1dd788c0...ee50 | Grouped Behavior
VTI SCORE: 93/100
Target: win10_64 | exe
Classification: Riskware, Keylogger, Trojan

1dd788c038b4d8d2d3302d7a33162322d0896c7d17888e2fa34204b66c9aee50 (SHA256)

gabkrj.jpg.exe

Windows Exe (x86-32)

Created at 2018-04-03 14:29:00

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x66c Analysis Target High (Elevated) gabkrj.jpg.exe "C:\Users\CIiHmnxMn6Ps\Desktop\gabkrj.jpg.exe" -
#2 0xe44 Child Process High (Elevated) explorer.exe "C:\Windows\System32\explorer.exe" /c select, C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe #1
#3 0xe78 RPC Server Medium explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding #2
#4 0xe98 Child Process Medium vfggggg.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe" #3
#5 0xec8 Child Process Medium vfggggg.exe "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe" #4

Behavior Information - Grouped by Category

Process #1: gabkrj.jpg.exe
207 0
Information Value
ID #1
File Name c:\users\ciihmnxmn6ps\desktop\gabkrj.jpg.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\gabkrj.jpg.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:22, Reason: Analysis Target
Unmonitor End Time: 00:02:22, Reason: Terminated by Timeout
Monitor Duration 00:02:00
OS Process Information
Information Value
PID 0x66c
Parent PID 0x5dc (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xAD4, 0xC10, 0xC48, 0xC4C, 0xC50, 0xC7C, 0xC80, 0xE24, 0xE2C, 0xE30, 0xE34, 0xE3C, 0xE40
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
gabkrj.jpg.exe 0x001e0000 0x002d1fff Memory Mapped File Readable, Writable, Executable True True False
private_0x00000000002e0000 0x002e0000 0x002fffff Private Memory Readable, Writable True False False -
pagefile_0x00000000002e0000 0x002e0000 0x002effff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000002f0000 0x002f0000 0x002f3fff Private Memory Readable, Writable True False False -
private_0x0000000000300000 0x00300000 0x00300fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000310000 0x00310000 0x00323fff Pagefile Backed Memory Readable True False False -
private_0x0000000000330000 0x00330000 0x0036ffff Private Memory Readable, Writable True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000470000 0x00470000 0x00473fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000480000 0x00480000 0x00480fff Pagefile Backed Memory Readable True False False -
private_0x0000000000490000 0x00490000 0x00491fff Private Memory Readable, Writable True False False -
private_0x00000000004a0000 0x004a0000 0x004dffff Private Memory Readable, Writable True False False -
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory Readable, Writable True False False -
locale.nls 0x004f0000 0x005adfff Memory Mapped File Readable False False False -
private_0x00000000005b0000 0x005b0000 0x005b0fff Private Memory Readable, Writable True False False -
pagefile_0x00000000005c0000 0x005c0000 0x005c0fff Pagefile Backed Memory Readable True False False -
private_0x00000000005d0000 0x005d0000 0x0060ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000610000 0x00610000 0x00610fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000620000 0x00620000 0x00620fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000630000 0x00630000 0x0063ffff Private Memory - True False False -
private_0x0000000000640000 0x00640000 0x0064ffff Private Memory Readable, Writable True False False -
private_0x0000000000650000 0x00650000 0x0065ffff Private Memory - True False False -
private_0x0000000000660000 0x00660000 0x0066ffff Private Memory - True False False -
private_0x0000000000670000 0x00670000 0x0076ffff Private Memory Readable, Writable True False False -
private_0x0000000000770000 0x00770000 0x0086ffff Private Memory Readable, Writable True False False -
private_0x0000000000870000 0x00870000 0x0096ffff Private Memory Readable, Writable True False False -
private_0x0000000000970000 0x00970000 0x0097ffff Private Memory - True False False -
private_0x0000000000980000 0x00980000 0x0098ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000990000 0x00990000 0x00b17fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000b20000 0x00b20000 0x00ca0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000cb0000 0x00cb0000 0x020affff Pagefile Backed Memory Readable True False False -
private_0x00000000020b0000 0x020b0000 0x020bffff Private Memory - True False False -
private_0x00000000020c0000 0x020c0000 0x020cffff Private Memory - True False False -
pagefile_0x00000000020d0000 0x020d0000 0x020d0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000020e0000 0x020e0000 0x020effff Private Memory Readable, Writable True False False -
private_0x00000000020f0000 0x020f0000 0x0212ffff Private Memory Readable, Writable True False False -
private_0x0000000002130000 0x02130000 0x0222ffff Private Memory Readable, Writable True False False -
private_0x0000000002230000 0x02230000 0x0226ffff Private Memory Readable, Writable True False False -
private_0x0000000002270000 0x02270000 0x0227ffff Private Memory Readable, Writable, Executable True False False -
sortdefault.nls 0x02280000 0x025b6fff Memory Mapped File Readable False False False -
private_0x00000000025c0000 0x025c0000 0x045bffff Private Memory Readable, Writable True False False -
private_0x00000000045c0000 0x045c0000 0x0465ffff Private Memory Readable, Writable True False False -
private_0x00000000045c0000 0x045c0000 0x045cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000045d0000 0x045d0000 0x045d1fff Pagefile Backed Memory Readable True False False -
private_0x00000000045e0000 0x045e0000 0x0462ffff Private Memory Readable, Writable True False False -
private_0x00000000045e0000 0x045e0000 0x0461ffff Private Memory Readable, Writable True False False -
private_0x0000000004620000 0x04620000 0x0462ffff Private Memory Readable, Writable True False False -
private_0x0000000004630000 0x04630000 0x04633fff Private Memory Readable, Writable True False False -
private_0x0000000004640000 0x04640000 0x04643fff Private Memory Readable, Writable True False False -
pagefile_0x0000000004650000 0x04650000 0x04650fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000004650000 0x04650000 0x04653fff Pagefile Backed Memory Readable True False False -
private_0x0000000004660000 0x04660000 0x0475ffff Private Memory Readable, Writable True False False -
l_intl.nls 0x04760000 0x04762fff Memory Mapped File Readable False False False -
pagefile_0x0000000004770000 0x04770000 0x04770fff Pagefile Backed Memory Readable True False False -
private_0x0000000004780000 0x04780000 0x0478ffff Private Memory Readable, Writable True False False -
private_0x0000000004790000 0x04790000 0x0479ffff Private Memory - True False False -
private_0x00000000047a0000 0x047a0000 0x047affff Private Memory - True False False -
private_0x00000000047b0000 0x047b0000 0x057affff Private Memory Readable, Writable True False False -
private_0x00000000047b0000 0x047b0000 0x047bffff Private Memory Readable, Writable True False False -
private_0x00000000047b0000 0x047b0000 0x047b3fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000047c0000 0x047c0000 0x047cffff Private Memory - True False False -
private_0x00000000047d0000 0x047d0000 0x047dffff Private Memory Readable, Writable True False False -
private_0x00000000047d0000 0x047d0000 0x0493ffff Private Memory Readable, Writable, Executable True False False -
sorttbls.nlp 0x047d0000 0x047d4fff Memory Mapped File Readable False False False -
private_0x00000000047e0000 0x047e0000 0x047effff Private Memory Readable, Writable True False False -
sortkey.nlp 0x047e0000 0x04820fff Memory Mapped File Readable False False False -
pagefile_0x0000000004830000 0x04830000 0x04830fff Pagefile Backed Memory Readable True False False -
mscorrc.dll 0x04830000 0x04883fff Memory Mapped File Readable True False False -
private_0x0000000004890000 0x04890000 0x0489ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000004890000 0x04890000 0x04916fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000048a0000 0x048a0000 0x048affff Private Memory Readable, Writable True False False -
private_0x0000000004920000 0x04920000 0x0492ffff Private Memory Readable, Writable True False False -
private_0x0000000004930000 0x04930000 0x0493ffff Private Memory Readable, Writable, Executable True False False -
private_0x00000000057b0000 0x057b0000 0x058dffff Private Memory Readable, Writable True False False -
private_0x00000000058e0000 0x058e0000 0x059dffff Private Memory Readable, Writable True False False -
~fontcache-system.dat 0x059e0000 0x05a55fff Memory Mapped File Readable False False False -
private_0x0000000005a60000 0x05a60000 0x05b5ffff Private Memory Readable, Writable True False False -
~fontcache-fontface.dat 0x05b60000 0x06b5ffff Memory Mapped File Readable False False False -
private_0x0000000006b60000 0x06b60000 0x06c5ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000006c60000 0x06c60000 0x07151fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000007160000 0x07160000 0x07217fff Pagefile Backed Memory Readable True False False -
private_0x0000000007220000 0x07220000 0x0722ffff Private Memory - True False False -
private_0x0000000007230000 0x07230000 0x0726ffff Private Memory Readable, Writable True False False -
private_0x0000000007270000 0x07270000 0x0736ffff Private Memory Readable, Writable True False False -
user32.dll.mui 0x07370000 0x07374fff Memory Mapped File Readable False False False -
private_0x0000000007380000 0x07380000 0x07383fff Private Memory Readable, Writable True False False -
private_0x0000000007390000 0x07390000 0x0739ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000007390000 0x07390000 0x0739dfff Pagefile Backed Memory Readable, Writable True False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
culture.dll 0x71dc0000 0x71dc7fff Memory Mapped File Readable, Writable, Executable True False False -
rsaenh.dll 0x71dd0000 0x71dfefff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x71e00000 0x71e1afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x71e20000 0x71e32fff Memory Mapped File Readable, Writable, Executable False False False -
system.core.ni.dll 0x71e40000 0x72075fff Memory Mapped File Readable, Writable, Executable True False False -
dwrite.dll 0x72080000 0x7226ffff Memory Mapped File Readable, Writable, Executable False False False -
gdiplus.dll 0x72270000 0x723dafff Memory Mapped File Readable, Writable, Executable False False False -
system.windows.forms.ni.dll 0x723e0000 0x72fbffff Memory Mapped File Readable, Writable, Executable True False False -
system.drawing.ni.dll 0x72fc0000 0x73148fff Memory Mapped File Readable, Writable, Executable True False False -
system.ni.dll 0x73150000 0x738f2fff Memory Mapped File Readable, Writable, Executable True False False -
mscorjit.dll 0x73900000 0x7395afff Memory Mapped File Readable, Writable, Executable True False False -
mscorlib.ni.dll 0x73960000 0x74459fff Memory Mapped File Readable, Writable, Executable True False False -
msvcr80.dll 0x74460000 0x744fafff Memory Mapped File Readable, Writable, Executable False False False -
mscorwks.dll 0x74500000 0x74aaffff Memory Mapped File Readable, Writable, Executable True False False -
version.dll 0x74ab0000 0x74ab7fff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x74ac0000 0x74b37fff Memory Mapped File Readable, Writable, Executable True False False -
mscoree.dll 0x74b40000 0x74b98fff Memory Mapped File Readable, Writable, Executable True False False -
dwmapi.dll 0x74ba0000 0x74bbcfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74bc0000 0x74c34fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x74c40000 0x74cd0fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x75070000 0x7507efff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75080000 0x750c3fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x750d0000 0x755acfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x755b0000 0x7696efff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x76f60000 0x76f6bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76f70000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x77090000 0x77249fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x773d0000 0x773d5fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77430000 0x77519fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x775e0000 0x7760afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x777f0000 0x77833fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x778a0000 0x7792cfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77990000 0x77a0afff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007ee44000 0x7ee44000 0x7ee46fff Private Memory Readable, Writable True False False -
