00000001 ()
flags: 67108865
key:
provider_handle: 0x002a0ff0
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0

CryptExportKey

buffer: ¤RSA2ó+¦Í’óxW´+[•BŠW@ïA½“òSÓ #Fåò¼áÍðú´´¶íž¦_º,á}Ðç¾U]Ö>³SÃI V`SP(®öÆÔ.ÑíÑâµä:Žq¢ Âf½“ºIñ[2æúÌ($jG3ÐSºwežY}$“fBUv¤}³±è Ĺ鿂âÑí!)[ï}]ºç­ú,(wðւ™º˜nj¹fºAë/ÀÓ«bz³ƨy.&â™øÝ/˜q3¶Q)aðvĹ¯"ý,9l›}ðD=/DèöZN™p0Ž,ùN¥ÚtgÞ/H„q«Má2˜ .½w~Obæ>@ð‡®®[©ŸÆäß?r‹â¸ìt3©i׸¨ÌRrÂÄ*ñ²š¼÷Ò¢UÞ¢³»K boC<-ï&‰€þòÓgÄ·jh†€Ï5Ù'ÄX«PìÛ,”¿i¶#D…ô¤ WŠyPX>™™©“>‹KF Å©Ìbòȁ)ê°²u4RW9)¯ˆ|Xép-¦³Ù=År´Ç²¤o„ðcÒ°š/“[‹Òùmfìæ¤KЖ:Ó¹ †Æ3„âöèµùÀþõ¶îš6ö] ðE&WúâçöVA>yזóª–5hÏÝ‘nPPYNhLd¶ÌX`“ ãÌQg?päÇôS²K˜¿$è@ñYþ«„+=“ $jX Å6rxË[öÞÿ£Ï¦û´ƒd½/ªMúÃÁ캀ùÁ*oÇOÇE
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 7
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptExportKey

buffer: ¤RSA1ó+¦Í’óxW´+[•BŠW@ïA½“òSÓ #Fåò¼áÍðú´´¶íž¦_º,á}Ðç¾U]Ö>³SÃI V`SP(®öÆÔ.ÑíÑâµä:Žq¢ Âf½“ºIñ[2æúÌ($jG3ÐSºwežY}$“fBUv¤
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 6
1 1 0

CryptGenKey

crypto_handle: 0x002b5338
algorithm_identifier: 0x00006610 ()
flags: 1
key: f ÂWl=èa½j­éLòAÀ‚d…È1ëŸ~Uàô@”ï
provider_handle: 0x002d0870
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b5338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f ÂWl=èa½j­éLòAÀ‚d…È1ëŸ~Uàô@”ï
crypto_handle: 0x002b5338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b5078
algorithm_identifier: 0x00006610 ()
flags: 1
key: f ,+Lg!–06Üöº±U͕ØAb°ÕQ¡§ýtG¯…
provider_handle: 0x002d1870
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b5078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f ,+Lg!–06Üöº±U͕ØAb°ÕQ¡§ýtG¯…
crypto_handle: 0x002b5078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b5338
algorithm_identifier: 0x00006610 ()
flags: 1
key: f *_IÏÎ<ÄcҊk@r(×lÑUÿl¶€7çqí˜oW
provider_handle: 0x002d1870
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b5338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f *_IÏÎ<ÄcҊk@r(×lÑUÿl¶€7çqí˜oW
crypto_handle: 0x002b5338
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b5078
algorithm_identifier: 0x00006610 ()
flags: 1
key: f 8-£ŠÚÉ©ø;n7ž¥ì*wñ·Î¬@ÉôXE)L
provider_handle: 0x002d1870
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b5078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f 8-£ŠÚÉ©ø;n7ž¥ì*wñ·Î¬@ÉôXE)L
crypto_handle: 0x002b5078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b4fb8
algorithm_identifier: 0x00006610 ()
flags: 1
key: f ”ë !LS¦Ôë;lð÷ÛB˜p²KªQÈ,z÷[Æ|¼
provider_handle: 0x002d22b8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f ”ë !LS¦Ôë;lð÷ÛB˜p²KªQÈ,z÷[Æ|¼
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b5078
algorithm_identifier: 0x00006610 ()
flags: 1
key: f ‡-J¾pI¤ë³mJk“”ðøjsý£CBŽñ¡ Ø Ä
provider_handle: 0x002d22b8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b5078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f ‡-J¾pI¤ë³mJk“”ðøjsý£CBŽñ¡ Ø Ä
crypto_handle: 0x002b5078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b4fb8
algorithm_identifier: 0x00006610 ()
flags: 1
key: f ÎZýü,}3oÅËíð‘µåL@0ûr´_±ÆÉ“7È
provider_handle: 0x002d22b8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f ÎZýü,}3oÅËíð‘µåL@0ûr´_±ÆÉ“7È
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b5078
algorithm_identifier: 0x00006610 ()
flags: 1
key: f …;CÊýÑÇ¢ _8S\‡œÝ}}{ßÚJyi¥ˆÀ‹Š
provider_handle: 0x002d22b8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b5078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f …;CÊýÑÇ¢ _8S\‡œÝ}}{ßÚJyi¥ˆÀ‹Š
crypto_handle: 0x002b5078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b4fb8
algorithm_identifier: 0x00006610 ()
flags: 1
key: f *@/07ŸgH˜ïhøNO2°Ö¿oö¥À±‹vØ;k
provider_handle: 0x002d22b8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f *@/07ŸgH˜ïhøNO2°Ö¿oö¥À±‹vØ;k
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b5078
algorithm_identifier: 0x00006610 ()
flags: 1
key: f 0ĝϷ¸`SeñU»ÁCÎÖä¿S‘—rDù‚±
provider_handle: 0x002d22b8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b5078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f 0ĝϷ¸`SeñU»ÁCÎÖä¿S‘—rDù‚±
crypto_handle: 0x002b5078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b4fb8
algorithm_identifier: 0x00006610 ()
flags: 1
key: f @(ëè/z‡°+‘Œ9–7ÒÍÉ÷Êv<Ê®imsû f
provider_handle: 0x002d22b8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f @(ëè/z‡°+‘Œ9–7ÒÍÉ÷Êv<Ê®imsû f
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b5078
algorithm_identifier: 0x00006610 ()
flags: 1
key: f ρÇOÑ<Ež†`¢,ƀÍ΢`˜‰¨jmÛÏÚ(ãk
provider_handle: 0x002d22b8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b5078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f ρÇOÑ<Ež†`¢,ƀÍ΢`˜‰¨jmÛÏÚ(ãk
crypto_handle: 0x002b5078
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b4fb8
algorithm_identifier: 0x00006610 ()
flags: 1
key: f ‘gi‰ŠsVzÝÉDRž·{Òy0PYŠÏÔ%ò7®
provider_handle: 0x002d22b8
1 1 0

CryptExportKey

buffer: <INVALID POINTER>
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptExportKey

buffer: f ‘gi‰ŠsVzÝÉDRž·{Òy0PYŠÏÔ%ò7®
crypto_handle: 0x002b4fb8
flags: 0
crypto_export_handle: 0x00000000
blob_type: 8
1 1 0

CryptGenKey

crypto_handle: 0x002b5078
algorithm_identifier: 0x00006610 ()
flags: 1
key: f  úÜ*!/(òÎÛ4xIàr÷\ø°j÷V¨ŽÍbˆ
provider_handle: 0x002d22b8
1 1 0
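The buffers in the CryptExportKey rows above are CryptoAPI key blobs: a BLOBHEADER, then for blob types 6 and 7 an RSAPUBKEY header followed by little-endian integers, and for type 8 a DWORD length followed by the raw key. The Python below is an added example written for this page, not ZeroBOX code: it decodes a CryptGenKey Algid/dwFlags pair as the sandbox logs it, parses the three blob types, and re-encodes an RSA public blob as PKCS#1 DER so it can be handed to openssl. The two blobs it parses are constructed inline with the same headers as the report's rows (an AES-256 plaintext blob and a 1024-bit RSA1 public blob); the modulus is a placeholder integer, not a real RSA modulus and not one of the report's keys.

```python
"""Decode CryptoAPI key blobs and CryptGenKey flags from sandbox logs.

Added example for this report, not ZeroBOX code. Structures follow the
documented BLOBHEADER / RSAPUBKEY layouts; every blob below is constructed
here as test data and is not one of the report's keys.
"""
import struct

PUBLICKEYBLOB, PRIVATEKEYBLOB, PLAINTEXTKEYBLOB = 0x6, 0x7, 0x8  # BLOBHEADER.bType
CUR_BLOB_VERSION = 2
ALG_NAMES = {0xA400: "CALG_RSA_KEYX", 0x2400: "CALG_RSA_SIGN",
             0x660E: "CALG_AES_128", 0x660F: "CALG_AES_192", 0x6610: "CALG_AES_256"}
AT_NAMES = {1: "AT_KEYEXCHANGE", 2: "AT_SIGNATURE"}   # CryptGenKey Algid shortcuts
GENKEY_FLAGS = {0x1: "CRYPT_EXPORTABLE", 0x2: "CRYPT_USER_PROTECTED",
                0x4: "CRYPT_CREATE_SALT", 0x8: "CRYPT_UPDATE_KEY",
                0x10: "CRYPT_NO_SALT", 0x40: "CRYPT_PREGEN", 0x4000: "CRYPT_ARCHIVABLE"}


def decode_genkey(algid, flags):
    """Explain a CryptGenKey(Algid, dwFlags) row: the key length lives in the upper 16 bits."""
    return {"alg": AT_NAMES.get(algid) or ALG_NAMES.get(algid, hex(algid)),
            "key_bits": flags >> 16,
            "flags": [name for bit, name in GENKEY_FLAGS.items() if flags & bit]}


def parse_blob(blob):
    """Parse a PUBLICKEYBLOB, PRIVATEKEYBLOB or PLAINTEXTKEYBLOB; ValueError if malformed."""
    if len(blob) < 8:
        raise ValueError("shorter than BLOBHEADER")
    btype, bver, _reserved, algid = struct.unpack_from("<BBHI", blob, 0)
    if bver != CUR_BLOB_VERSION:
        raise ValueError("unexpected bVersion %d" % bver)
    info = {"type": btype, "alg": ALG_NAMES.get(algid, hex(algid))}
    if btype == PLAINTEXTKEYBLOB:                        # DWORD length + raw key bytes
        (keylen,) = struct.unpack_from("<I", blob, 8)
        key = blob[12:12 + keylen]
        if len(key) != keylen:
            raise ValueError("truncated key material")
        info["key"] = key
        return info
    if btype in (PUBLICKEYBLOB, PRIVATEKEYBLOB):          # RSAPUBKEY, then the integers
        magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
        if magic != (b"RSA1" if btype == PUBLICKEYBLOB else b"RSA2"):
            raise ValueError("bad RSAPUBKEY magic %r" % magic)
        nbytes, half, off = bitlen // 8, bitlen // 16, 20
        fields = [("n", nbytes)]
        if btype == PRIVATEKEYBLOB:
            fields += [("p", half), ("q", half), ("dp", half), ("dq", half), ("iq", half), ("d", nbytes)]
        for name, size in fields:
            chunk = blob[off:off + size]
            if len(chunk) != size:
                raise ValueError("truncated field " + name)
            info[name] = int.from_bytes(chunk, "little")  # CryptoAPI integers are little-endian
            off += size
        info.update(bits=bitlen, e=pubexp)
        return info
    raise ValueError("unsupported bType 0x%x" % btype)


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")     # spare byte keeps the sign bit clear
    return b"\x02" + _der_len(len(body)) + body


def rsa_public_der(info):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } (PKCS#1)."""
    body = _der_int(info["n"]) + _der_int(info["e"])
    return b"\x30" + _der_len(len(body)) + body


def build_sample_blobs():
    """Constructed blobs with the same headers as the report's rows (not its keys)."""
    aes_key = bytes(range(0x10, 0x30))                      # 32 placeholder bytes
    aes_blob = struct.pack("<BBHII", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, 0x6610, len(aes_key)) + aes_key
    n = (1 << 1023) | int.from_bytes(bytes(range(1, 129)), "big") | 1   # 1024-bit odd placeholder
    rsa_pub = (struct.pack("<BBHI", PUBLICKEYBLOB, CUR_BLOB_VERSION, 0, 0xA400)
               + b"RSA1" + struct.pack("<II", 1024, 65537) + n.to_bytes(128, "little"))
    return aes_blob, rsa_pub
```

decode_genkey(1, 67108865) yields AT_KEYEXCHANGE, 1024 bits, CRYPT_EXPORTABLE, which is the first CryptGenKey row; the constructed blobs reproduce the "f " and "¤RSA1" prefixes visible in the report's buffers at bytes 5-8. To recover a key from the page itself, the buffer text would first have to be mapped back to bytes (the HTML rendering dropped non-printable bytes, so the long RSA2 blobs shown above cannot be reconstructed losslessly from this page).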
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file C:\Program Files\Mozilla Firefox\firefox.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\NoModify
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe\Path
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

MachineGuid, DigitalProductId and InstallDate are per-installation values that malware commonly hashes into a victim or bot identifier. The chrome.exe and firefox.exe paths together with the App Paths and Uninstall keys are an installed-browser check; the profile files those browsers keep are read further down.
Time & API Arguments Status Return Repeated

API                   Arguments  Status  Return  Repeated
GlobalMemoryStatusEx  (none)     1       1       0

Time & API Arguments Status Return Repeated

__exception__

Reading this record: exception.module is monitor-x86.dll, the sandbox's own in-process hooking library, and the faulting instruction (mov word ptr [eax], 0 at 0x736ddf4a, a write to eax = 0x04060000) is in its registry-key string helper reg_get_key_uni, reached from its RegEnumValueW hook (the first two frames). The frames below them, at 0x34f75ea through 0x373ef37 and carrying Delphi RTL symbol names (TMethodImplementationIntercept, __dbk_fcall_wrapper), are the sample's own code running from the 5,836,800-byte RWX region allocated at 0x03260000 in the memory table further down. The access violation was therefore raised inside the monitor while it serviced the sample's registry enumeration; it is an analyzer-side fault, not exception handling by the sample. The fact worth keeping is that the unpacked code is Delphi-built.

stacktrace:
reg_get_key_uniz+0x3d reg_get_key_unistr-0x2 @ 0x736ddf99
New_advapi32_RegEnumValueW@32+0xb9 New_advapi32_RegOpenKeyExA@20-0xff @ 0x736e3991
TMethodImplementationIntercept+0xb777e init-0x25a1da @ 0x34f75ea
TMethodImplementationIntercept+0xbb4b5 init-0x2564a3 @ 0x34fb321
TMethodImplementationIntercept+0xbb821 init-0x256137 @ 0x34fb68d
TMethodImplementationIntercept+0xbb9fe init-0x255f5a @ 0x34fb86a
TMethodImplementationIntercept+0xbbbc8 init-0x255d90 @ 0x34fba34
TMethodImplementationIntercept+0xba881 init-0x2570d7 @ 0x34fa6ed
TMethodImplementationIntercept+0x185edf init-0x18ba79 @ 0x35c5d4b
TMethodImplementationIntercept+0x186883 init-0x18b0d5 @ 0x35c66ef
TMethodImplementationIntercept+0x186f9c init-0x18a9bc @ 0x35c6e08
TMethodImplementationIntercept+0x187059 init-0x18a8ff @ 0x35c6ec5
TMethodImplementationIntercept+0x190dcf init-0x180b89 @ 0x35d0c3b
TMethodImplementationIntercept+0x1903f7 init-0x181561 @ 0x35d0263
TMethodImplementationIntercept+0x1afe12 init-0x161b46 @ 0x35efc7e
TMethodImplementationIntercept+0x1afee3 init-0x161a75 @ 0x35efd4f
TMethodImplementationIntercept+0x2ff0cb init-0x1288d @ 0x373ef37
__dbk_fcall_wrapper-0x797e @ 0x3269dca
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x755c33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: 66 c7 00 00 00 8b 45 14 89 04 24 e8 3a fa ff ff
exception.symbol: reg_get_key_uni+0x9c reg_get_key_uniz-0x12
exception.instruction: mov word ptr [eax], 0
exception.module: monitor-x86.dll
exception.exception_code: 0xc0000005
exception.offset: 57162
exception.address: 0x736ddf4a
registers.esp: 72146952
registers.edi: 0
registers.eax: 67502080
registers.ebp: 72146992
registers.edx: 65536
registers.ebx: 0
registers.esi: 0
registers.ecx: 67502080
1 0 0
Time & API Arguments Status Return Repeated

API     Arguments                                         Status  Return  Repeated
bind    ip_address: 127.0.0.1  socket: 600   port: 17506  1       0       0
listen  socket: 600   backlog: 0                          1       0       0
bind    ip_address: 127.0.0.1  socket: 1044  port: 17511  1       0       0
listen  socket: 1044  backlog: 5                          1       0       0
accept  ip_address: 127.0.0.1  socket: 600   port: 49167  1       1096    0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49171  1       1104    0
accept  ip_address: 127.0.0.1  socket: 600   port: 49172  1       624     0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49173  1       1132    0
accept  ip_address: 127.0.0.1  socket: 600   port: 49174  1       748     0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49180  1       1468    0
accept  ip_address: 127.0.0.1  socket: 600   port: 49181  1       1480    0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49188  1       1524    0
accept  ip_address: 127.0.0.1  socket: 600   port: 49189  1       1512    0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49190  1       1148    0
accept  ip_address: 127.0.0.1  socket: 600   port: 49191  1       1164    0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49193  1       1028    0
accept  ip_address: 127.0.0.1  socket: 600   port: 49194  1       1504    0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49196  1       752     0
accept  ip_address: 127.0.0.1  socket: 600   port: 49197  1       768     0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49198  1       752     0
accept  ip_address: 127.0.0.1  socket: 600   port: 49199  1       760     0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49200  1       980     0
accept  ip_address: 127.0.0.1  socket: 600   port: 49201  1       784     0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49202  1       756     0
accept  ip_address: 127.0.0.1  socket: 600   port: 49203  1       980     0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49205  1       1544    0
accept  ip_address: 127.0.0.1  socket: 600   port: 49206  1       1536    0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49207  1       532     0
accept  ip_address: 127.0.0.1  socket: 600   port: 49208  1       1548    0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49209  1       1484    0
accept  ip_address: 127.0.0.1  socket: 600   port: 49210  1       1500    0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49211  1       532     0
accept  ip_address: 127.0.0.1  socket: 600   port: 49212  1       744     0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49213  1       1200    0
accept  ip_address: 127.0.0.1  socket: 600   port: 49214  1       532     0
accept  ip_address: 127.0.0.1  socket: 1044  port: 49215  1       1028    0
accept  ip_address: 127.0.0.1  socket: 600   port: 49216  1       648     0

Two listening sockets, both bound to the loopback interface only (127.0.0.1:17506 with backlog 0 and 127.0.0.1:17511 with backlog 5). The 33 accepted connections alternate strictly between the two listeners and every peer address is 127.0.0.1, so all clients are processes on the guest itself; the return column of accept is the new connected socket. The ports in the accept rows are the clients' ephemeral source ports, not ports the sample listens on, so the only listening ports to look for on a host are 17506 and 17511.
Time & API Arguments Status Return Repeated

Common to every row: process_identifier 2552, process_handle 0xffffffff (the calling process itself), stack_dep_bypass 0, stack_pivoted 0, heap_dep_bypass 0, protection 64 (PAGE_EXECUTE_READWRITE), status 1, return 0, repeated 0.

API                      base_address  length / region_size  allocation_type
NtProtectVirtualMemory   0x73660000    4096
NtProtectVirtualMemory   0x735e1000    4096
NtProtectVirtualMemory   0x73551000    4096
NtProtectVirtualMemory   0x73514000    4096
NtProtectVirtualMemory   0x735e2000    4096
NtProtectVirtualMemory   0x73c11000    4096
NtAllocateVirtualMemory  0x02cd0000    5779456               4096 (MEM_COMMIT)
NtAllocateVirtualMemory  0x03260000    5836800               12288 (MEM_COMMIT|MEM_RESERVE)
NtProtectVirtualMemory   0x73bf1000    4096
NtProtectVirtualMemory   0x73be1000    4096
NtProtectVirtualMemory   0x73bc1000    4096
NtProtectVirtualMemory   0x73bb1000    4096
NtProtectVirtualMemory   0x75bf1000    4096
NtProtectVirtualMemory   0x75d41000    4096
NtProtectVirtualMemory   0x75e61000    4096
NtProtectVirtualMemory   0x76161000    4096
NtProtectVirtualMemory   0x764b1000    4096
NtProtectVirtualMemory   0x73931000    4096
NtProtectVirtualMemory   0x733e1000    4096
NtProtectVirtualMemory   0x73381000    4096
NtProtectVirtualMemory   0x73361000    4096
NtProtectVirtualMemory   0x73321000    4096
NtProtectVirtualMemory   0x732f1000    4096
NtProtectVirtualMemory   0x72d41000    4096
NtProtectVirtualMemory   0x732e1000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtAllocateVirtualMemory  0x00820000    4096                  12288 (MEM_COMMIT|MEM_RESERVE)
NtProtectVirtualMemory   0x732d1000    4096
NtProtectVirtualMemory   0x732b1000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x73291000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096
NtProtectVirtualMemory   0x76f2f000    4096

Reading the table: the two large RWX allocations (5,779,456 and 5,836,800 bytes) are within 4 KB and 60 KB of the raw size of the packed .text section (0x582200 = 5,775,872 bytes, see the entropy rows below), and the exception stack trace above places the sample's code inside the second one (0x03260000 to 0x037f1000), so the DLL unpacks itself into RWX memory and runs from there. Each NtProtectVirtualMemory row makes a single 4 KB page of an already loaded module writable and executable; almost every address is a 64 KB-aligned module base plus 0x1000, i.e. the first page of a DLL's code section, across roughly two dozen system DLLs in the 0x72d40000-0x764b0000 range. 0x76f2f000 is ntdll+0x1f000 (ntdll's base is 0x76f10000, from the trace's ntdll+0x39ed2 = 0x76f49ed2) and is flipped 21 times, the pattern of code being patched in place (hooks written and rewritten) rather than a one-off fixup.
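The three things a reader has to do by hand with the tables above (count how often one page is made RWX, match RWX allocation sizes against the packed section, and check whether the stack-trace addresses fall inside those allocations) are mechanical once the call records are parsed. The Python below is an added example for this page, not ZeroBOX code: it parses records in the layout ZeroBOX exports them (an API name, "key: value" argument lines, then a "status return [repeated]" row) and implements those checks plus a count of the environment-probing calls from the GetComputerName and IsDebuggerPresent tables. SAMPLE_TABLE is a constructed excerpt assembled from values on this page; the section size 0x582200 and the address 0x34f75ea are the page's own.

```python
"""Triage the flattened ZeroBOX call tables on this page.

Added example for this report, not ZeroBOX code. Parses records in the
layout ZeroBOX exports them (API name, "key: value" argument lines, then a
"status return [repeated]" row). SAMPLE_TABLE is a constructed excerpt
assembled from values that appear on this page.
"""
import re
from collections import Counter

PAGE_EXECUTE_READWRITE = 64
RESULT_RE = re.compile(r"^(\d+)\s+(\d+)(?:\s+(\d+))?$")

SAMPLE_TABLE = """
Time & API Arguments Status Return Repeated
GetComputerNameW
computer_name: TEST22-PC
1 1 0
GetComputerNameW
computer_name:
0 0
NtProtectVirtualMemory
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f2f000
1 0 0
NtProtectVirtualMemory
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76f2f000
1 0 0
NtAllocateVirtualMemory
region_size: 5836800
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03260000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
1 0 0
NtAllocateVirtualMemory
region_size: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00820000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
1 0 0
"""


def parse_calls(text):
    """Return [{api, args, status, return, repeated}] from a flattened call table."""
    calls, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Time & API"):
            continue
        m = RESULT_RE.match(line)
        if m and cur is not None:                    # closing "status return [repeated]" row
            cur["status"], cur["return"] = int(m.group(1)), int(m.group(2))
            cur["repeated"] = int(m.group(3)) if m.group(3) else None
            calls.append(cur)
            cur = None
        elif ":" in line and cur is not None:        # "key: value" argument row
            key, _, val = line.partition(":")
            cur["args"][key.strip()] = val.strip()
        else:                                        # a bare API name opens a record
            cur = {"api": line, "args": {}}
    return calls


def _protection(call):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64."""
    return int(call["args"].get("protection", "0").split()[0])


def rwx_hotspots(calls, min_hits=2):
    """Pages made PAGE_EXECUTE_READWRITE more than once: code being patched in place."""
    hits = Counter(int(c["args"]["base_address"], 16) for c in calls
                   if c["api"] == "NtProtectVirtualMemory"
                   and _protection(c) == PAGE_EXECUTE_READWRITE)
    return [(hex(base), n) for base, n in hits.most_common() if n >= min_hits]


def rwx_regions_near(calls, size, slack=0x10000):
    """RWX allocations sized between `size` and `size + slack`: a section being unpacked."""
    out = []
    for c in calls:
        if c["api"] == "NtAllocateVirtualMemory" and _protection(c) == PAGE_EXECUTE_READWRITE:
            base, n = int(c["args"]["base_address"], 16), int(c["args"]["region_size"])
            if 0 <= n - size < slack:
                out.append((base, base + n))
    return out


def address_in(addr, regions):
    """Does a stack-trace address fall inside one of the flagged regions?"""
    return any(lo <= addr < hi for lo, hi in regions)


def fingerprint_counts(calls):
    """How often the environment-probing APIs behind the AntiVM/AntiDebug tags were called."""
    watched = {"GetComputerNameW", "GetComputerNameA", "GetDiskFreeSpaceExW",
               "GlobalMemoryStatusEx", "IsDebuggerPresent", "Process32NextW"}
    return Counter(c["api"] for c in calls if c["api"] in watched)
```

Fed the full memory table from this page, rwx_hotspots reports 0x76f2f000 with 21 hits, rwx_regions_near(calls, 0x582200) returns both large allocations (at 0x02cd0000 and 0x03260000, 3,584 and 60,928 bytes larger than the section respectively), and address_in(0x34f75ea, ...) is true for the second, which is the link between the memory table and the exception stack trace. The parser targets the regular call tables only; the exception record's multi-line stack trace has no "key: value" form and would need separate handling.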
description rundll32.exe tried to sleep 856 seconds, actually delayed analysis time by 856 seconds. The delay was honoured in full (requested and actual are equal), and 856 s is roughly 14 of the 15 minutes of the run (11:08 to 11:23), so the behaviour tables on this page reflect only the remaining execution time.
Time & API Arguments Status Return Repeated

API                  root_path  total_number_of_bytes  total_number_of_free_bytes  free_bytes_available  Status  Return  Repeated
GetDiskFreeSpaceExW  C:\        34252779520            13312876544                 13312876544           1       1       0
GetDiskFreeSpaceExW  C:\        34252779520            13308608512                 0                     1       1       0

The system volume is about 32 GB (34,252,779,520 bytes) with about 13.3 GB free. A small fixed disk is a common VM indicator, which is why this query is reported alongside the host-name, memory and WMI checks; the second call's free_bytes_available of 0 is shown as recorded.
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\test22\AppData\Local\Google\Chrome\User Data
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Preferences
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file C:\Users\test22\AppData\Roaming\Opera\wand.dat
file C:\Users\test22\AppData\Local\Programs\Opera\
file C:\Users\test22\AppData\Local\Yandex\YandexBrowser\Application\browser.exe
registry HKEY_CURRENT_USER\Software\Opera Software
file C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\prefs.js

The Chrome files are the profile's SQLite stores for saved logins (Login Data), cookies (Cookies) and autofill and payment data (Web Data); wand.dat is Opera's legacy password store and prefs.js holds the Firefox profile's settings. Together with the Yandex Browser path and the Opera registry key this is a credential-store sweep across installed browsers, which is what the PWS tag reflects.

wmi SELECT * FROM Win32_NetworkAdapter
wmi SELECT * FROM Win32_OperatingSystem
wmi SELECT * FROM Win32_ComputerSystem

The three WMI queries return, among other things, MAC addresses, the OS build and the machine's manufacturer and model, the values VM-detection code typically compares against known hypervisor strings.
section  .text: virtual_address 0x00001000, virtual_size 0x0058202c, size_of_data 0x00582200, entropy 7.1768  description A section with a high entropy has been found
entropy  0.9996 (share of the file's section data that is high-entropy)  description Overall entropy of this PE file is high

.text holds 5,775,872 raw bytes, almost the whole 5.5 MB file, at 7.18 bits per byte: the body is compressed or encrypted, matching the UPX_Zero and Malicious_Packer_Zero YARA hits and the RWX self-unpacking in the memory table above.
Time & API Arguments Status Return Repeated

API                    Arguments                                            Status  Return  Repeated
LookupPrivilegeValueW  system_name: (empty)  privilege_name: SeDebugPrivilege  1       1       0
LookupPrivilegeValueW  system_name: (empty)  privilege_name: SeDebugPrivilege  1       1       0
LookupPrivilegeValueW  system_name: (empty)  privilege_name: SeDebugPrivilege  1       1       0
LookupPrivilegeValueW  system_name: (empty)  privilege_name: SeDebugPrivilege  1       1       0
LookupPrivilegeValueW  system_name: (empty)  privilege_name: SeDebugPrivilege  1       1       0
LookupPrivilegeValueW  system_name: (empty)  privilege_name: SeDebugPrivilege  1       1       0
LookupPrivilegeValueW  system_name: (empty)  privilege_name: SeDebugPrivilege  1       1       0

An empty system_name means the local machine. LookupPrivilegeValueW only resolves SeDebugPrivilege to its LUID; it is the first half of the usual enable-privilege sequence, and the AdjustTokenPrivileges call that would actually enable it is not in this excerpt. SeDebugPrivilege lets a process open other processes regardless of their ACLs, so seven lookups line up with the repeated process-list walks in the next table.
Time & API Arguments Status Return Repeated

API             snapshot_handle  process_name  process_identifier  Status  Return  Repeated
Process32NextW  0x000002e8       (empty)       1995716766          0       0
Process32NextW  0x00000448       rundll32.exe  2988                0       0
Process32NextW  0x0000041c       rundll32.exe  2988                0       0
Process32NextW  0x0000041c       rundll32.exe  2988                0       0
Process32NextW  0x00000488       rundll32.exe  2988                0       0
Process32NextW  0x00000488       rundll32.exe  2988                0       0
Process32NextW  0x00000488       rundll32.exe  2988                0       0
Process32NextW  0x00000488       rundll32.exe  2988                0       0
Process32NextW  0x000004a0       rundll32.exe  2988                0       0
Process32NextW  0x000004a0       rundll32.exe  2988                0       0
Process32NextW  0x000004a0       rundll32.exe  2988                0       0
Process32NextW  0x000004a0       rundll32.exe  2988                0       0
Process32NextW  0x00000458       rundll32.exe  2988                0       0
Process32NextW  0x00000458       rundll32.exe  2988                0       0
Process32NextW  0x00000458       rundll32.exe  2988                0       0
Process32NextW  0x00000458       rundll32.exe  2988                0       0
Process32NextW  0x000002e0       rundll32.exe  2988                0       0
Process32NextW  0x000002e0       rundll32.exe  2988                0       0
Process32NextW  0x000002e0       rundll32.exe  2988                0       0
Process32NextW  0x00000430       rundll32.exe  2988                0       0
Process32NextW  0x0000046c       rundll32.exe  2988                0       0
Process32NextW  0x0000046c       rundll32.exe  2988                0       0
Process32NextW  0x00000470       rundll32.exe  2988                0       0
Process32NextW  0x00000450       rundll32.exe  2988                0       0
Process32NextW  0x000002ec       rundll32.exe  2988                0       0
Process32NextW  0x000002ec       rundll32.exe  2988                0       0
Process32NextW  0x00000288       rundll32.exe  2988                0       0
Process32NextW  0x00000288       rundll32.exe  2988                0       0
Process32NextW  0x00000478       rundll32.exe  2988                0       0
Process32NextW  0x00000478       rundll32.exe  2988                0       0
Process32NextW  0x00000478       rundll32.exe  2988                0       0
Process32NextW  0x00000488       rundll32.exe  2988                0       0
Process32NextW  0x00000488       rundll32.exe  2988                0       0
Process32NextW  0x0000041c       rundll32.exe  2988                0       0
Process32NextW  0x0000041c       rundll32.exe  2988                0       0
Process32NextW  0x00000454       rundll32.exe  2988                0       0
Process32NextW  0x00000454       rundll32.exe  2988                0       0
Process32NextW  0x00000454       rundll32.exe  2988                0       0
Process32NextW  0x00000454       rundll32.exe  2988                0       0
Process32NextW  0x000005a0       WmiPrvSE.exe  2172                0       0
Process32NextW  0x000005a0       WmiPrvSE.exe  2172                0       0
Process32NextW  0x000005a0       WmiPrvSE.exe  2172                0       0
Process32NextW  0x000005c0       WmiPrvSE.exe  2172                (the page ends here; no result row was captured)

Every row has return 0. Process32NextW returns FALSE once a snapshot is exhausted and does not overwrite the caller's PROCESSENTRY32 on that call, so what is logged here is consistent with the last entry of each walk: a rundll32.exe with PID 2988 (distinct from the analysed process, PID 2552 in the memory table) and, once the WMI queries had started the provider host, WmiPrvSE.exe with PID 2172. About twenty distinct snapshot handles mean the process list was walked to its end that many times, the polling typical of analysis-tool detection. The first row (empty name, process_identifier 1995716766 = 0x76f4389e, which looks like a leftover pointer into ntdll rather than a PID) is an uninitialised structure from a walk whose first call already failed.
0 0

Process32NextW

snapshot_handle: 0x00000550
process_name: WmiPrvSE.exe
process_identifier: 2172
0 0

Process32NextW

snapshot_handle: 0x00000550
process_name: chrome.exe
process_identifier: 2456
0 0

Process32NextW

snapshot_handle: 0x00000550
process_name: chrome.exe
process_identifier: 2456
0 0

Process32NextW

snapshot_handle: 0x00000550
process_name: chrome.exe
process_identifier: 2456
0 0

Process32NextW

snapshot_handle: 0x00000550
process_name: chrome.exe
process_identifier: 2456
0 0

Process32NextW

snapshot_handle: 0x00000550
process_name: WmiPrvSE.exe
process_identifier: 2172
0 0

Process32NextW

snapshot_handle: 0x00000550
process_name: WmiPrvSE.exe
process_identifier: 2172
0 0
rule Network_TCP_Socket: Communications over RAW Socket
rule Generic_PWS_Memory_Zero: PWS Memory
rule DebuggerCheck__GlobalFlags: (no description)
rule DebuggerCheck__QueryInfo: (no description)
rule DebuggerHiding__Thread: (no description)
rule DebuggerHiding__Active: (no description)
rule ThreadControl__Context: (no description)
rule SEH__vectored: (no description)
rule anti_dbg: Checks if being debugged
rule disable_dep: Bypass DEP
rule KeyLogger: Run a KeyLogger
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x000003c8
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x000003cc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
base_handle: 0x80000002
key_handle: 0x000003bc
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
base_handle: 0x80000002
key_handle: 0x0000040c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}
1 0 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2256
process_handle: 0x000005b8
0 0

NtTerminateProcess

status_code: 0x00000000
process_identifier: 2256
process_handle: 0x000005b8
1 0 0
wmi SELECT * FROM Win32_ComputerSystem
buffer Buffer with sha1: 63bcb8a7dadf7974c7c6a90f15f051c5acc97498
host 107.173.160.166
host 196.251.116.36
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

process_identifier: 2988
region_size: 2260992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00280000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000444
1 0 0
file C:\Program Files (x86)\AVAST Software\Browser\Application\AvastBrowser.exe
file C:\Program Files\AVAST Software\Browser\Application\AvastBrowser.exe
file C:\Users\test22\AppData\Local\AVAST Software\Browser\Application\AvastBrowser.exe
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving
registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonZoneCrossing
file C:\ProgramData\FlashFXP\4\History.dat
file C:\Users\test22\AppData\Local\FlashFXP\4\Quick.dat
file C:\Users\test22\AppData\Roaming\FlashFXP\4\Quick.dat
file C:\ProgramData\FlashFXP\3\Sites.dat
file C:\ProgramData\FlashFXP\4\Quick.dat
file C:\Users\test22\AppData\Local\FlashFXP\4\History.dat
file C:\Users\test22\AppData\Local\FlashFXP\3\Sites.dat
file C:\Users\test22\AppData\Roaming\FlashFXP\3\Quick.dat
file C:\ProgramData\FlashFXP\3\Quick.dat
file C:\ProgramData\FlashFXP\3\History.dat
file C:\ProgramData\FlashFXP\4\Sites.dat
file C:\Users\test22\AppData\Roaming\FlashFXP\4\History.dat
file C:\Users\test22\AppData\Roaming\FlashFXP\4\Sites.dat
file C:\Users\test22\AppData\Local\FlashFXP\3\Quick.dat
file C:\Users\test22\AppData\Local\FlashFXP\3\History.dat
file C:\Users\test22\AppData\Roaming\FlashFXP\3\History.dat
file C:\Users\test22\AppData\Local\FlashFXP\4\Sites.dat
file C:\Users\test22\AppData\Roaming\FlashFXP\3\Sites.dat
file C:\ProgramData\VanDyke\Config\Sessions\
file C:\Users\test22\AppData\Local\VanDyke\Config\Sessions\
file C:\Users\test22\AppData\Roaming\VanDyke\Config\Sessions\
file C:\Users\test22\AppData\Local\FTP Explorer\profiles.xml
file C:\ProgramData\FTP Explorer\profiles.xml
file C:\Users\test22\AppData\Roaming\FTP Explorer\profiles.xml
file C:\ProgramData\SmartFTP\Favorites.dat
file C:\Users\test22\AppData\Roaming\SmartFTP\History.dat
file C:\Users\test22\AppData\Local\SmartFTP\History.dat
file C:\ProgramData\SmartFTP\Client 2.0\Favorites\Favorites.dat
file C:\ProgramData\SmartFTP\History.dat
file C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\Favorites.dat
file C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\
file C:\Users\test22\AppData\Roaming\SmartFTP\Favorites.dat
file C:\Users\test22\AppData\Local\SmartFTP\Favorites.dat
file C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
file C:\ProgramData\SmartFTP\Client 2.0\Favorites\
file C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Favorites.dat
file C:\Users\test22\AppData\Roaming\TurboFTP\addrbk.dat
file C:\Users\test22\AppData\Roaming\FTPRush\RushSite.xml
file C:\Users\test22\wcx_ftp.ini
file C:\Users\test22\AppData\Roaming\FileZilla\sitemanager.xml
file C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry HKEY_CURRENT_USER\SOFTWARE\Far\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\SOFTWARE\Far2\Plugins\FTP\Hosts
registry HKEY_CURRENT_USER\Software\Far\SavedDialogHistory\FTPHost
registry HKEY_CURRENT_USER\Software\Far2\SavedDialogHistory\FTPHost
registry HKEY_LOCAL_MACHINE\Software\Ghisler\Windows Commander
registry HKEY_CURRENT_USER\Software\Ghisler\Windows Commander
registry HKEY_CURRENT_USER\Software\Ghisler\Total Commander
registry HKEY_LOCAL_MACHINE\Software\Ghisler\Total Commander
registry HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Main
Time & API Arguments Status Return Repeated

RegQueryValueExW

key_handle: 0x00000410
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x000003c4
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000041c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000041c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000420
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000420
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000420
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000420
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000428
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000042c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000448
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000448
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000448
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000448
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000448
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Access MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-0015-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000448
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000041c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000042c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000042c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000042c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000042c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000042c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: HttpWatch Professional 9.3.39
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{01B845D4-B73E-4CF7-A377-94BC7BB4F77B}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000448
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000438
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000438
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000438
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000488
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office OneNote MUI (Korean) 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{90120000-00A1-0412-0000-0000000FF1CE}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000041c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000041c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x0000041c
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000488
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Microsoft Office Enterprise 2007
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ENTERPRISE\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000488
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000488
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{1D91F7DA-F517-4727-9E62-B7EA978BE980}\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000488
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: 한컴오피스 한글 2010
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Haansoft HWord 80 Korean\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000430
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: Chrome
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
1 0 0

RegQueryValueExW

key_handle: 0x00000490
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
value: EditPlus
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\EditPlus\DisplayName
1 0 0
Time & API Arguments Status Return Repeated

SetWindowsHookExW

thread_identifier: 0
callback_function: 0x0373d1e8
hook_identifier: 13 (WH_KEYBOARD_LL)
module_address: 0x00000000
1 328047 0
file C:\ProgramData\SmartFTP\Favorites.dat
file C:\Users\test22\AppData\Roaming\SmartFTP\History.dat
file C:\Users\test22\AppData\Local\SmartFTP\History.dat
file C:\ProgramData\SmartFTP\Client 2.0\Favorites\Favorites.dat
file C:\ProgramData\SmartFTP\History.dat
file C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\Favorites.dat
file C:\Users\test22\AppData\Local\SmartFTP\Client 2.0\Favorites\
file C:\Users\test22\AppData\Roaming\SmartFTP\Favorites.dat
file C:\Users\test22\AppData\Local\SmartFTP\Favorites.dat
file C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\
file C:\ProgramData\SmartFTP\Client 2.0\Favorites\
file C:\Users\test22\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Favorites.dat
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
registry HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Import
registry HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry HKEY_CURRENT_USER\Software\Poco Systems Inc\PocoMail 4
registry HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Scribe\Protocols\mailto\shell
registry HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\6D45B94ED65476A6F9B29C49D3D4A28288EDAC40\Blob
Time & API Arguments Status Return Repeated

NtWriteFile

buffer: // Mozilla User Preferences // DO NOT EDIT THIS FILE. // // If you make changes to this file while the application is running, // the changes will be overwritten when the application exits. // // To change a preference value, you can either: // - modify it via the UI (e.g. via about:config in the browser); or // - set it within a user.js file in your profile. user_pref("app.installation.timestamp", "133087271025332031"); user_pref("app.normandy.first_run", false); user_pref("app.normandy.migrationsApplied", 12); user_pref("app.normandy.user_id", "2855b7b1-3af9-4497-acb5-686dcaa31c47"); user_pref("app.shield.optoutstudies.enabled", false); user_pref("app.update.auto.migrated", true); user_pref("app.update.background.lastInstalledTaskVersion", 3); user_pref("app.update.background.previous.reasons", "[\"app.update.auto=false\",\"app.update.langpack.enabled=true and at least one langpack is installed\"]"); user_pref("app.update.background.rolledout", true); user_pref("app.update.lastUpdateTime.addon-background-update-timer", 0); user_pref("app.update.lastUpdateTime.background-update-timer", 1664253878); user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1664253533); user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1664253765); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1664253506); user_pref("app.update.lastUpdateTime.search-engine-update-timer", 1664253649); user_pref("app.update.lastUpdateTime.services-settings-poll-changes", 0); user_pref("app.update.lastUpdateTime.telemetry_modules_ping", 1664253561); user_pref("app.update.lastUpdateTime.telemetry_untrustedmodules_ping", 0); user_pref("app.update.lastUpdateTime.xpi-signature-verification", 0); user_pref("app.update.migrated.updateDir3.308046B0AF4A39CB", true); user_pref("app.update.service.enabled", false); user_pref("browser.bookmarks.addedImportButton", true); 
user_pref("browser.bookmarks.restore_default_bookmarks", false); user_pref("browser.contentblocking.category", "custom"); user_pref("browser.contextual-services.contextId", "{45d8cf56-f6a3-47b5-90bb-f1357160be28}"); user_pref("browser.download.viewableInternally.typeWasRegistered.avif", true); user_pref("browser.download.viewableInternally.typeWasRegistered.webp", true); user_pref("browser.laterrun.bookkeeping.profileCreationTime", 1664253506); user_pref("browser.laterrun.bookkeeping.sessionCount", 1); user_pref("browser.laterrun.enabled", true); user_pref("browser.launcherProcess.enabled", true); user_pref("browser.migration.version", 128); user_pref("browser.newtabpage.activity-stream.impressionId", "{58eea94c-a09e-4f5e-9166-73e6a44cdef7}"); user_pref("browser.newtabpage.storageVersion", 1); user_pref("browser.pageActions.persistedActions", "{\"ids\":[\"bookmark\"],\"idsInUrlbar\":[\"bookmark\"],\"idsInUrlbarPreProton\":[],\"version\":1}"); user_pref("browser.pagethumbnails.storage_version", 3); user_pref("browser.proton.toolbar.version", 3); user_pref("browser.region.update.updated", 1664253506); user_pref("browser.safebrowsing.malware.enabled", false); user_pref("browser.safebrowsing.phishing.enabled", false); user_pref("browser.safebrowsing.provider.google4.lastupdatetime", "1664253568000"); user_pref("browser.safebrowsing.provider.google4.nextupdatetime", "1664255363000"); user_pref("browser.safebrowsing.provider.mozilla.lastupdatetime", "1664253603826"); user_pref("browser.safebrowsing.provider.mozilla.nextupdatetime", "1664275203826"); user_pref("browser.search.region", "KR"); user_pref("browser.sessionstore.resume_session_once", true); user_pref("browser.sessionstore.resuming_after_os_restart", true); user_pref("browser.shell.checkDefaultBrowser", false); user_pref("browser.shell.didSkipDefaultBrowserCheckOnFirstRun", true); user_pref("browser.startup.couldRestoreSession.count", 1); user_pref("browser.startup.homepage_override.buildID", "20220922151854"); 
user_pref("browser.startup.homepage_override.mstone", "105.0.1"); user_p
offset: 0
file_handle: 0x00000278
filepath: C:\Users\test22\AppData\Roaming\Mozilla\Firefox\Profiles\qxo5wa6x.default-release\prefs.js
1 0 0
process system
process lsm.exe
process srvany.exe
process: potential process injection target csrss.exe
process pw.exe
process: potential process injection target smss.exe
process: potential process injection target svchost.exe
process rundll32.exe
process wmiprvse.exe
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2260 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x90,0x94,0x98,0x8c,0x9c,0x7fef496f1e8,0x7fef496f1f8,0x7fef496f208
parent_process chrome.exe martian_process "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod= --annotation=ver= --initial-client-data=0x154,0x158,0x15c,0x150,0x160,0x7fef3dd7218,0x7fef3dd7228,0x7fef3dd7238
Time & API Arguments Status Return Repeated

CryptHashData

buffer: 017bd04f-b3bf-45b6-8167-9e8f41ff87bfIntel64 Family 6 Model 158 Stepping 10Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz7601.17514.amd64fre.win7sp1_rtm.101119-18507b7c15f9-747a-455f-9ba5-f521dde4252d50468-314-9727586-309127C6024AD20181311432220{3d3783a0-703a-11de-8c7a-806e6f6e6963}TEST22-PC58E039D2709917CAEA7B43AF20558078
hash_handle: 0x002b4fb8
flags: 0
1 1 0

CryptHashData

buffer: 017bd04f-b3bf-45b6-8167-9e8f41ff87bfIntel64 Family 6 Model 158 Stepping 10Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz7601.17514.amd64fre.win7sp1_rtm.101119-18507b7c15f9-747a-455f-9ba5-f521dde4252d50468-314-9727586-309127C6024AD20181311432220{3d3783a0-703a-11de-8c7a-806e6f6e6963}TEST22-PC58E039D2709917CAEA7B43AF20558078
hash_handle: 0x002b4fb8
flags: 0
1 1 0

CryptHashData

buffer: BFEA4F29BA8F83B4F7C42D9203465C26—@ìúÿÀëTæ@L User: test22 OS: Windows 7 Service Pack 1 (Version 6.1, Build 7601, 64-bit Edition) Computer: TEST22-PC Local_Country: Korea Language: Korean Desktop: 1024x768x32 Uptime: 0d 6h 41m HDDs: C(12692mb/32665mb) Browsers: Firefox=105.0.1.0 IE=9.0.8112.16684 Chrome=65.0.3325.181 Processes: C:\Windows\System32\smss.exe C:\Windows\System32\csrss.exe C:\Windows\System32\wininit.exe C:\Windows\System32\winlogon.exe C:\Windows\System32\services.exe C:\Windows\System32\lsass.exe C:\Windows\System32\lsm.exe C:\Windows\System32\svchost.exe C:\Windows\System32\spoolsv.exe C:\Windows\SysWOW64\srvany.exe C:\Windows\KMService.exe C:\Windows\System32\conhost.exe C:\Windows\System32\taskhost.exe C:\Windows\System32\sppsvc.exe C:\Windows\System32\dwm.exe C:\Windows\explorer.exe C:\Python27\pw.exe C:\Windows\System32\SearchIndexer.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\wbem\WmiPrvSE.exe Default browser: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome Installed path: C:\PROGRAM FILES (X86)\EDITPLUS\REMOVE.EXE "C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\OFFICE12\OFFICE SETUP CONTROLLER\SETUP.EXE "C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\65.0.3325.181\INSTALLER\SETUP.EXE MSIEXEC /I {1D91F7DA-F517-4727-9E62-B7EA978BE980} C:\PROGRAM FILES (X86)\_HTTPWATCH\UNINSTALL.EXE MSIEXEC.EXE "C:\PROGRAMDATA\PACKAGE CACHE\{D992C12E-CAB2-426F-BDE3-FB8C53950B0D}\VC_REDIST.X64.EXE Installed names: EditPlus ENTERPRISE Google Chrome Haansoft HWord 80 Korean {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} {90120000-0015-0412-0000-0000000FF1CE} {90120000-0016-0412-0000-0000000FF1CE} {90120000-0018-0412-0000-0000000FF1CE} {90120000-0019-0412-0000-0000000FF1CE} {90120000-001A-0412-0000-0000000FF1CE} {90120000-001B-0412-0000-0000000FF1CE} {90120000-001F-0409-0000-0000000FF1CE} {90120000-001F-0412-0000-0000000FF1CE} 
{90120000-0028-0412-0000-0000000FF1CE} {90120000-002C-0412-0000-0000000FF1CE} {90120000-0030-0000-0000-0000000FF1CE} {90120000-0044-0412-0000-0000000FF1CE} {90120000-006E-0409-0000-0000000FF1CE} {90120000-006E-0412-0000-0000000FF1CE} {90120000-00A1-0412-0000-0000000FF1CE} {90120000-00BA-0409-0000-0000000FF1CE} {90120000-0114-0412-0000-0000000FF1CE} {939659F3-71D2-461F-B24D-91D05A4389B4} {9B84A461-3B4C-40E2-B44F-CE22E215EE40} {d992c12e-cab2-426f-bde3-fb8c53950b0d} OS Name: Microsoft Windows 7 Professional KN OS Version: 6.1.7601 Build 7601 System Manufacturer: innotek GmbH System Model: VirtualBox System Type: x64-based PC Processor Name: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz Total Physical Memory: 5,120 MB Network Card [1]: Name: Connection Name: Status: DHCP Enabled: DHCP Server: IP address: MAC Address: 94:DE:27:8C:32:74 Mute: 0 Volume: 67 Wifi: Error Bluetooth: Error Printer: Error Wallpaper: 0 Tray: 2 SystemHiddenFiles: Error BiosTime: 03/19/25 08:48:55 IsBattery: 0 PowerLevel: 255 Profile: {3d3783a0-703a-11de-8c7a-806e6f6e6963} Logical processor count: 2 NUMA Node count: 1 Processor Core count: 2 BFEA4F29BA8F83B4F7C42D9203465C26—@ìÏ2ÂëTæ@CommandID: 1ED0B624FBB9018E4A316298A52BAA96 FileID: 6C04BC2151352FA0057F9B2C8451CB12 FileName: C:\Users\test22\AppData\Local\Temp\1ED0B624FBB9018E4A316298A52BAA96.zip FileSize: 256 PackSize: 256 Log: FileList: C:\Users\test22\Desktop\readme.txt - 10
hash_handle: 0x00333e88
flags: 0
1 1 0

CryptHashData

buffer: BFEA4F29BA8F83B4F7C42D9203465C26—@ìúÿÀëTæ@L User: test22 OS: Windows 7 Service Pack 1 (Version 6.1, Build 7601, 64-bit Edition) Computer: TEST22-PC Local_Country: Korea Language: Korean Desktop: 1024x768x32 Uptime: 0d 6h 41m HDDs: C(12692mb/32665mb) Browsers: Firefox=105.0.1.0 IE=9.0.8112.16684 Chrome=65.0.3325.181 Processes: C:\Windows\System32\smss.exe C:\Windows\System32\csrss.exe C:\Windows\System32\wininit.exe C:\Windows\System32\winlogon.exe C:\Windows\System32\services.exe C:\Windows\System32\lsass.exe C:\Windows\System32\lsm.exe C:\Windows\System32\svchost.exe C:\Windows\System32\spoolsv.exe C:\Windows\SysWOW64\srvany.exe C:\Windows\KMService.exe C:\Windows\System32\conhost.exe C:\Windows\System32\taskhost.exe C:\Windows\System32\sppsvc.exe C:\Windows\System32\dwm.exe C:\Windows\explorer.exe C:\Python27\pw.exe C:\Windows\System32\SearchIndexer.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\wbem\WmiPrvSE.exe Default browser: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome Installed path: C:\PROGRAM FILES (X86)\EDITPLUS\REMOVE.EXE "C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\OFFICE12\OFFICE SETUP CONTROLLER\SETUP.EXE "C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\65.0.3325.181\INSTALLER\SETUP.EXE MSIEXEC /I {1D91F7DA-F517-4727-9E62-B7EA978BE980} C:\PROGRAM FILES (X86)\_HTTPWATCH\UNINSTALL.EXE MSIEXEC.EXE "C:\PROGRAMDATA\PACKAGE CACHE\{D992C12E-CAB2-426F-BDE3-FB8C53950B0D}\VC_REDIST.X64.EXE Installed names: EditPlus ENTERPRISE Google Chrome Haansoft HWord 80 Korean {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} {90120000-0015-0412-0000-0000000FF1CE} {90120000-0016-0412-0000-0000000FF1CE} {90120000-0018-0412-0000-0000000FF1CE} {90120000-0019-0412-0000-0000000FF1CE} {90120000-001A-0412-0000-0000000FF1CE} {90120000-001B-0412-0000-0000000FF1CE} {90120000-001F-0409-0000-0000000FF1CE} {90120000-001F-0412-0000-0000000FF1CE} 
{90120000-0028-0412-0000-0000000FF1CE} {90120000-002C-0412-0000-0000000FF1CE} {90120000-0030-0000-0000-0000000FF1CE} {90120000-0044-0412-0000-0000000FF1CE} {90120000-006E-0409-0000-0000000FF1CE} {90120000-006E-0412-0000-0000000FF1CE} {90120000-00A1-0412-0000-0000000FF1CE} {90120000-00BA-0409-0000-0000000FF1CE} {90120000-0114-0412-0000-0000000FF1CE} {939659F3-71D2-461F-B24D-91D05A4389B4} {9B84A461-3B4C-40E2-B44F-CE22E215EE40} {d992c12e-cab2-426f-bde3-fb8c53950b0d} OS Name: Microsoft Windows 7 Professional KN OS Version: 6.1.7601 Build 7601 System Manufacturer: innotek GmbH System Model: VirtualBox System Type: x64-based PC Processor Name: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz Total Physical Memory: 5,120 MB Network Card [1]: Name: Connection Name: Status: DHCP Enabled: DHCP Server: IP address: MAC Address: 94:DE:27:8C:32:74 Mute: 0 Volume: 67 Wifi: Error Bluetooth: Error Printer: Error Wallpaper: 0 Tray: 2 SystemHiddenFiles: Error BiosTime: 03/19/25 08:48:55 IsBattery: 0 PowerLevel: 255 Profile: {3d3783a0-703a-11de-8c7a-806e6f6e6963} Logical processor count: 2 NUMA Node count: 1 Processor Core count: 2 BFEA4F29BA8F83B4F7C42D9203465C26—@ìÏ2ÂëTæ@CommandID: 1ED0B624FBB9018E4A316298A52BAA96 FileID: 6C04BC2151352FA0057F9B2C8451CB12 FileName: C:\Users\test22\AppData\Local\Temp\1ED0B624FBB9018E4A316298A52BAA96.zip FileSize: 256 PackSize: 256 Log: FileList: C:\Users\test22\Desktop\readme.txt - 10
hash_handle: 0x00333e88
flags: 0
1 1 0

CryptHashData

buffer: BFEA4F29BA8F83B4F7C42D9203465C26—@ìúÿÀëTæ@L User: test22 OS: Windows 7 Service Pack 1 (Version 6.1, Build 7601, 64-bit Edition) Computer: TEST22-PC Local_Country: Korea Language: Korean Desktop: 1024x768x32 Uptime: 0d 6h 41m HDDs: C(12692mb/32665mb) Browsers: Firefox=105.0.1.0 IE=9.0.8112.16684 Chrome=65.0.3325.181 Processes: C:\Windows\System32\smss.exe C:\Windows\System32\csrss.exe C:\Windows\System32\wininit.exe C:\Windows\System32\winlogon.exe C:\Windows\System32\services.exe C:\Windows\System32\lsass.exe C:\Windows\System32\lsm.exe C:\Windows\System32\svchost.exe C:\Windows\System32\spoolsv.exe C:\Windows\SysWOW64\srvany.exe C:\Windows\KMService.exe C:\Windows\System32\conhost.exe C:\Windows\System32\taskhost.exe C:\Windows\System32\sppsvc.exe C:\Windows\System32\dwm.exe C:\Windows\explorer.exe C:\Python27\pw.exe C:\Windows\System32\SearchIndexer.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\wbem\WmiPrvSE.exe Default browser: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome Installed path: C:\PROGRAM FILES (X86)\EDITPLUS\REMOVE.EXE "C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\OFFICE12\OFFICE SETUP CONTROLLER\SETUP.EXE "C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\65.0.3325.181\INSTALLER\SETUP.EXE MSIEXEC /I {1D91F7DA-F517-4727-9E62-B7EA978BE980} C:\PROGRAM FILES (X86)\_HTTPWATCH\UNINSTALL.EXE MSIEXEC.EXE "C:\PROGRAMDATA\PACKAGE CACHE\{D992C12E-CAB2-426F-BDE3-FB8C53950B0D}\VC_REDIST.X64.EXE Installed names: EditPlus ENTERPRISE Google Chrome Haansoft HWord 80 Korean {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} {90120000-0015-0412-0000-0000000FF1CE} {90120000-0016-0412-0000-0000000FF1CE} {90120000-0018-0412-0000-0000000FF1CE} {90120000-0019-0412-0000-0000000FF1CE} {90120000-001A-0412-0000-0000000FF1CE} {90120000-001B-0412-0000-0000000FF1CE} {90120000-001F-0409-0000-0000000FF1CE} {90120000-001F-0412-0000-0000000FF1CE} 
{90120000-0028-0412-0000-0000000FF1CE} {90120000-002C-0412-0000-0000000FF1CE} {90120000-0030-0000-0000-0000000FF1CE} {90120000-0044-0412-0000-0000000FF1CE} {90120000-006E-0409-0000-0000000FF1CE} {90120000-006E-0412-0000-0000000FF1CE} {90120000-00A1-0412-0000-0000000FF1CE} {90120000-00BA-0409-0000-0000000FF1CE} {90120000-0114-0412-0000-0000000FF1CE} {939659F3-71D2-461F-B24D-91D05A4389B4} {9B84A461-3B4C-40E2-B44F-CE22E215EE40} {d992c12e-cab2-426f-bde3-fb8c53950b0d} OS Name: Microsoft Windows 7 Professional KN OS Version: 6.1.7601 Build 7601 System Manufacturer: innotek GmbH System Model: VirtualBox System Type: x64-based PC Processor Name: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz Total Physical Memory: 5,120 MB Network Card [1]: Name: Connection Name: Status: DHCP Enabled: DHCP Server: IP address: MAC Address: 94:DE:27:8C:32:74 Mute: 0 Volume: 67 Wifi: Error Bluetooth: Error Printer: Error Wallpaper: 0 Tray: 2 SystemHiddenFiles: Error BiosTime: 03/19/25 08:48:55 IsBattery: 0 PowerLevel: 255 Profile: {3d3783a0-703a-11de-8c7a-806e6f6e6963} Logical processor count: 2 NUMA Node count: 1 Processor Core count: 2 BFEA4F29BA8F83B4F7C42D9203465C26—@ìÏ2ÂëTæ@CommandID: 1ED0B624FBB9018E4A316298A52BAA96 FileID: 6C04BC2151352FA0057F9B2C8451CB12 FileName: C:\Users\test22\AppData\Local\Temp\1ED0B624FBB9018E4A316298A52BAA96.zip FileSize: 256 PackSize: 256 Log: FileList: C:\Users\test22\Desktop\readme.txt - 10
hash_handle: 0x00333e88
flags: 0
1 1 0

CryptHashData

buffer: BFEA4F29BA8F83B4F7C42D9203465C26—@ìúÿÀëTæ@L User: test22 OS: Windows 7 Service Pack 1 (Version 6.1, Build 7601, 64-bit Edition) Computer: TEST22-PC Local_Country: Korea Language: Korean Desktop: 1024x768x32 Uptime: 0d 6h 41m HDDs: C(12692mb/32665mb) Browsers: Firefox=105.0.1.0 IE=9.0.8112.16684 Chrome=65.0.3325.181 Processes: C:\Windows\System32\smss.exe C:\Windows\System32\csrss.exe C:\Windows\System32\wininit.exe C:\Windows\System32\winlogon.exe C:\Windows\System32\services.exe C:\Windows\System32\lsass.exe C:\Windows\System32\lsm.exe C:\Windows\System32\svchost.exe C:\Windows\System32\spoolsv.exe C:\Windows\SysWOW64\srvany.exe C:\Windows\KMService.exe C:\Windows\System32\conhost.exe C:\Windows\System32\taskhost.exe C:\Windows\System32\sppsvc.exe C:\Windows\System32\dwm.exe C:\Windows\explorer.exe C:\Python27\pw.exe C:\Windows\System32\SearchIndexer.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\wbem\WmiPrvSE.exe Default browser: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome Installed path: C:\PROGRAM FILES (X86)\EDITPLUS\REMOVE.EXE "C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\OFFICE12\OFFICE SETUP CONTROLLER\SETUP.EXE "C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\65.0.3325.181\INSTALLER\SETUP.EXE MSIEXEC /I {1D91F7DA-F517-4727-9E62-B7EA978BE980} C:\PROGRAM FILES (X86)\_HTTPWATCH\UNINSTALL.EXE MSIEXEC.EXE "C:\PROGRAMDATA\PACKAGE CACHE\{D992C12E-CAB2-426F-BDE3-FB8C53950B0D}\VC_REDIST.X64.EXE Installed names: EditPlus ENTERPRISE Google Chrome Haansoft HWord 80 Korean {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} {90120000-0015-0412-0000-0000000FF1CE} {90120000-0016-0412-0000-0000000FF1CE} {90120000-0018-0412-0000-0000000FF1CE} {90120000-0019-0412-0000-0000000FF1CE} {90120000-001A-0412-0000-0000000FF1CE} {90120000-001B-0412-0000-0000000FF1CE} {90120000-001F-0409-0000-0000000FF1CE} {90120000-001F-0412-0000-0000000FF1CE} 
{90120000-0028-0412-0000-0000000FF1CE} {90120000-002C-0412-0000-0000000FF1CE} {90120000-0030-0000-0000-0000000FF1CE} {90120000-0044-0412-0000-0000000FF1CE} {90120000-006E-0409-0000-0000000FF1CE} {90120000-006E-0412-0000-0000000FF1CE} {90120000-00A1-0412-0000-0000000FF1CE} {90120000-00BA-0409-0000-0000000FF1CE} {90120000-0114-0412-0000-0000000FF1CE} {939659F3-71D2-461F-B24D-91D05A4389B4} {9B84A461-3B4C-40E2-B44F-CE22E215EE40} {d992c12e-cab2-426f-bde3-fb8c53950b0d} OS Name: Microsoft Windows 7 Professional KN OS Version: 6.1.7601 Build 7601 System Manufacturer: innotek GmbH System Model: VirtualBox System Type: x64-based PC Processor Name: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz Total Physical Memory: 5,120 MB Network Card [1]: Name: Connection Name: Status: DHCP Enabled: DHCP Server: IP address: MAC Address: 94:DE:27:8C:32:74 Mute: 0 Volume: 67 Wifi: Error Bluetooth: Error Printer: Error Wallpaper: 0 Tray: 2 SystemHiddenFiles: Error BiosTime: 03/19/25 08:48:55 IsBattery: 0 PowerLevel: 255 Profile: {3d3783a0-703a-11de-8c7a-806e6f6e6963} Logical processor count: 2 NUMA Node count: 1 Processor Core count: 2 BFEA4F29BA8F83B4F7C42D9203465C26—@ìÏ2ÂëTæ@CommandID: 1ED0B624FBB9018E4A316298A52BAA96 FileID: 6C04BC2151352FA0057F9B2C8451CB12 FileName: C:\Users\test22\AppData\Local\Temp\1ED0B624FBB9018E4A316298A52BAA96.zip FileSize: 256 PackSize: 256 Log: FileList: C:\Users\test22\Desktop\readme.txt - 10
hash_handle: 0x00333e88
flags: 0
1 1 0

CryptHashData

buffer: BFEA4F29BA8F83B4F7C42D9203465C26—@ìúÿÀëTæ@L User: test22 OS: Windows 7 Service Pack 1 (Version 6.1, Build 7601, 64-bit Edition) Computer: TEST22-PC Local_Country: Korea Language: Korean Desktop: 1024x768x32 Uptime: 0d 6h 41m HDDs: C(12692mb/32665mb) Browsers: Firefox=105.0.1.0 IE=9.0.8112.16684 Chrome=65.0.3325.181 Processes: C:\Windows\System32\smss.exe C:\Windows\System32\csrss.exe C:\Windows\System32\wininit.exe C:\Windows\System32\winlogon.exe C:\Windows\System32\services.exe C:\Windows\System32\lsass.exe C:\Windows\System32\lsm.exe C:\Windows\System32\svchost.exe C:\Windows\System32\spoolsv.exe C:\Windows\SysWOW64\srvany.exe C:\Windows\KMService.exe C:\Windows\System32\conhost.exe C:\Windows\System32\taskhost.exe C:\Windows\System32\sppsvc.exe C:\Windows\System32\dwm.exe C:\Windows\explorer.exe C:\Python27\pw.exe C:\Windows\System32\SearchIndexer.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\wbem\WmiPrvSE.exe Default browser: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome Installed path: C:\PROGRAM FILES (X86)\EDITPLUS\REMOVE.EXE "C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\OFFICE12\OFFICE SETUP CONTROLLER\SETUP.EXE "C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\65.0.3325.181\INSTALLER\SETUP.EXE MSIEXEC /I {1D91F7DA-F517-4727-9E62-B7EA978BE980} C:\PROGRAM FILES (X86)\_HTTPWATCH\UNINSTALL.EXE MSIEXEC.EXE "C:\PROGRAMDATA\PACKAGE CACHE\{D992C12E-CAB2-426F-BDE3-FB8C53950B0D}\VC_REDIST.X64.EXE Installed names: EditPlus ENTERPRISE Google Chrome Haansoft HWord 80 Korean {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} {90120000-0015-0412-0000-0000000FF1CE} {90120000-0016-0412-0000-0000000FF1CE} {90120000-0018-0412-0000-0000000FF1CE} {90120000-0019-0412-0000-0000000FF1CE} {90120000-001A-0412-0000-0000000FF1CE} {90120000-001B-0412-0000-0000000FF1CE} {90120000-001F-0409-0000-0000000FF1CE} {90120000-001F-0412-0000-0000000FF1CE} 
{90120000-0028-0412-0000-0000000FF1CE} {90120000-002C-0412-0000-0000000FF1CE} {90120000-0030-0000-0000-0000000FF1CE} {90120000-0044-0412-0000-0000000FF1CE} {90120000-006E-0409-0000-0000000FF1CE} {90120000-006E-0412-0000-0000000FF1CE} {90120000-00A1-0412-0000-0000000FF1CE} {90120000-00BA-0409-0000-0000000FF1CE} {90120000-0114-0412-0000-0000000FF1CE} {939659F3-71D2-461F-B24D-91D05A4389B4} {9B84A461-3B4C-40E2-B44F-CE22E215EE40} {d992c12e-cab2-426f-bde3-fb8c53950b0d} OS Name: Microsoft Windows 7 Professional KN OS Version: 6.1.7601 Build 7601 System Manufacturer: innotek GmbH System Model: VirtualBox System Type: x64-based PC Processor Name: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz Total Physical Memory: 5,120 MB Network Card [1]: Name: Connection Name: Status: DHCP Enabled: DHCP Server: IP address: MAC Address: 94:DE:27:8C:32:74 Mute: 0 Volume: 67 Wifi: Error Bluetooth: Error Printer: Error Wallpaper: 0 Tray: 2 SystemHiddenFiles: Error BiosTime: 03/19/25 08:48:55 IsBattery: 0 PowerLevel: 255 Profile: {3d3783a0-703a-11de-8c7a-806e6f6e6963} Logical processor count: 2 NUMA Node count: 1 Processor Core count: 2 BFEA4F29BA8F83B4F7C42D9203465C26—@ìÏ2ÂëTæ@CommandID: 1ED0B624FBB9018E4A316298A52BAA96 FileID: 6C04BC2151352FA0057F9B2C8451CB12 FileName: C:\Users\test22\AppData\Local\Temp\1ED0B624FBB9018E4A316298A52BAA96.zip FileSize: 256 PackSize: 256 Log: FileList: C:\Users\test22\Desktop\readme.txt - 10
hash_handle: 0x00333e88
flags: 0
1 1 0

CryptHashData

buffer: BFEA4F29BA8F83B4F7C42D9203465C26—@ìúÿÀëTæ@L User: test22 OS: Windows 7 Service Pack 1 (Version 6.1, Build 7601, 64-bit Edition) Computer: TEST22-PC Local_Country: Korea Language: Korean Desktop: 1024x768x32 Uptime: 0d 6h 41m HDDs: C(12692mb/32665mb) Browsers: Firefox=105.0.1.0 IE=9.0.8112.16684 Chrome=65.0.3325.181 Processes: C:\Windows\System32\smss.exe C:\Windows\System32\csrss.exe C:\Windows\System32\wininit.exe C:\Windows\System32\winlogon.exe C:\Windows\System32\services.exe C:\Windows\System32\lsass.exe C:\Windows\System32\lsm.exe C:\Windows\System32\svchost.exe C:\Windows\System32\spoolsv.exe C:\Windows\SysWOW64\srvany.exe C:\Windows\KMService.exe C:\Windows\System32\conhost.exe C:\Windows\System32\taskhost.exe C:\Windows\System32\sppsvc.exe C:\Windows\System32\dwm.exe C:\Windows\explorer.exe C:\Python27\pw.exe C:\Windows\System32\SearchIndexer.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\wbem\WmiPrvSE.exe Default browser: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome Installed path: C:\PROGRAM FILES (X86)\EDITPLUS\REMOVE.EXE "C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\OFFICE12\OFFICE SETUP CONTROLLER\SETUP.EXE "C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\65.0.3325.181\INSTALLER\SETUP.EXE MSIEXEC /I {1D91F7DA-F517-4727-9E62-B7EA978BE980} C:\PROGRAM FILES (X86)\_HTTPWATCH\UNINSTALL.EXE MSIEXEC.EXE "C:\PROGRAMDATA\PACKAGE CACHE\{D992C12E-CAB2-426F-BDE3-FB8C53950B0D}\VC_REDIST.X64.EXE Installed names: EditPlus ENTERPRISE Google Chrome Haansoft HWord 80 Korean {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} {90120000-0015-0412-0000-0000000FF1CE} {90120000-0016-0412-0000-0000000FF1CE} {90120000-0018-0412-0000-0000000FF1CE} {90120000-0019-0412-0000-0000000FF1CE} {90120000-001A-0412-0000-0000000FF1CE} {90120000-001B-0412-0000-0000000FF1CE} {90120000-001F-0409-0000-0000000FF1CE} {90120000-001F-0412-0000-0000000FF1CE} 
{90120000-0028-0412-0000-0000000FF1CE} {90120000-002C-0412-0000-0000000FF1CE} {90120000-0030-0000-0000-0000000FF1CE} {90120000-0044-0412-0000-0000000FF1CE} {90120000-006E-0409-0000-0000000FF1CE} {90120000-006E-0412-0000-0000000FF1CE} {90120000-00A1-0412-0000-0000000FF1CE} {90120000-00BA-0409-0000-0000000FF1CE} {90120000-0114-0412-0000-0000000FF1CE} {939659F3-71D2-461F-B24D-91D05A4389B4} {9B84A461-3B4C-40E2-B44F-CE22E215EE40} {d992c12e-cab2-426f-bde3-fb8c53950b0d} OS Name: Microsoft Windows 7 Professional KN OS Version: 6.1.7601 Build 7601 System Manufacturer: innotek GmbH System Model: VirtualBox System Type: x64-based PC Processor Name: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz Total Physical Memory: 5,120 MB Network Card [1]: Name: Connection Name: Status: DHCP Enabled: DHCP Server: IP address: MAC Address: 94:DE:27:8C:32:74 Mute: 0 Volume: 67 Wifi: Error Bluetooth: Error Printer: Error Wallpaper: 0 Tray: 2 SystemHiddenFiles: Error BiosTime: 03/19/25 08:48:55 IsBattery: 0 PowerLevel: 255 Profile: {3d3783a0-703a-11de-8c7a-806e6f6e6963} Logical processor count: 2 NUMA Node count: 1 Processor Core count: 2 BFEA4F29BA8F83B4F7C42D9203465C26—@ìÏ2ÂëTæ@CommandID: 1ED0B624FBB9018E4A316298A52BAA96 FileID: 6C04BC2151352FA0057F9B2C8451CB12 FileName: C:\Users\test22\AppData\Local\Temp\1ED0B624FBB9018E4A316298A52BAA96.zip FileSize: 256 PackSize: 256 Log: FileList: C:\Users\test22\Desktop\readme.txt - 10
hash_handle: 0x00333e88
flags: 0
1 1 0

CryptHashData

buffer: BFEA4F29BA8F83B4F7C42D9203465C26—@ìúÿÀëTæ@L User: test22 OS: Windows 7 Service Pack 1 (Version 6.1, Build 7601, 64-bit Edition) Computer: TEST22-PC Local_Country: Korea Language: Korean Desktop: 1024x768x32 Uptime: 0d 6h 41m HDDs: C(12692mb/32665mb) Browsers: Firefox=105.0.1.0 IE=9.0.8112.16684 Chrome=65.0.3325.181 Processes: C:\Windows\System32\smss.exe C:\Windows\System32\csrss.exe C:\Windows\System32\wininit.exe C:\Windows\System32\winlogon.exe C:\Windows\System32\services.exe C:\Windows\System32\lsass.exe C:\Windows\System32\lsm.exe C:\Windows\System32\svchost.exe C:\Windows\System32\spoolsv.exe C:\Windows\SysWOW64\srvany.exe C:\Windows\KMService.exe C:\Windows\System32\conhost.exe C:\Windows\System32\taskhost.exe C:\Windows\System32\sppsvc.exe C:\Windows\System32\dwm.exe C:\Windows\explorer.exe C:\Python27\pw.exe C:\Windows\System32\SearchIndexer.exe C:\Windows\SysWOW64\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\wbem\WmiPrvSE.exe Default browser: "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome Installed path: C:\PROGRAM FILES (X86)\EDITPLUS\REMOVE.EXE "C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\OFFICE12\OFFICE SETUP CONTROLLER\SETUP.EXE "C:\PROGRAM FILES (X86)\GOOGLE\CHROME\APPLICATION\65.0.3325.181\INSTALLER\SETUP.EXE MSIEXEC /I {1D91F7DA-F517-4727-9E62-B7EA978BE980} C:\PROGRAM FILES (X86)\_HTTPWATCH\UNINSTALL.EXE MSIEXEC.EXE "C:\PROGRAMDATA\PACKAGE CACHE\{D992C12E-CAB2-426F-BDE3-FB8C53950B0D}\VC_REDIST.X64.EXE Installed names: EditPlus ENTERPRISE Google Chrome Haansoft HWord 80 Korean {01B845D4-B73E-4CF7-A377-94BC7BB4F77B} {60EC980A-BDA2-4CB6-A427-B07A5498B4CA} {90120000-0015-0412-0000-0000000FF1CE} {90120000-0016-0412-0000-0000000FF1CE} {90120000-0018-0412-0000-0000000FF1CE} {90120000-0019-0412-0000-0000000FF1CE} {90120000-001A-0412-0000-0000000FF1CE} {90120000-001B-0412-0000-0000000FF1CE} {90120000-001F-0409-0000-0000000FF1CE} {90120000-001F-0412-0000-0000000FF1CE} 
{90120000-0028-0412-0000-0000000FF1CE} {90120000-002C-0412-0000-0000000FF1CE} {90120000-0030-0000-0000-0000000FF1CE} {90120000-0044-0412-0000-0000000FF1CE} {90120000-006E-0409-0000-0000000FF1CE} {90120000-006E-0412-0000-0000000FF1CE} {90120000-00A1-0412-0000-0000000FF1CE} {90120000-00BA-0409-0000-0000000FF1CE} {90120000-0114-0412-0000-0000000FF1CE} {939659F3-71D2-461F-B24D-91D05A4389B4} {9B84A461-3B4C-40E2-B44F-CE22E215EE40} {d992c12e-cab2-426f-bde3-fb8c53950b0d} OS Name: Microsoft Windows 7 Professional KN OS Version: 6.1.7601 Build 7601 System Manufacturer: innotek GmbH System Model: VirtualBox System Type: x64-based PC Processor Name: Intel(R) Core(TM) i5-8400 CPU @ 2.80GHz Total Physical Memory: 5,120 MB Network Card [1]: Name: Connection Name: Status: DHCP Enabled: DHCP Server: IP address: MAC Address: 94:DE:27:8C:32:74 Mute: 0 Volume: 67 Wifi: Error Bluetooth: Error Printer: Error Wallpaper: 0 Tray: 2 SystemHiddenFiles: Error BiosTime: 03/19/25 08:48:55 IsBattery: 0 PowerLevel: 255 Profile: {3d3783a0-703a-11de-8c7a-806e6f6e6963} Logical processor count: 2 NUMA Node count: 1 Processor Core count: 2 BFEA4F29BA8F83B4F7C42D9203465C26—@ìÏ2ÂëTæ@CommandID: 1ED0B624FBB9018E4A316298A52BAA96 FileID: 6C04BC2151352FA0057F9B2C8451CB12 FileName: C:\Users\test22\AppData\Local\Temp\1ED0B624FBB9018E4A316298A52BAA96.zip FileSize: 256 PackSize: 256 Log: FileList: C:\Users\test22\Desktop\readme.txt - 10
hash_handle: 0x00333e88
flags: 0
1 1 0

Process injection Process 2552 resumed a thread in remote process 2988
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000434
suspend_count: 1
process_identifier: 2988
1 0 0
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x00000298
suspend_count: 1
process_identifier: 2552
1 0 0

NtResumeThread

thread_handle: 0x0000028c
suspend_count: 1
process_identifier: 2552
1 0 0

NtResumeThread

thread_handle: 0x000002b8
suspend_count: 1
process_identifier: 2552
1 0 0

NtResumeThread

thread_handle: 0x000002b0
suspend_count: 1
process_identifier: 2552
1 0 0

NtResumeThread

thread_handle: 0x000002cc
suspend_count: 1
process_identifier: 2552
1 0 0

CreateProcessInternalW

thread_identifier: 2868
thread_handle: 0x000003c4
process_identifier: 2864
current_directory:
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\wininet.dll",DispatchAPICall 1
filepath_r: C:\Windows\system32\rundll32.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000003c8
1 1 0

NtResumeThread

thread_handle: 0x000003fc
suspend_count: 1
process_identifier: 2552
1 0 0

NtResumeThread

thread_handle: 0x00000404
suspend_count: 1
process_identifier: 2552
1 0 0

CreateProcessInternalW

thread_identifier: 2952
thread_handle: 0x000003d0
process_identifier: 2948
current_directory:
filepath: C:\Windows\System32\rundll32.exe
track: 1
command_line: "C:\Windows\system32\rundll32.exe" "C:\Windows\syswow64\wininet.dll",DispatchAPICall 1
filepath_r: C:\Windows\system32\rundll32.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 0
process_handle: 0x000003cc
1 1 0

NtResumeThread

thread_handle: 0x000003b8
suspend_count: 1
process_identifier: 2552
1 0 0

CreateProcessInternalW

thread_identifier: 2992
thread_handle: 0x00000434
process_identifier: 2988
current_directory:
filepath:
track: 1
command_line: "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
inherit_handles: 0
process_handle: 0x00000428
1 1 0

NtAllocateVirtualMemory

process_identifier: 2988
region_size: 2260992
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00280000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0x00000444
1 0 0

WriteProcessMemory

buffer:
base_address: 0x00280000
process_identifier: 2988
process_handle: 0x00000444
1 1 0

NtResumeThread

thread_handle: 0x00000434
suspend_count: 1
process_identifier: 2988
1 0 0

CreateProcessInternalW

thread_identifier: 2260
thread_handle: 0x000005c0
process_identifier: 2256
current_directory: C:\Program Files (x86)\Google\Chrome\Application
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: --restore-last-session --remote-debugging-port=9223 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --profile-directory="Default"
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 0 ()
inherit_handles: 4294967295
process_handle: 0x000005b8
1 1 0

CreateProcessInternalW

thread_identifier: 2464
thread_handle: 0x00000000000000a0
process_identifier: 2456
current_directory:
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=65.0.3325.181 --initial-client-data=0x90,0x94,0x98,0x8c,0x9c,0x7fef496f1e8,0x7fef496f1f8,0x7fef496f208
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000000000000a4
1 1 0

CreateProcessInternalW

thread_identifier: 2584
thread_handle: 0x0000000000000140
process_identifier: 2592
current_directory:
filepath:
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2260 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
filepath_r:
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000144
1 1 0

CreateProcessInternalW

thread_identifier: 2656
thread_handle: 0x0000000000000164
process_identifier: 2652
current_directory:
filepath: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
track: 1
command_line: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\test22\AppData\Local\Temp --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod= --annotation=ver= --initial-client-data=0x154,0x158,0x15c,0x150,0x160,0x7fef3dd7218,0x7fef3dd7228,0x7fef3dd7238
filepath_r: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000000000000168
1 1 0

NtResumeThread

thread_handle: 0x00000000000000dc
suspend_count: 1
process_identifier: 2456
1 0 0

NtResumeThread

thread_handle: 0x00000000000000c8
suspend_count: 1
process_identifier: 2652
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.Danabot.i!c
Cynet Malicious (score: 100)
Skyhigh BehavesLike.Win32.Generic.tc
ALYac Gen:Variant.Jaik.274641
Cylance Unsafe
VIPRE Gen:Variant.Jaik.274641
CrowdStrike win/malicious_confidence_90% (W)
BitDefender Gen:Variant.Jaik.274641
Arcabit Trojan.Jaik.D430D1
Symantec ML.Attribute.HighConfidence
Elastic Windows.Generic.Threat
ESET-NOD32 a variant of Win32/GenKryptik.HHJB
APEX Malicious
Avast MSIL:AgentTesla-D [Pws]
Kaspersky Trojan-PSW.Win32.Stealer.cntg
MicroWorld-eScan Gen:Variant.Jaik.274641
Rising Spyware.Danabot!8.FADB (CLOUD)
Emsisoft Gen:Variant.Jaik.274641 (B)
TrendMicro Trojan.Win32.DANABOT.YXFCRZ
McAfeeD ti!46A1EEC81E8B
CTX dll.trojan.generic
Sophos Mal/Generic-S
SentinelOne Static AI - Malicious PE
FireEye Generic.mg.8d252f7a6ff4f929
Avira TR/Redcap.hafkx
Antiy-AVL Trojan/Win32.Danabot
Gridinsoft Trojan.Win32.Agent.sa
Microsoft Trojan:Win32/Danabot.A!MTB
GData Gen:Variant.Jaik.274641
Varist W32/ABRisk.MVDG-2440
McAfee Artemis!8D252F7A6FF4
DeepInstinct MALICIOUS
Malwarebytes Generic.Malware.AI.DDS
Ikarus Trojan.Win32.Danabot
TrendMicro-HouseCall Trojan.Win32.DANABOT.YXFCRZ
huorong TrojanSpy/Danabot.h
Fortinet W32/PossibleThreat
AVG MSIL:AgentTesla-D [Pws]
alibabacloud Trojan:Win/Danabot.A9OKG