private_0x000000007ee47000 0x7ee47000 0x7ee49fff Private Memory Readable, Writable True False False -
private_0x000000007ee4a000 0x7ee4a000 0x7ee4cfff Private Memory Readable, Writable True False False -
private_0x000000007ee4d000 0x7ee4d000 0x7ee4ffff Private Memory Readable, Writable True False False -
pagefile_0x000000007ee50000 0x7ee50000 0x7ef4ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007ef50000 0x7ef50000 0x7ef72fff Pagefile Backed Memory Readable True False False -
private_0x000000007ef74000 0x7ef74000 0x7ef74fff Private Memory Readable, Writable True False False -
private_0x000000007ef76000 0x7ef76000 0x7ef76fff Private Memory Readable, Writable True False False -
private_0x000000007ef77000 0x7ef77000 0x7ef79fff Private Memory Readable, Writable True False False -
private_0x000000007ef7a000 0x7ef7a000 0x7ef7cfff Private Memory Readable, Writable True False False -
private_0x000000007ef7d000 0x7ef7d000 0x7ef7ffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7ffc03e6ffff Private Memory Readable True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 71 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match
c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe 930.50 KB MD5: b4f28747a0a9317123f0ef109c580844 SHA1: 295fee553b1e703722cd1923697284bac3061190 SHA256: 1dd788c038b4d8d2d3302d7a33162322d0896c7d17888e2fa34204b66c9aee50 YARA Match: False
c:\users\ciihmnxmn6ps\appdata\local\microsoft\clr_v2.0_32\usagelogs\gabkrj.jpg.exe.log 0.49 KB MD5: fd3d0e05e03d25299b53c2b79e305a50 SHA1: 60891af9062c582bdbc2cbde2644923ff6c5090b SHA256: 1b46868960518b8db06677acaf4b666fc11f45062dad4f3b5e9bb6b7c3ec50a2 YARA Match: False
c:\windows\microsoft.net\framework\v2.0.50727\config\security.config.cch.new 0.39 KB MD5: 4d7d35e73bf7a5ad3bbcd5615e4b63b6 SHA1: 75014d5e24ca9f9075754b0eff01d36875da50ef SHA256: de5fc81223c5754407a4b833a07b27f1348b34f383c80961a2e17eb6dc105bcb YARA Match: False
c:\windows\microsoft.net\framework\v2.0.50727\config\security.config.cch 0.39 KB MD5: 4d7d35e73bf7a5ad3bbcd5615e4b63b6 SHA1: 75014d5e24ca9f9075754b0eff01d36875da50ef SHA256: de5fc81223c5754407a4b833a07b27f1348b34f383c80961a2e17eb6dc105bcb YARA Match: False
c:\windows\microsoft.net\framework\v2.0.50727\config\enterprisesec.config.cch.new 0.39 KB MD5: 4d7d35e73bf7a5ad3bbcd5615e4b63b6 SHA1: 75014d5e24ca9f9075754b0eff01d36875da50ef SHA256: de5fc81223c5754407a4b833a07b27f1348b34f383c80961a2e17eb6dc105bcb YARA Match: False
c:\windows\microsoft.net\framework\v2.0.50727\config\enterprisesec.config.cch 0.39 KB MD5: 4d7d35e73bf7a5ad3bbcd5615e4b63b6 SHA1: 75014d5e24ca9f9075754b0eff01d36875da50ef SHA256: de5fc81223c5754407a4b833a07b27f1348b34f383c80961a2e17eb6dc105bcb YARA Match: False
Host Behavior
File (11)
Operation Filename Additional Information Success Count
Get Info C:\Users\CIiHmnxMn6Ps\Desktop\gabkrj.jpg.config type = file_attributes False 1
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config type = file_attributes False 1
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.default type = file_attributes False 1
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config type = file_attributes False 1
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.default type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.default type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe type = file_attributes False 1
Copy C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe source_filename = C:\Users\CIiHmnxMn6Ps\Desktop\gabkrj.jpg.exe, copy_flags = COPY_FILE_RESTARTABLE True 1
Delete C:\Users\CIiHmnxMn6Ps\Desktop\gabkrj.jpg.exe:Zone.Identifier - False 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe - False 1
Registry (25)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet\MediaPermission - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet\WebBrowserPermission - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet\MediaPermission - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet\WebBrowserPermission - True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgJITDebugLaunchSetting, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgManagedDebugger, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet\MediaPermission value_name = Xml, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet\MediaPermission value_name = Xml, data = <IPermission class="System.Security.Permissions.MediaPermission, WindowsBase, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" version="1" Audio="SafeAudio" Video="SafeVideo" Image="SafeImage"/>, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet\WebBrowserPermission value_name = Xml, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet\WebBrowserPermission value_name = Xml, data = <IPermission class="System.Security.Permissions.WebBrowserPermission, WindowsBase, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" version="1" Level="Safe"/>, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet\MediaPermission value_name = Xml, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet\MediaPermission value_name = Xml, data = <IPermission class="System.Security.Permissions.MediaPermission, WindowsBase, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" version="1" Audio="SafeAudio" Video="SafeVideo" Image="SafeImage"/>, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet\WebBrowserPermission value_name = Xml, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet\WebBrowserPermission value_name = Xml, data = <IPermission class="System.Security.Permissions.WebBrowserPermission, WindowsBase, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" version="1" Level="Safe"/>, type = REG_SZ True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet - True 1
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet - True 1
Get Key Info HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet - True 1
Get Key Info HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet - True 1
Process (1)
Operation Process Additional Information Success Count
Create explorer.exe show_window = SW_SHOWNORMAL True 1
Module (16)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\user32.dll base_address = 0x74d70000 True 2
Get Handle c:\users\ciihmnxmn6ps\desktop\gabkrj.jpg.exe base_address = 0x1e0000 True 7
Get Filename c:\users\ciihmnxmn6ps\desktop\gabkrj.jpg.exe process_name = c:\users\ciihmnxmn6ps\desktop\gabkrj.jpg.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\gabkrj.jpg.exe, size = 2048 True 1
Get Filename c:\users\ciihmnxmn6ps\desktop\gabkrj.jpg.exe process_name = c:\users\ciihmnxmn6ps\desktop\gabkrj.jpg.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\gabkrj.jpg.exe, size = 2048 True 4
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x77cbcaa0 True 2
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Window (13)
Operation Window Name Additional Information Success Count
Create - class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 True 1
Create PPppp class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 True 1
Create .NET-BroadcastEventWindow.2.0.0.0.378734a.0 class_name = .NET-BroadcastEventWindow.2.0.0.0.378734a.0, wndproc_parameter = 0 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 2009844384 True 2
Set Attribute - class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 36112562 True 1
Set Attribute PPppp class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 2009844384 True 2
Set Attribute PPppp class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 36112610 True 1
Set Attribute PPppp class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551608, new_long = 0 False 1
Set Attribute PPppp class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551600, new_long = 47120384 True 1
Set Attribute PPppp class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551596, new_long = 327680 True 1
Set Attribute .NET-BroadcastEventWindow.2.0.0.0.378734a.0 class_name = .NET-BroadcastEventWindow.2.0.0.0.378734a.0, index = 18446744073709551612, new_long = 2009844384 True 1
System (131)
Operation Additional Information Success Count
Sleep duration = 100 milliseconds (0.100 seconds) True 127
Get Info type = Operating System True 4
Process #2: explorer.exe
0 0
Information Value
ID #2
File Name c:\windows\syswow64\explorer.exe
Command Line "C:\Windows\System32\explorer.exe" /c select, C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:04, Reason: Child Process
Unmonitor End Time: 00:02:22, Reason: Terminated by Timeout
Monitor Duration 00:01:18
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe44
Parent PID 0x66c (c:\users\ciihmnxmn6ps\desktop\gabkrj.jpg.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xE48, 0xE4C, 0xE50, 0xE54, 0xE58, 0xE5C, 0xE60, 0xE64, 0xE68, 0xE6C, 0xE70, 0xE74
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000800000 0x00800000 0x0081ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000800000 0x00800000 0x0080ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000810000 0x00810000 0x00813fff Private Memory Readable, Writable True False False -
private_0x0000000000820000 0x00820000 0x00821fff Private Memory Readable, Writable True False False -
explorer.exe.mui 0x00820000 0x00827fff Memory Mapped File Readable False False False -
pagefile_0x0000000000830000 0x00830000 0x00843fff Pagefile Backed Memory Readable True False False -
private_0x0000000000850000 0x00850000 0x0088ffff Private Memory Readable, Writable True False False -
private_0x0000000000890000 0x00890000 0x008cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000008d0000 0x008d0000 0x008d3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000008e0000 0x008e0000 0x008e2fff Pagefile Backed Memory Readable True False False -
private_0x00000000008f0000 0x008f0000 0x008f1fff Private Memory Readable, Writable True False False -
locale.nls 0x00900000 0x009bdfff Memory Mapped File Readable False False False -
private_0x00000000009c0000 0x009c0000 0x009fffff Private Memory Readable, Writable True False False -
private_0x0000000000a00000 0x00a00000 0x00a3ffff Private Memory Readable, Writable True False False -
private_0x0000000000a40000 0x00a40000 0x00a40fff Private Memory Readable, Writable True False False -
private_0x0000000000a50000 0x00a50000 0x00a5ffff Private Memory Readable, Writable True False False -
private_0x0000000000a60000 0x00a60000 0x00a9ffff Private Memory Readable, Writable True False False -
private_0x0000000000aa0000 0x00aa0000 0x00adffff Private Memory Readable, Writable True False False -
private_0x0000000000ae0000 0x00ae0000 0x00b1ffff Private Memory Readable, Writable True False False -
private_0x0000000000b20000 0x00b20000 0x00b5ffff Private Memory Readable, Writable True False False -
private_0x0000000000b60000 0x00b60000 0x00b60fff Private Memory Readable, Writable True False False -
private_0x0000000000b70000 0x00b70000 0x00b73fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000b80000 0x00b80000 0x00b80fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000b90000 0x00b90000 0x00b90fff Pagefile Backed Memory Readable True False False -
private_0x0000000000ba0000 0x00ba0000 0x00baffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000bb0000 0x00bb0000 0x00bb0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000bc0000 0x00bc0000 0x00bc1fff Pagefile Backed Memory Readable True False False -
private_0x0000000000bd0000 0x00bd0000 0x00ccffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000cd0000 0x00cd0000 0x00e57fff Pagefile Backed Memory Readable True False False -
private_0x0000000000e60000 0x00e60000 0x00e9ffff Private Memory Readable, Writable True False False -
explorer.exe 0x00ea0000 0x01276fff Memory Mapped File Readable, Writable, Executable False False False -
pagefile_0x0000000001280000 0x01280000 0x0527ffff Pagefile Backed Memory - True False False -
pagefile_0x0000000005280000 0x05280000 0x05400fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000005410000 0x05410000 0x0680ffff Pagefile Backed Memory Readable True False False -
private_0x0000000006810000 0x06810000 0x0684ffff Private Memory Readable, Writable True False False -
private_0x0000000006850000 0x06850000 0x0688ffff Private Memory Readable, Writable True False False -
private_0x0000000006890000 0x06890000 0x068cffff Private Memory Readable, Writable True False False -
pagefile_0x00000000068d0000 0x068d0000 0x068d0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000068e0000 0x068e0000 0x068effff Private Memory Readable, Writable True False False -
sortdefault.nls 0x068f0000 0x06c26fff Memory Mapped File Readable False False False -
private_0x0000000006c30000 0x06c30000 0x06c6ffff Private Memory Readable, Writable True False False -
private_0x0000000006c70000 0x06c70000 0x06caffff Private Memory Readable, Writable True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db 0x06cb0000 0x06cc2fff Memory Mapped File Readable True False False -
private_0x0000000006cd0000 0x06cd0000 0x06d0ffff Private Memory Readable, Writable True False False -
private_0x0000000006d10000 0x06d10000 0x06d4ffff Private Memory Readable, Writable True False False -
private_0x0000000006d50000 0x06d50000 0x06d8ffff Private Memory Readable, Writable True False False -
private_0x0000000006d90000 0x06d90000 0x06dcffff Private Memory Readable, Writable True False False -
private_0x0000000006dd0000 0x06dd0000 0x06e0ffff Private Memory Readable, Writable True False False -
private_0x0000000006e10000 0x06e10000 0x06e4ffff Private Memory Readable, Writable True False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x71050000 0x71070fff Memory Mapped File Readable, Writable, Executable False False False -
dxgi.dll 0x71080000 0x710fdfff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x71100000 0x71118fff Memory Mapped File Readable, Writable, Executable False False False -
dcomp.dll 0x71120000 0x711bbfff Memory Mapped File Readable, Writable, Executable False False False -
d3d11.dll 0x711c0000 0x713d2fff Memory Mapped File Readable, Writable, Executable False False False -
twinapi.dll 0x713e0000 0x71478fff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x71ac0000 0x71c01fff Memory Mapped File Readable, Writable, Executable False False False -
explorerframe.dll 0x73ff0000 0x74419fff Memory Mapped File Readable, Writable, Executable False False False -
gdiplus.dll 0x74420000 0x7458afff Memory Mapped File Readable, Writable, Executable False False False -
wpdshext.dll 0x74590000 0x74777fff Memory Mapped File Readable, Writable, Executable False False False -
devobj.dll 0x74780000 0x747a0fff Memory Mapped File Readable, Writable, Executable False False False -
mmdevapi.dll 0x747b0000 0x74803fff Memory Mapped File Readable, Writable, Executable False False False -
devdispitemprovider.dll 0x74810000 0x74829fff Memory Mapped File Readable, Writable, Executable False False False -
playtodevice.dll 0x74830000 0x74884fff Memory Mapped File Readable, Writable, Executable False False False -
dlnashext.dll 0x74890000 0x748fefff Memory Mapped File Readable, Writable, Executable False False False -
actxprxy.dll 0x74900000 0x74b06fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x74b10000 0x74b3efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x74b40000 0x74b5afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74b60000 0x74b72fff Memory Mapped File Readable, Writable, Executable False False False -
sppc.dll 0x74b80000 0x74b9cfff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ba0000 0x74bbcfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74bc0000 0x74c34fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x74c40000 0x74cd0fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x74eb0000 0x75024fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x75030000 0x75065fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x75070000 0x7507efff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75080000 0x750c3fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x750d0000 0x755acfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x755b0000 0x7696efff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x76f60000 0x76f6bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76f70000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x77090000 0x77249fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77430000 0x77519fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x775e0000 0x7760afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x77760000 0x777e1fff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x777f0000 0x77833fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x778a0000 0x7792cfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77990000 0x77a0afff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x77ae0000 0x77aedfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x77ba0000 0x77c31fff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007f9b8000 0x7f9b8000 0x7f9bafff Private Memory Readable, Writable True False False -
private_0x000000007f9bb000 0x7f9bb000 0x7f9bdfff Private Memory Readable, Writable True False False -
private_0x000000007f9be000 0x7f9be000 0x7f9c0fff Private Memory Readable, Writable True False False -
private_0x000000007f9c1000 0x7f9c1000 0x7f9c3fff Private Memory Readable, Writable True False False -
private_0x000000007f9c4000 0x7f9c4000 0x7f9c6fff Private Memory Readable, Writable True False False -
private_0x000000007f9c7000 0x7f9c7000 0x7f9c9fff Private Memory Readable, Writable True False False -
private_0x000000007f9ca000 0x7f9ca000 0x7f9ccfff Private Memory Readable, Writable True False False -
private_0x000000007f9cd000 0x7f9cd000 0x7f9cffff Private Memory Readable, Writable True False False -
pagefile_0x000000007f9d0000 0x7f9d0000 0x7facffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007fad0000 0x7fad0000 0x7faf2fff Pagefile Backed Memory Readable True False False -
private_0x000000007faf5000 0x7faf5000 0x7faf7fff Private Memory Readable, Writable True False False -
private_0x000000007faf8000 0x7faf8000 0x7faf8fff Private Memory Readable, Writable True False False -
private_0x000000007fafb000 0x7fafb000 0x7fafdfff Private Memory Readable, Writable True False False -
private_0x000000007fafe000 0x7fafe000 0x7fafefff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7dfc03e6ffff Private Memory Readable True False False -
pagefile_0x00007dfc03e70000 0x7dfc03e70000 0x7ffc03e6ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
Process #3: explorer.exe
Information Value
ID #3
File Name c:\windows\explorer.exe
Command Line C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:08, Reason: RPC Server
Unmonitor End Time: 00:02:22, Reason: Terminated by Timeout
Monitor Duration 00:01:14
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xe78
Parent PID 0x248 (c:\windows\system32\svchost.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE90
0xE8C
0xE88
0xE84
0xE80
0xE7C
0xE94
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000ad0000 0x00ad0000 0x00adffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000ae0000 0x00ae0000 0x00ae6fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000af0000 0x00af0000 0x00b03fff Pagefile Backed Memory Readable True False False -
private_0x0000000000b10000 0x00b10000 0x00b8ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000b90000 0x00b90000 0x00b93fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000ba0000 0x00ba0000 0x00ba2fff Pagefile Backed Memory Readable True False False -
private_0x0000000000bb0000 0x00bb0000 0x00bb1fff Private Memory Readable, Writable True False False -
locale.nls 0x00bc0000 0x00c7dfff Memory Mapped File Readable False False False -
private_0x0000000000c80000 0x00c80000 0x00c86fff Private Memory Readable, Writable True False False -
private_0x0000000000c90000 0x00c90000 0x00d8ffff Private Memory Readable, Writable True False False -
private_0x0000000000d90000 0x00d90000 0x00e0ffff Private Memory Readable, Writable True False False -
explorer.exe.mui 0x00e10000 0x00e17fff Memory Mapped File Readable False False False -
private_0x0000000000e20000 0x00e20000 0x00e20fff Private Memory Readable, Writable True False False -
private_0x0000000000e30000 0x00e30000 0x00e30fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000e40000 0x00e40000 0x00e40fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000e50000 0x00e50000 0x00e50fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000e60000 0x00e60000 0x00e60fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000e70000 0x00e70000 0x00e72fff Pagefile Backed Memory Readable True False False -
private_0x0000000000e80000 0x00e80000 0x00e8ffff Private Memory Readable, Writable True False False -
private_0x0000000000e90000 0x00e90000 0x00f0ffff Private Memory Readable, Writable True False False -
private_0x0000000000f10000 0x00f10000 0x00f1ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000f20000 0x00f20000 0x010a7fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000010b0000 0x010b0000 0x01230fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001240000 0x01240000 0x0263ffff Pagefile Backed Memory Readable True False False -
sortdefault.nls 0x02640000 0x02976fff Memory Mapped File Readable False False False -
private_0x0000000002980000 0x02980000 0x029fffff Private Memory Readable, Writable True False False -
private_0x0000000002a00000 0x02a00000 0x02a7ffff Private Memory Readable, Writable True False False -
private_0x0000000002a80000 0x02a80000 0x02afffff Private Memory Readable, Writable True False False -
cversions.2.db 0x02b00000 0x02b03fff Memory Mapped File Readable True False False -
pagefile_0x0000000002b10000 0x02b10000 0x02b11fff Pagefile Backed Memory Readable True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000b.db 0x02b20000 0x02b62fff Memory Mapped File Readable True False False -
cversions.2.db 0x02b70000 0x02b73fff Memory Mapped File Readable True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db 0x02b80000 0x02c0afff Memory Mapped File Readable True False False -
propsys.dll.mui 0x02c10000 0x02c20fff Memory Mapped File Readable False False False -
private_0x0000000002c30000 0x02c30000 0x02caffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002cb0000 0x02cb0000 0x02cb0fff Pagefile Backed Memory Readable, Writable True False False -
shell32.dll.mui 0x02cc0000 0x02d20fff Memory Mapped File Readable False False False -
windows.storage.dll.mui 0x02d30000 0x02d37fff Memory Mapped File Readable False False False -
pagefile_0x0000000002d40000 0x02d40000 0x02d40fff Pagefile Backed Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
pagefile_0x00007df5ff650000 0x7df5ff650000 0x7ff5ff64ffff Pagefile Backed Memory - True False False -
private_0x00007ff6e70dc000 0x7ff6e70dc000 0x7ff6e70ddfff Private Memory Readable, Writable True False False -
private_0x00007ff6e70de000 0x7ff6e70de000 0x7ff6e70dffff Private Memory Readable, Writable True False False -
pagefile_0x00007ff6e70e0000 0x7ff6e70e0000 0x7ff6e71dffff Pagefile Backed Memory Readable True False False -
pagefile_0x00007ff6e71e0000 0x7ff6e71e0000 0x7ff6e7202fff Pagefile Backed Memory Readable True False False -
private_0x00007ff6e7204000 0x7ff6e7204000 0x7ff6e7205fff Private Memory Readable, Writable True False False -
private_0x00007ff6e7206000 0x7ff6e7206000 0x7ff6e7207fff Private Memory Readable, Writable True False False -
private_0x00007ff6e7208000 0x7ff6e7208000 0x7ff6e7209fff Private Memory Readable, Writable True False False -
private_0x00007ff6e720a000 0x7ff6e720a000 0x7ff6e720bfff Private Memory Readable, Writable True False False -
private_0x00007ff6e720c000 0x7ff6e720c000 0x7ff6e720dfff Private Memory Readable, Writable True False False -
private_0x00007ff6e720e000 0x7ff6e720e000 0x7ff6e720efff Private Memory Readable, Writable True False False -
explorer.exe 0x7ff6e73b0000 0x7ff6e77fdfff Memory Mapped File Readable, Writable, Executable False False False -
explorerframe.dll 0x7ffbf4520000 0x7ffbf49affff Memory Mapped File Readable, Writable, Executable False False False -
twinapi.dll 0x7ffbf4cf0000 0x7ffbf4da9fff Memory Mapped File Readable, Writable, Executable False False False -
pcacli.dll 0x7ffbf4fc0000 0x7ffbf4fcefff Memory Mapped File Readable, Writable, Executable False False False -
actxprxy.dll 0x7ffbf5460000 0x7ffbf58c9fff Memory Mapped File Readable, Writable, Executable False False False -
urlmon.dll 0x7ffbf6fc0000 0x7ffbf7156fff Memory Mapped File Readable, Writable, Executable False False False -
iertutil.dll 0x7ffbf9380000 0x7ffbf96f5fff Memory Mapped File Readable, Writable, Executable False False False -
comctl32.dll 0x7ffbfb2d0000 0x7ffbfb543fff Memory Mapped File Readable, Writable, Executable False False False -
propsys.dll 0x7ffbfd5b0000 0x7ffbfd732fff Memory Mapped File Readable, Writable, Executable False False False -
dxgi.dll 0x7ffbfe650000 0x7ffbfe6ebfff Memory Mapped File Readable, Writable, Executable False False False -
d3d11.dll 0x7ffbfe6f0000 0x7ffbfe992fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x7ffbfe9a0000 0x7ffbfe9c1fff Memory Mapped File Readable, Writable, Executable False False False -
sppc.dll 0x7ffbfe9f0000 0x7ffbfea14fff Memory Mapped File Readable, Writable, Executable False False False -
slc.dll 0x7ffbfea20000 0x7ffbfea45fff Memory Mapped File Readable, Writable, Executable False False False -
dcomp.dll 0x7ffbfed00000 0x7ffbfedd0fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x7ffbff0d0000 0x7ffbff147fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x7ffbff170000 0x7ffbff205fff Memory Mapped File Readable, Writable, Executable False False False -
mpr.dll 0x7ffbffad0000 0x7ffbffaebfff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x7ffbffdc0000 0x7ffbffdf2fff Memory Mapped File Readable, Writable, Executable False False False -
userenv.dll 0x7ffbffeb0000 0x7ffbffecefff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x7ffc00170000 0x7ffc00186fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x7ffc002e0000 0x7ffc002eafff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x7ffc004c0000 0x7ffc004ebfff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x7ffc006c0000 0x7ffc006e7fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x7ffc006f0000 0x7ffc0075afff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x7ffc008a0000 0x7ffc008e9fff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x7ffc008f0000 0x7ffc00902fff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x7ffc00910000 0x7ffc0091efff Memory Mapped File Readable, Writable, Executable False False False -
msasn1.dll 0x7ffc00920000 0x7ffc00930fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x7ffc00940000 0x7ffc00f67fff Memory Mapped File Readable, Writable, Executable False False False -
cfgmgr32.dll 0x7ffc00f70000 0x7ffc00fb3fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x7ffc00fc0000 0x7ffc01072fff Memory Mapped File Readable, Writable, Executable False False False -
crypt32.dll 0x7ffc01190000 0x7ffc01350fff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x7ffc01360000 0x7ffc0153cfff Memory Mapped File Readable, Writable, Executable False False False -
clbcatq.dll 0x7ffc01540000 0x7ffc015e4fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x7ffc015f0000 0x7ffc01625fff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x7ffc01640000 0x7ffc016e5fff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x7ffc018a0000 0x7ffc01b1bfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x7ffc01dd0000 0x7ffc01ef5fff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x7ffc01f00000 0x7ffc0204dfff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x7ffc02060000 0x7ffc020fcfff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x7ffc02100000 0x7ffc0215afff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x7ffc02160000 0x7ffc022bbfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x7ffc022c0000 0x7ffc037e4fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x7ffc037f0000 0x7ffc03974fff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x7ffc03a50000 0x7ffc03aa0fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x7ffc03bb0000 0x7ffc03cf0fff Memory Mapped File Readable, Writable, Executable False False False -
oleaut32.dll 0x7ffc03d00000 0x7ffc03dbdfff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x7ffc03dc0000 0x7ffc03e6cfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
Process #4: vfggggg.exe
Information Value
ID #4
File Name c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe
Command Line "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:11, Reason: Child Process
Unmonitor End Time: 00:02:22, Reason: Terminated by Timeout
Monitor Duration 00:01:11
OS Process Information
Information Value
PID 0xe98
Parent PID 0xe78 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xE9C
0xEA0
0xEA4
0xEA8
0xEB0
0xEB4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
vfggggg.exe 0x00410000 0x00501fff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000510000 0x00510000 0x0052ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000510000 0x00510000 0x0051ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000520000 0x00520000 0x00523fff Private Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x00531fff Private Memory Readable, Writable True False False -
private_0x0000000000530000 0x00530000 0x00530fff Private Memory Readable, Writable True False False -
pagefile_0x0000000000540000 0x00540000 0x00553fff Pagefile Backed Memory Readable True False False -
private_0x0000000000560000 0x00560000 0x0059ffff Private Memory Readable, Writable True False False -
private_0x00000000005a0000 0x005a0000 0x0069ffff Private Memory Readable, Writable True False False -
pagefile_0x00000000006a0000 0x006a0000 0x006a3fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000006b0000 0x006b0000 0x006b0fff Pagefile Backed Memory Readable True False False -
private_0x00000000006c0000 0x006c0000 0x006c1fff Private Memory Readable, Writable True False False -
locale.nls 0x006d0000 0x0078dfff Memory Mapped File Readable False False False -
private_0x0000000000790000 0x00790000 0x007cffff Private Memory Readable, Writable True False False -
private_0x00000000007d0000 0x007d0000 0x007d0fff Private Memory Readable, Writable True False False -
private_0x00000000007e0000 0x007e0000 0x007effff Private Memory Readable, Writable True False False -
pagefile_0x00000000007f0000 0x007f0000 0x007f0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000800000 0x00800000 0x00800fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000000810000 0x00810000 0x00810fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000000820000 0x00820000 0x0082ffff Private Memory Readable, Writable True False False -
private_0x0000000000830000 0x00830000 0x0083ffff Private Memory - True False False -
private_0x0000000000840000 0x00840000 0x0084ffff Private Memory - True False False -
private_0x0000000000850000 0x00850000 0x0085ffff Private Memory Readable, Writable, Executable True False False -
private_0x0000000000860000 0x00860000 0x0086ffff Private Memory - True False False -
private_0x0000000000870000 0x00870000 0x0087ffff Private Memory - True False False -
private_0x0000000000880000 0x00880000 0x0088ffff Private Memory - True False False -
private_0x0000000000890000 0x00890000 0x0089ffff Private Memory - True False False -
pagefile_0x00000000008a0000 0x008a0000 0x008a0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000008b0000 0x008b0000 0x009affff Private Memory Readable, Writable True False False -
private_0x00000000009b0000 0x009b0000 0x00aaffff Private Memory Readable, Writable True False False -
private_0x0000000000ab0000 0x00ab0000 0x00aeffff Private Memory Readable, Writable True False False -
private_0x0000000000af0000 0x00af0000 0x00b2ffff Private Memory Readable, Writable True False False -
l_intl.nls 0x00b30000 0x00b32fff Memory Mapped File Readable False False False -
pagefile_0x0000000000b40000 0x00b40000 0x00b40fff Pagefile Backed Memory Readable True False False -
private_0x0000000000b50000 0x00b50000 0x00b5ffff Private Memory Readable, Writable True False False -
private_0x0000000000b60000 0x00b60000 0x00b6ffff Private Memory - True False False -
private_0x0000000000b70000 0x00b70000 0x00b7ffff Private Memory - True False False -
private_0x0000000000b80000 0x00b80000 0x00b8ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000b90000 0x00b90000 0x00b91fff Pagefile Backed Memory Readable True False False -
private_0x0000000000ba0000 0x00ba0000 0x00baffff Private Memory Readable, Writable True False False -
pagefile_0x0000000000bb0000 0x00bb0000 0x00d37fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000d40000 0x00d40000 0x00ec0fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000000ed0000 0x00ed0000 0x022cffff Pagefile Backed Memory Readable True False False -
private_0x00000000022d0000 0x022d0000 0x023cffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x023d0000 0x02706fff Memory Mapped File Readable False False False -
private_0x0000000002710000 0x02710000 0x0470ffff Private Memory Readable, Writable True False False -
private_0x0000000004710000 0x04710000 0x047affff Private Memory Readable, Writable True False False -
private_0x0000000004710000 0x04710000 0x04713fff Private Memory Readable, Writable True False False -
private_0x0000000004720000 0x04720000 0x0472ffff Private Memory Readable, Writable True False False -
private_0x0000000004730000 0x04730000 0x0475ffff Private Memory Readable, Writable True False False -
private_0x0000000004730000 0x04730000 0x04733fff Private Memory Readable, Writable True False False -
pagefile_0x0000000004740000 0x04740000 0x04740fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000004740000 0x04740000 0x04743fff Pagefile Backed Memory Readable True False False -
private_0x0000000004750000 0x04750000 0x0475ffff Private Memory Readable, Writable True False False -
private_0x0000000004760000 0x04760000 0x0479ffff Private Memory Readable, Writable True False False -
private_0x00000000047a0000 0x047a0000 0x047affff Private Memory - True False False -
private_0x00000000047b0000 0x047b0000 0x048affff Private Memory Readable, Writable True False False -
private_0x00000000048b0000 0x048b0000 0x058affff Private Memory Readable, Writable True False False -
private_0x00000000048b0000 0x048b0000 0x048bffff Private Memory Readable, Writable True False False -
private_0x00000000048b0000 0x048b0000 0x048b3fff Private Memory Readable, Writable, Executable True False False -
private_0x00000000048c0000 0x048c0000 0x048cffff Private Memory - True False False -
private_0x00000000048d0000 0x048d0000 0x048dffff Private Memory Readable, Writable True False False -
private_0x00000000048d0000 0x048d0000 0x049affff Private Memory Readable, Writable, Executable True False False -
sorttbls.nlp 0x048d0000 0x048d4fff Memory Mapped File Readable False False False -
private_0x00000000048e0000 0x048e0000 0x048effff Private Memory Readable, Writable True False False -
sortkey.nlp 0x048e0000 0x04920fff Memory Mapped File Readable False False False -
pagefile_0x0000000004930000 0x04930000 0x04930fff Pagefile Backed Memory Readable True False False -
mscorrc.dll 0x04930000 0x04983fff Memory Mapped File Readable True False False -
private_0x0000000004990000 0x04990000 0x0499ffff Private Memory Readable, Writable True False False -
private_0x00000000049a0000 0x049a0000 0x049affff Private Memory Readable, Writable, Executable True False False -
private_0x00000000049b0000 0x049b0000 0x049bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000049b0000 0x049b0000 0x04a36fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000004a40000 0x04a40000 0x04abffff Private Memory Readable, Writable True False False -
private_0x00000000058b0000 0x058b0000 0x059dffff Private Memory Readable, Writable True False False -
private_0x00000000059e0000 0x059e0000 0x05adffff Private Memory Readable, Writable True False False -
~fontcache-system.dat 0x05ae0000 0x05b55fff Memory Mapped File Readable False False False -
private_0x0000000005b60000 0x05b60000 0x05c5ffff Private Memory Readable, Writable True False False -
~fontcache-fontface.dat 0x05c60000 0x06c5ffff Memory Mapped File Readable False False False -
private_0x0000000006c60000 0x06c60000 0x06d5ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000006d60000 0x06d60000 0x07251fff Pagefile Backed Memory Readable, Writable True False False -
pagefile_0x0000000007260000 0x07260000 0x07317fff Pagefile Backed Memory Readable True False False -
private_0x0000000007320000 0x07320000 0x0735ffff Private Memory Readable, Writable True False False -
private_0x0000000007360000 0x07360000 0x0745ffff Private Memory Readable, Writable True False False -
user32.dll.mui 0x07460000 0x07464fff Memory Mapped File Readable False False False -
private_0x0000000007470000 0x07470000 0x07473fff Private Memory Readable, Writable True False False -
private_0x0000000007480000 0x07480000 0x0748ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000007480000 0x07480000 0x0748dfff Pagefile Backed Memory Readable, Writable True False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
windowscodecs.dll 0x71ab0000 0x71c20fff Memory Mapped File Readable, Writable, Executable False False False -
system.core.ni.dll 0x71c30000 0x71e65fff Memory Mapped File Readable, Writable, Executable True False False -
dwrite.dll 0x71e70000 0x7205ffff Memory Mapped File Readable, Writable, Executable False False False -
gdiplus.dll 0x72060000 0x721cafff Memory Mapped File Readable, Writable, Executable False False False -
system.windows.forms.ni.dll 0x721d0000 0x72daffff Memory Mapped File Readable, Writable, Executable True False False -
mscorlib.ni.dll 0x72db0000 0x738a9fff Memory Mapped File Readable, Writable, Executable True False False -
msvcr80.dll 0x738b0000 0x7394afff Memory Mapped File Readable, Writable, Executable False False False -
mscorwks.dll 0x73950000 0x73efffff Memory Mapped File Readable, Writable, Executable True False False -
version.dll 0x73f00000 0x73f07fff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x73f10000 0x73f87fff Memory Mapped File Readable, Writable, Executable True False False -
mscoree.dll 0x73f90000 0x73fe8fff Memory Mapped File Readable, Writable, Executable True False False -
system.ni.dll 0x74060000 0x74802fff Memory Mapped File Readable, Writable, Executable True False False -
system.drawing.ni.dll 0x74920000 0x74aa8fff Memory Mapped File Readable, Writable, Executable True False False -
mscorjit.dll 0x74ab0000 0x74b0afff Memory Mapped File Readable, Writable, Executable True False False -
culture.dll 0x74b20000 0x74b27fff Memory Mapped File Readable, Writable, Executable True False False -
rsaenh.dll 0x74b30000 0x74b5efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x74b60000 0x74b7afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74b80000 0x74b92fff Memory Mapped File Readable, Writable, Executable False False False -
dwmapi.dll 0x74ba0000 0x74bbcfff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74bc0000 0x74c34fff Memory Mapped File Readable, Writable, Executable False False False -
apphelp.dll 0x74c40000 0x74cd0fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x75070000 0x7507efff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75080000 0x750c3fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x750d0000 0x755acfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x755b0000 0x7696efff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x76f60000 0x76f6bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76f70000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x77090000 0x77249fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
psapi.dll 0x773d0000 0x773d5fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77430000 0x77519fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x775e0000 0x7760afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x777f0000 0x77833fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x778a0000 0x7792cfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77990000 0x77a0afff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
sysmain.sdb 0x7eea0000 0x7f22ffff Memory Mapped File Readable False False False -
private_0x000000007f227000 0x7f227000 0x7f229fff Private Memory Readable, Writable True False False -
private_0x000000007f22a000 0x7f22a000 0x7f22cfff Private Memory Readable, Writable True False False -
private_0x000000007f22d000 0x7f22d000 0x7f22ffff Private Memory Readable, Writable True False False -
pagefile_0x000000007f230000 0x7f230000 0x7f32ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007f330000 0x7f330000 0x7f352fff Pagefile Backed Memory Readable True False False -
private_0x000000007f355000 0x7f355000 0x7f357fff Private Memory Readable, Writable True False False -
private_0x000000007f358000 0x7f358000 0x7f35afff Private Memory Readable, Writable True False False -
private_0x000000007f35b000 0x7f35b000 0x7f35bfff Private Memory Readable, Writable True False False -
private_0x000000007f35c000 0x7f35c000 0x7f35cfff Private Memory Readable, Writable True False False -
private_0x000000007f35d000 0x7f35d000 0x7f35ffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7ffc03e6ffff Private Memory Readable True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 32 entries are omitted.
The remaining entries can be found in flog.txt.
Host Behavior
File (12)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.config type = file_attributes False 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config type = file_attributes False 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.default type = file_attributes False 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config type = file_attributes False 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.default type = file_attributes False 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config type = file_attributes False 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.default type = file_attributes False 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe type = file_attributes True 1
Fn
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe type = file_type True 2
Fn
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe:Zone.Identifier - False 1
Fn
Registry (28)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet\MediaPermission - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet\WebBrowserPermission - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet\MediaPermission - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet\WebBrowserPermission - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgJITDebugLaunchSetting, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgManagedDebugger, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet\MediaPermission value_name = Xml, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet\MediaPermission value_name = Xml, data = <IPermission class="System.Security.Permissions.MediaPermission, WindowsBase, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" version="1" Audio="SafeAudio" Video="SafeVideo" Image="SafeImage"/>, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet\WebBrowserPermission value_name = Xml, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet\WebBrowserPermission value_name = Xml, data = <IPermission class="System.Security.Permissions.WebBrowserPermission, WindowsBase, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" version="1" Level="Safe"/>, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet\MediaPermission value_name = Xml, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet\MediaPermission value_name = Xml, data = <IPermission class="System.Security.Permissions.MediaPermission, WindowsBase, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" version="1" Audio="SafeAudio" Video="SafeVideo" Image="SafeImage"/>, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet\WebBrowserPermission value_name = Xml, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet\WebBrowserPermission value_name = Xml, data = <IPermission class="System.Security.Permissions.WebBrowserPermission, WindowsBase, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" version="1" Level="Safe"/>, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = dttrgsdcd, type = REG_NONE False 2
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet - True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\Internet - True 1
Fn
Get Key Info HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Security\Policy\Extensions\NamedPermissionSets\LocalIntranet - True 1
Fn
Module (313)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\user32.dll base_address = 0x74d70000 True 2
Fn
Get Handle c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe base_address = 0x410000 True 7
Fn
Get Filename c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe, size = 2048 True 1
Fn
Get Filename c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe, size = 2048 True 4
Fn
Get Filename c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\KERNEL32.dll, size = 2048 True 1
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\KERNELBASE.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\system32\apphelp.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\ADVAPI32.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\msvcrt.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\sechost.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\RPCRT4.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\SspiCli.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\CRYPTBASE.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\bcryptPrimitives.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\SHLWAPI.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\combase.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\GDI32.dll, size = 2048 True 2
Fn
Get Filename c:\windows\syswow64\user32.dll process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\USER32.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\IMM32.DLL, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\MSCTF.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\kernel.appcore.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\VERSION.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9185_none_d0905a48442809b8\MSVCR80.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\shell32.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\windows.storage.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\shcore.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\powrprof.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\profapi.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f87e9c65bcfc0dde0655ce19fb05fe8c\mscorlib.ni.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\ole32.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\b0de8183f9e33cd0fbe10c8db1402653\System.ni.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\cebfffe6cee14413d504056227f496b2\System.Drawing.ni.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\e3f653c6d321c4c528daa164908e0ff8\System.Windows.Forms.ni.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\uxtheme.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\dwmapi.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\DWrite.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\40661cdfbf2201f3d6c5cf6378755082\System.Core.ni.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\CRYPTSP.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\bcrypt.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\system32\rsaenh.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\psapi.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\WindowsCodecs.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\OLEAUT32.dll, size = 2048 True 2
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\shfolder.dll, size = 2048 True 2
Fn
Get Filename c:\windows\syswow64\kernel32.dll process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\KERNEL32.dll, size = 2048 True 1
Fn
Get Filename c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\ntdll.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 5
Fn
Get Filename c:\windows\syswow64\kernel32.dll process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\KERNEL32.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\KERNELBASE.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\system32\apphelp.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\ADVAPI32.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\msvcrt.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\sechost.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\RPCRT4.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\SspiCli.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\CRYPTBASE.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\bcryptPrimitives.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\SHLWAPI.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\combase.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\GDI32.dll, size = 2048 True 4
Fn
Get Filename c:\windows\syswow64\user32.dll process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\USER32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\IMM32.DLL, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\MSCTF.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\kernel.appcore.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\VERSION.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9185_none_d0905a48442809b8\MSVCR80.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\shell32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\windows.storage.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\shcore.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\powrprof.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\profapi.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\f87e9c65bcfc0dde0655ce19fb05fe8c\mscorlib.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\ole32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\b0de8183f9e33cd0fbe10c8db1402653\System.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\cebfffe6cee14413d504056227f496b2\System.Drawing.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\e3f653c6d321c4c528daa164908e0ff8\System.Windows.Forms.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\uxtheme.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\dwmapi.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10240.16384_none_d15682eeaf714889\gdiplus.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\DWrite.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\40661cdfbf2201f3d6c5cf6378755082\System.Core.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\CRYPTSP.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\bcrypt.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\system32\rsaenh.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\psapi.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\WindowsCodecs.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\OLEAUT32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, file_name_orig = C:\Windows\SYSTEM32\shfolder.dll, size = 2048 True 4
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x77cbcaa0 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x7768a510 True 1
Fn
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Window (12)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 True 1
Fn
Create PPppp class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 True 1
Fn
Create .NET-BroadcastEventWindow.2.0.0.0.378734a.0 class_name = .NET-BroadcastEventWindow.2.0.0.0.378734a.0, wndproc_parameter = 0 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 2009844384 True 2
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 8718514 True 1
Fn
Set Attribute PPppp class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 2009844384 True 1
Fn
Set Attribute PPppp class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551612, new_long = 8718562 True 1
Fn
Set Attribute PPppp class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551608, new_long = 0 False 1
Fn
Set Attribute PPppp class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551600, new_long = 47120384 True 1
Fn
Set Attribute PPppp class_name = WindowsForms10.Window.8.app.0.378734a, index = 18446744073709551596, new_long = 327680 True 1
Fn
Set Attribute .NET-BroadcastEventWindow.2.0.0.0.378734a.0 class_name = .NET-BroadcastEventWindow.2.0.0.0.378734a.0, index = 18446744073709551612, new_long = 2009844384 True 1
Fn
System (206)
Operation Additional Information Success Count Logfile
Sleep duration = 100 milliseconds (0.100 seconds) True 202
Fn
Get Info type = Operating System True 4
Fn
Process #5: vfggggg.exe
475 47
Information Value
ID #5
File Name c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe
Command Line "C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:32, Reason: Child Process
Unmonitor End Time: 00:02:22, Reason: Terminated by Timeout
Monitor Duration 00:00:50
OS Process Information
Information Value
PID 0xec8
Parent PID 0xe98 (c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xECC
0xED0
0xED4
0xED8
0xEDC
0xEE0
0xEE4
0xEE8
0xEEC
0xF34
0xF38
0xF4C
0xFA4
0xFA8
0xFDC
0xFE0
0xFE4
0xFE8
0xFEC
0xFF0
0xFF4
0xFF8
0x82C
0x438
0x428
0x2DC
0x788
0x1B4
0xA14
0x8D4
0xBC0
0x594
0xBCC
0x778
0xC0C
0x310
0xC04
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000400000 0x00400000 0x00455fff Private Memory Readable, Writable, Executable True False False -
vfggggg.exe 0x00f00000 0x00ff1fff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000001000000 0x01000000 0x0101ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000001000000 0x01000000 0x0100ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001010000 0x01010000 0x01013fff Private Memory Readable, Writable True False False -
private_0x0000000001020000 0x01020000 0x01021fff Private Memory Readable, Writable True False False -
private_0x0000000001020000 0x01020000 0x01020fff Private Memory Readable, Writable True False False -
pagefile_0x0000000001030000 0x01030000 0x01043fff Pagefile Backed Memory Readable True False False -
private_0x0000000001050000 0x01050000 0x0108ffff Private Memory Readable, Writable True False False -
private_0x0000000001090000 0x01090000 0x0118ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000001190000 0x01190000 0x01193fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000011a0000 0x011a0000 0x011a0fff Pagefile Backed Memory Readable True False False -
private_0x00000000011b0000 0x011b0000 0x011b1fff Private Memory Readable, Writable True False False -
private_0x00000000011c0000 0x011c0000 0x011fffff Private Memory Readable, Writable True False False -
private_0x0000000001200000 0x01200000 0x01200fff Private Memory Readable, Writable True False False -
pagefile_0x0000000001210000 0x01210000 0x01210fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001220000 0x01220000 0x01220fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001230000 0x01230000 0x0123ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000001240000 0x01240000 0x01240fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001250000 0x01250000 0x0125ffff Private Memory - True False False -
private_0x0000000001260000 0x01260000 0x0126ffff Private Memory Readable, Writable True False False -
private_0x0000000001270000 0x01270000 0x0127ffff Private Memory - True False False -
private_0x0000000001280000 0x01280000 0x0128ffff Private Memory - True False False -
private_0x0000000001290000 0x01290000 0x0129ffff Private Memory - True False False -
private_0x00000000012a0000 0x012a0000 0x012affff Private Memory - True False False -
private_0x00000000012b0000 0x012b0000 0x012bffff Private Memory - True False False -
private_0x00000000012c0000 0x012c0000 0x012fffff Private Memory Readable, Writable True False False -
private_0x0000000001300000 0x01300000 0x013fffff Private Memory Readable, Writable True False False -
locale.nls 0x01400000 0x014bdfff Memory Mapped File Readable False False False -
private_0x00000000014c0000 0x014c0000 0x015bffff Private Memory Readable, Writable True False False -
pagefile_0x00000000015c0000 0x015c0000 0x015c0fff Pagefile Backed Memory Readable, Writable True False False -
private_0x00000000015d0000 0x015d0000 0x0160ffff Private Memory Readable, Writable True False False -
l_intl.nls 0x01610000 0x01612fff Memory Mapped File Readable False False False -
pagefile_0x0000000001620000 0x01620000 0x01620fff Pagefile Backed Memory Readable True False False -
private_0x0000000001630000 0x01630000 0x0163ffff Private Memory Readable, Writable True False False -
sorttbls.nlp 0x01640000 0x01644fff Memory Mapped File Readable False False False -
private_0x0000000001650000 0x01650000 0x0165ffff Private Memory Readable, Writable, Executable True False False -
private_0x0000000001660000 0x01660000 0x0166ffff Private Memory - True False False -
pagefile_0x0000000001670000 0x01670000 0x01670fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001670000 0x01670000 0x0167afff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000001680000 0x01680000 0x0168ffff Private Memory - True False False -
private_0x0000000001690000 0x01690000 0x0169ffff Private Memory - True False False -
private_0x00000000016a0000 0x016a0000 0x016affff Private Memory Readable, Writable True False False -
pagefile_0x00000000016b0000 0x016b0000 0x01837fff Pagefile Backed Memory Readable True False False -
pagefile_0x0000000001840000 0x01840000 0x019c0fff Pagefile Backed Memory Readable True False False -
pagefile_0x00000000019d0000 0x019d0000 0x02dcffff Pagefile Backed Memory Readable True False False -
private_0x0000000002dd0000 0x02dd0000 0x02ecffff Private Memory Readable, Writable True False False -
private_0x0000000002ed0000 0x02ed0000 0x02f6ffff Private Memory Readable, Writable True False False -
pagefile_0x0000000002ed0000 0x02ed0000 0x02ef3fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002f00000 0x02f00000 0x02f0ffff Private Memory - True False False -
private_0x0000000002f10000 0x02f10000 0x02f4ffff Private Memory Readable, Writable True False False -
private_0x0000000002f50000 0x02f50000 0x02f5ffff Private Memory - True False False -
private_0x0000000002f60000 0x02f60000 0x02f6ffff Private Memory - True False False -
pagefile_0x0000000002f70000 0x02f70000 0x02f8ffff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000002f90000 0x02f90000 0x02f9ffff Private Memory Readable, Writable True False False -
sortdefault.nls 0x02fa0000 0x032d6fff Memory Mapped File Readable False False False -
private_0x00000000032e0000 0x032e0000 0x052dffff Private Memory Readable, Writable True False False -
private_0x00000000052e0000 0x052e0000 0x053dffff Private Memory Readable, Writable True False False -
private_0x00000000053e0000 0x053e0000 0x0543ffff Private Memory Readable, Writable True False False -
sortkey.nlp 0x053e0000 0x05420fff Memory Mapped File Readable False False False -
private_0x0000000005430000 0x05430000 0x0543ffff Private Memory Readable, Writable True False False -
mscorrc.dll 0x05440000 0x05493fff Memory Mapped File Readable True False False -
pagefile_0x00000000054a0000 0x054a0000 0x05547fff Pagefile Backed Memory Readable, Writable True False False -
private_0x0000000005550000 0x05550000 0x0654ffff Private Memory Readable, Writable True False False -
private_0x0000000006550000 0x06550000 0x0667ffff Private Memory Readable, Writable True False False -
private_0x0000000006680000 0x06680000 0x0767ffff Private Memory Readable, Writable True False False -
private_0x0000000007680000 0x07680000 0x078cffff Private Memory Readable, Writable True False False -
private_0x00000000078d0000 0x078d0000 0x079cffff Private Memory Readable, Writable True False False -
private_0x00000000079d0000 0x079d0000 0x07a0ffff Private Memory Readable, Writable True False False -
private_0x0000000007a10000 0x07a10000 0x07b0ffff Private Memory Readable, Writable True False False -
kernelbase.dll.mui 0x07b10000 0x07beefff Memory Mapped File Readable False False False -
private_0x0000000007bf0000 0x07bf0000 0x07c2ffff Private Memory Readable, Writable True False False -
private_0x0000000007c30000 0x07c30000 0x07d2ffff Private Memory Readable, Writable True False False -
private_0x0000000007d30000 0x07d30000 0x07d6ffff Private Memory Readable, Writable True False False -
private_0x0000000007d70000 0x07d70000 0x07e6ffff Private Memory Readable, Writable True False False -
private_0x0000000007e70000 0x07e70000 0x07eaffff Private Memory Readable, Writable True False False -
private_0x0000000007eb0000 0x07eb0000 0x07faffff Private Memory Readable, Writable True False False -
private_0x0000000007fb0000 0x07fb0000 0x07feffff Private Memory Readable, Writable True False False -
private_0x0000000007ff0000 0x07ff0000 0x080effff Private Memory Readable, Writable True False False -
wow64.dll 0x59300000 0x5934efff Memory Mapped File Readable, Writable, Executable False False False -
wow64cpu.dll 0x59350000 0x59357fff Memory Mapped File Readable, Writable, Executable False False False -
wow64win.dll 0x59360000 0x593d2fff Memory Mapped File Readable, Writable, Executable False False False -
system.management.ni.dll 0x718d0000 0x719d3fff Memory Mapped File Readable, Writable, Executable True False False -
system.xml.ni.dll 0x719e0000 0x71f1afff Memory Mapped File Readable, Writable, Executable True False False -
system.configuration.ni.dll 0x71f20000 0x72012fff Memory Mapped File Readable, Writable, Executable True False False -
microsoft.visualbasic.ni.dll 0x72020000 0x721c4fff Memory Mapped File Readable, Writable, Executable True False False -
system.windows.forms.ni.dll 0x721d0000 0x72daffff Memory Mapped File Readable, Writable, Executable True False False -
mscorlib.ni.dll 0x72db0000 0x738a9fff Memory Mapped File Readable, Writable, Executable True False False -
msvcr80.dll 0x738b0000 0x7394afff Memory Mapped File Readable, Writable, Executable False False False -
mscorwks.dll 0x73950000 0x73efffff Memory Mapped File Readable, Writable, Executable True False False -
version.dll 0x73f00000 0x73f07fff Memory Mapped File Readable, Writable, Executable False False False -
mscoreei.dll 0x73f10000 0x73f87fff Memory Mapped File Readable, Writable, Executable True False False -
mscoree.dll 0x73f90000 0x73fe8fff Memory Mapped File Readable, Writable, Executable True False False -
mswsock.dll 0x74010000 0x7405dfff Memory Mapped File Readable, Writable, Executable False False False -
system.ni.dll 0x74060000 0x74802fff Memory Mapped File Readable, Writable, Executable True False False -
dhcpcsvc.dll 0x74820000 0x74833fff Memory Mapped File Readable, Writable, Executable False False False -
dhcpcsvc6.dll 0x74840000 0x74852fff Memory Mapped File Readable, Writable, Executable False False False -
dnsapi.dll 0x74860000 0x748e3fff Memory Mapped File Readable, Writable, Executable False False False -
iphlpapi.dll 0x748f0000 0x7491ffff Memory Mapped File Readable, Writable, Executable False False False -
system.drawing.ni.dll 0x74920000 0x74aa8fff Memory Mapped File Readable, Writable, Executable True False False -
mscorjit.dll 0x74ab0000 0x74b0afff Memory Mapped File Readable, Writable, Executable True False False -
culture.dll 0x74b10000 0x74b17fff Memory Mapped File Readable, Writable, Executable True False False -
winnsi.dll 0x74b20000 0x74b27fff Memory Mapped File Readable, Writable, Executable False False False -
rsaenh.dll 0x74b30000 0x74b5efff Memory Mapped File Readable, Writable, Executable False False False -
bcrypt.dll 0x74b60000 0x74b7afff Memory Mapped File Readable, Writable, Executable False False False -
cryptsp.dll 0x74b80000 0x74b92fff Memory Mapped File Readable, Writable, Executable False False False -
uxtheme.dll 0x74bc0000 0x74c34fff Memory Mapped File Readable, Writable, Executable False False False -
bcryptprimitives.dll 0x74ce0000 0x74d38fff Memory Mapped File Readable, Writable, Executable False False False -
cryptbase.dll 0x74d40000 0x74d49fff Memory Mapped File Readable, Writable, Executable False False False -
sspicli.dll 0x74d50000 0x74d6dfff Memory Mapped File Readable, Writable, Executable False False False -
user32.dll 0x74d70000 0x74eaffff Memory Mapped File Readable, Writable, Executable False False False -
profapi.dll 0x75070000 0x7507efff Memory Mapped File Readable, Writable, Executable False False False -
shlwapi.dll 0x75080000 0x750c3fff Memory Mapped File Readable, Writable, Executable False False False -
windows.storage.dll 0x750d0000 0x755acfff Memory Mapped File Readable, Writable, Executable False False False -
shell32.dll 0x755b0000 0x7696efff Memory Mapped File Readable, Writable, Executable False False False -
kernelbase.dll 0x76970000 0x76ae5fff Memory Mapped File Readable, Writable, Executable False False False -
gdi32.dll 0x76ca0000 0x76decfff Memory Mapped File Readable, Writable, Executable False False False -
kernel.appcore.dll 0x76f60000 0x76f6bfff Memory Mapped File Readable, Writable, Executable False False False -
msctf.dll 0x76f70000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False -
combase.dll 0x77090000 0x77249fff Memory Mapped File Readable, Writable, Executable False False False -
sechost.dll 0x77250000 0x77292fff Memory Mapped File Readable, Writable, Executable False False False -
ole32.dll 0x77430000 0x77519fff Memory Mapped File Readable, Writable, Executable False False False -
imm32.dll 0x775e0000 0x7760afff Memory Mapped File Readable, Writable, Executable False False False -
kernel32.dll 0x77670000 0x7775ffff Memory Mapped File Readable, Writable, Executable False False False -
powrprof.dll 0x777f0000 0x77833fff Memory Mapped File Readable, Writable, Executable False False False -
shcore.dll 0x778a0000 0x7792cfff Memory Mapped File Readable, Writable, Executable False False False -
ws2_32.dll 0x77930000 0x7798bfff Memory Mapped File Readable, Writable, Executable False False False -
advapi32.dll 0x77990000 0x77a0afff Memory Mapped File Readable, Writable, Executable False False False -
msvcrt.dll 0x77a10000 0x77acdfff Memory Mapped File Readable, Writable, Executable False False False -
nsi.dll 0x77ad0000 0x77ad6fff Memory Mapped File Readable, Writable, Executable False False False -
rpcrt4.dll 0x77af0000 0x77b9bfff Memory Mapped File Readable, Writable, Executable False False False -
ntdll.dll 0x77c40000 0x77db8fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x000000007fb4b000 0x7fb4b000 0x7fb4dfff Private Memory Readable, Writable True False False -
private_0x000000007fb4e000 0x7fb4e000 0x7fb50fff Private Memory Readable, Writable True False False -
private_0x000000007fb51000 0x7fb51000 0x7fb53fff Private Memory Readable, Writable True False False -
private_0x000000007fb54000 0x7fb54000 0x7fb56fff Private Memory Readable, Writable True False False -
private_0x000000007fb57000 0x7fb57000 0x7fb59fff Private Memory Readable, Writable True False False -
private_0x000000007fb5a000 0x7fb5a000 0x7fb5cfff Private Memory Readable, Writable True False False -
private_0x000000007fb5d000 0x7fb5d000 0x7fb5ffff Private Memory Readable, Writable True False False -
pagefile_0x000000007fb60000 0x7fb60000 0x7fc5ffff Pagefile Backed Memory Readable True False False -
pagefile_0x000000007fc60000 0x7fc60000 0x7fc82fff Pagefile Backed Memory Readable True False False -
private_0x000000007fc83000 0x7fc83000 0x7fc83fff Private Memory Readable, Writable True False False -
private_0x000000007fc86000 0x7fc86000 0x7fc88fff Private Memory Readable, Writable True False False -
private_0x000000007fc89000 0x7fc89000 0x7fc89fff Private Memory Readable, Writable True False False -
private_0x000000007fc8a000 0x7fc8a000 0x7fc8cfff Private Memory Readable, Writable True False False -
private_0x000000007fc8d000 0x7fc8d000 0x7fc8ffff Private Memory Readable, Writable True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False -
private_0x000000007fff0000 0x7fff0000 0x7ffc03e6ffff Private Memory Readable True False False -
ntdll.dll 0x7ffc03e70000 0x7ffc04031fff Memory Mapped File Readable, Writable, Executable False False False -
private_0x00007ffc04032000 0x7ffc04032000 0x7ffffffeffff Private Memory Readable True False False -
For performance reasons, the remaining 166 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Control Flow #4: c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe 0xe9c os_tid = 0xecc True 1
Created Files
Filename File Size Hash Values YARA Match Actions
c:\temp\tempgh.exe 930.50 KB MD5: b4f28747a0a9317123f0ef109c580844 SHA1: 295fee553b1e703722cd1923697284bac3061190 SHA256: 1dd788c038b4d8d2d3302d7a33162322d0896c7d17888e2fa34204b66c9aee50 False
c:\users\ciihmnxmn6ps\appdata\roaming\temp\tempgh.exe 930.50 KB MD5: b4f28747a0a9317123f0ef109c580844 SHA1: 295fee553b1e703722cd1923697284bac3061190 SHA256: 1dd788c038b4d8d2d3302d7a33162322d0896c7d17888e2fa34204b66c9aee50 False
c:\users\ciihmnxmn6ps\appdata\roaming\imminent\logs\04-04-2018 0.00 KB MD5: 33be604f8044d5984e8e3e3b694d710a SHA1: 512c5f801e9fbd73aeefd8e7eaa5ad86bfe2df09 SHA256: 3f785f1cc535b0987139623200c7910b2b28f92dfe3309e8e071c091d0ce7313 False
c:\users\ciihmnxmn6ps\appdata\roaming\imminent\path.dat 0.05 KB MD5: dec2ea43741c17cdc573e1b22def8a03 SHA1: 5503298bf3e0482687610416190c400d100d73de SHA256: 9e901ac2a4eda4d90bb3b81407d28bff737d92d0fb16e685940021e6a4cd2fd0 False
c:\users\ciihmnxmn6ps\appdata\roaming\imminent\monitoring\network.dat 0.03 KB MD5: 7e6fcf7a603fc7483139540b7aae5c4d SHA1: a89d3174f2757e2effafc3333d6e6fbeccfeb7e5 SHA256: 8975b8f79e75bf1e0518e5eee7089a74db3a412899916e42513ddea655d56c09 False
c:\users\ciihmnxmn6ps\appdata\roaming\imminent\monitoring\system.dat 0.02 KB MD5: 4bbe01de8b5c05457fe0e2d00b92a4f5 SHA1: 57fadd9d52fafafac33e12cfac0a940ebda920ac SHA256: a1093478b098fcf27c8f1a43c3a33128120bc4d878a7516e7a081138f2907bef False
c:\users\ciihmnxmn6ps\appdata\roaming\imminent\logs\04-04-2018 0.13 KB MD5: 284ee57c2994704edb0ec56ecea439b7 SHA1: 0ba7e259935e64bb2a2ea49336c8d7a6778bb2c3 SHA256: 6309cc26e2acd3de2cc53b94dc07634b2c43f4ece3d7133334b5f920416931c2 False
c:\users\ciihmnxmn6ps\appdata\roaming\imminent\logs\04-04-2018 0.22 KB MD5: 783eba03e3a9eabf6a07770e4ac34a31 SHA1: a04dc6586ef6222f35c52a2d5d58ebbc3ed17c4a SHA256: 135a5990df4c51cfc8f57ead26fc118968b92b539cd5d49a63cdec332fe01e6e False
c:\users\ciihmnxmn6ps\appdata\roaming\imminent\geo.dat 0.03 KB MD5: 578cfdf82faec2371534ddb644d01e8f SHA1: 87f61df7bb172cff6ea6ab62015b529cbfd17351 SHA256: 5962c24909ba9bc4c23fe69431b361a81e56cf1771186d9d8705f912b73b88fe False
c:\users\ciihmnxmn6ps\appdata\roaming\imminent\logs\04-04-2018 0.32 KB MD5: 261661546b48e7e98ad0d46c890fbea2 SHA1: 18ce301664e9ecb8a17cf3d095fdfa89a7bc6fee SHA256: 553087e058189f40e333e820016c7c03bb11efcfbb832f879a4ca9241b8302a0 False
Host Behavior
COM (35)
Operation Class Interface Additional Information Success Count Logfile
Create WbemDefaultPathParser IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 6
Create WBEMLocator IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 3
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER True 6
Create WbemDefaultPathParser IWbemPath cls_context = CLSCTX_INPROC_SERVER True 13
Create 62BE5D10-60EB-11D0-BD3B-00A0C911CE86 00000001-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\cimv2 True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\cimv2 True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\SecurityCenter2 True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\SecurityCenter True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\cimv2 True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\cimv2 True 1
File (223)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\temp\tempgh.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ False 4
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Monitoring\network.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Monitoring\system.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Geo.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Geo.dat desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create Directory C:\temp - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs - True 1
Create Directory C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Monitoring - True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.config type = file_attributes False 3
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_attributes True 2
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_type True 2
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = size, size_out = 0 True 1
Get Info C:\temp type = file_attributes False 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp type = file_attributes False 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps type = file_attributes True 3
Get Info C:\Users type = file_attributes True 3
Get Info C:\temp\tempgh.exe type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe type = size, size_out = 0 True 1
Get Info C:\temp\tempgh.exe type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp type = file_attributes True 17
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe type = file_attributes True 17
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\ type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Monitoring\network.dat type = file_attributes False 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Monitoring\system.dat type = file_attributes False 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Monitoring\ type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Monitoring type = file_attributes False 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent type = file_attributes True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Monitoring\ type = file_attributes True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Monitoring\network.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Monitoring\system.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 type = file_type True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 type = file_attributes True 3
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Geo.dat type = file_attributes False 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 type = file_type True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Geo.dat type = file_type True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Geo.dat type = file_attributes True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Geo.dat type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 type = file_type True 4
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 type = size, size_out = 0 True 1
Get Info C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat type = file_type True 2
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 6
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 1459 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 0 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe size = 952832, size_out = 952832 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe size = 952832, size_out = 952832 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 size = 4096, size_out = 5 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 size = 4096, size_out = 133 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Geo.dat size = 4096, size_out = 33 True 1
Read C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 size = 4096, size_out = 229 True 1
Write C:\temp\tempgh.exe size = 952832 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe size = 952832 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 size = 5 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Monitoring\network.dat size = 27 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Monitoring\system.dat size = 18 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 size = 133 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 size = 229 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Geo.dat size = 33 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Logs\04-04-2018 size = 325 True 1
Write C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Imminent\Path.dat size = 53 True 1
Delete C:\Users\CIiHmnxMn6Ps\AppData\Roaming\vfggggg.exe:Zone.Identifier - False 1
Registry (88)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting - True 2
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe - False 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = 0, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = %systemroot%\system32\netfxperf.dll, type = REG_EXPAND_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, data = 5840, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = Counter Names, type = REG_BINARY True 2
Fn
Data
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Impersonation Level, data = 3 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Namespace True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Namespace, data = 114 True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework value_name = LegacyWPADSupport, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 value_name = SchUseStrongCrypto, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = 0, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = \temp\tempgh.exe, size = 34, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = ghh, data = C:\Users\CIiHmnxMn6Ps\AppData\Roaming\temp\tempgh.exe, size = 108, type = REG_SZ True 1
Fn
Module (61)
Operation Module Additional Information Success Count Logfile
Load C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll base_address = 0x74810000 True 1
Fn
Load C:\Windows\system32\advapi32.dll base_address = 0x77990000 True 1
Fn
Get Handle private_0x0000000000400000 base_address = 0x400000 True 4
Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x74d70000 True 1
Fn
Get Handle 0 base_address = 0x0 False 1
Fn
Get Address Unknown module name function = ResetSecurity, address_out = 0x74811944 True 1
Fn
Get Address Unknown module name function = SetSecurity, address_out = 0x74811986 True 1
Fn
Get Address Unknown module name function = BlessIWbemServices, address_out = 0x748119cc True 1
Fn
Get Address Unknown module name function = BlessIWbemServicesObject, address_out = 0x74811a1e True 1
Fn
Get Address Unknown module name function = GetPropertyHandle, address_out = 0x74811a70 True 1
Fn
Get Address Unknown module name function = WritePropertyValue, address_out = 0x74811a89 True 1
Fn
Get Address Unknown module name function = Clone, address_out = 0x74811aa2 True 2
Fn
Get Address Unknown module name function = VerifyClientKey, address_out = 0x74812270 True 1
Fn
Get Address Unknown module name function = GetQualifierSet, address_out = 0x74811d73 True 1
Fn
Get Address Unknown module name function = Get, address_out = 0x74811b96 True 1
Fn
Get Address Unknown module name function = Put, address_out = 0x74811b7a True 1
Fn
Get Address Unknown module name function = Delete, address_out = 0x74811bb5 True 1
Fn
Get Address Unknown module name function = GetNames, address_out = 0x74811bc8 True 1
Fn
Get Address Unknown module name function = BeginEnumeration, address_out = 0x74811be4 True 1
Fn
Get Address Unknown module name function = Next, address_out = 0x74811bf7 True 1
Fn
Get Address Unknown module name function = EndEnumeration, address_out = 0x74811c16 True 1
Fn
Get Address Unknown module name function = GetPropertyQualifierSet, address_out = 0x74811c26 True 1
Fn
Get Address Unknown module name function = GetObjectText, address_out = 0x74811c3c True 1
Fn
Get Address Unknown module name function = SpawnDerivedClass, address_out = 0x74811c52 True 1
Fn
Get Address Unknown module name function = SpawnInstance, address_out = 0x74811c68 True 1
Fn
Get Address Unknown module name function = CompareTo, address_out = 0x74811c7e True 1
Fn
Get Address Unknown module name function = GetPropertyOrigin, address_out = 0x74811c94 True 1
Fn
Get Address Unknown module name function = InheritsFrom, address_out = 0x74811caa True 1
Fn
Get Address Unknown module name function = GetMethod, address_out = 0x74811cbd True 1
Fn
Get Address Unknown module name function = PutMethod, address_out = 0x74811cd9 True 1
Fn
Get Address Unknown module name function = DeleteMethod, address_out = 0x74811cf5 True 1
Fn
Get Address Unknown module name function = BeginMethodEnumeration, address_out = 0x74811d08 True 1
Fn
Get Address Unknown module name function = NextMethod, address_out = 0x74811d1b True 1
Fn
Get Address Unknown module name function = EndMethodEnumeration, address_out = 0x74811d37 True 1
Fn
Get Address Unknown module name function = GetMethodQualifierSet, address_out = 0x74811d47 True 1
Fn
Get Address Unknown module name function = GetMethodOrigin, address_out = 0x74811d5d True 1
Fn
Get Address Unknown module name function = QualifierSet_Get, address_out = 0x74811d86 True 1
Fn
Get Address Unknown module name function = QualifierSet_Put, address_out = 0x74811da2 True 1
Fn
Get Address Unknown module name function = QualifierSet_Delete, address_out = 0x74811dbb True 1
Fn
Get Address Unknown module name function = QualifierSet_GetNames, address_out = 0x74811dce True 1
Fn
Get Address Unknown module name function = QualifierSet_BeginEnumeration, address_out = 0x74811de4 True 1
Fn
Get Address Unknown module name function = QualifierSet_Next, address_out = 0x74811df7 True 1
Fn
Get Address Unknown module name function = QualifierSet_EndEnumeration, address_out = 0x74811e13 True 1
Fn
Get Address Unknown module name function = GetCurrentApartmentType, address_out = 0x74811d73 True 1
Fn
Get Address Unknown module name function = GetDemultiplexedStub, address_out = 0x748118fd True 1
Fn
Get Address Unknown module name function = CreateInstanceEnumWmi, address_out = 0x74811580 True 1
Fn
Get Address Unknown module name function = CreateClassEnumWmi, address_out = 0x748115f6 True 1
Fn
Get Address Unknown module name function = ExecQueryWmi, address_out = 0x7481169e True 1
Fn
Get Address Unknown module name function = ExecNotificationQueryWmi, address_out = 0x74811717 True 1
Fn
Get Address Unknown module name function = PutInstanceWmi, address_out = 0x74811790 True 1
Fn
Get Address Unknown module name function = PutClassWmi, address_out = 0x74811810 True 1
Fn
Get Address Unknown module name function = CloneEnumWbemClassObject, address_out = 0x74811890 True 1
Fn
Get Address Unknown module name function = ConnectServerWmi, address_out = 0x748124b7 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = DuplicateTokenEx, address_out = 0x779b0c20 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x77cbcaa0 True 1
Fn
Create Mapping - filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 True 1
Fn
Map - process_name = c:\users\ciihmnxmn6ps\appdata\roaming\vfggggg.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Window (4)
Operation Window Name Additional Information Success Count Logfile
Create .NET-BroadcastEventWindow.2.0.0.0.33c0d9d.0 class_name = .NET-BroadcastEventWindow.2.0.0.0.33c0d9d.0, wndproc_parameter = 0 True 1
Fn
Create - class_name = WindowsForms10.Window.8.app.0.33c0d9d, wndproc_parameter = 0 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = 18446744073709551612, new_long = 2009844384 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = 18446744073709551612, new_long = 23400890 True 1
Fn
System (13)
Operation Additional Information Success Count Logfile
Open Certificate Store encoding_type = 65537, flags = 8708 True 1
Fn
Get Computer Name result_out = LHNIWSJ True 2
Fn
Register Hook type = WH_KEYBOARD_LL, hookproc_address = 0x16511ea True 1
Fn
Get Info type = Operating System True 7
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = Hardware Information True 1
Fn
Mutex (25)
Operation Additional Information Success Count Logfile
Create mutex_name = d6255d76-fd1b-49c2-b1bf-bb2df53c6c67 True 1
Fn
Create mutex_name = Global\.net clr networking True 10
Fn
Create mutex_name = Global\.net clr networking False 1
Fn
Create mutex_name = d6255d76-fd1b-49c2-b1bf-bb2df53c6c67 True 1
Fn
Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Release mutex_name = Global\.net clr networking True 1
Fn
Release mutex_name = Global\.net clr networking True 10
Fn
Environment (3)
Operation Additional Information Success Count Logfile
Get Environment String name = COR_PROFILER False 1
Fn
Get Environment String name = COR_ENABLE_PROFILING False 1
Fn
Get Environment String name = AppData, result_out = C:\Users\CIiHmnxMn6Ps\AppData\Roaming True 1
Fn
Network Behavior
DNS (4)
Operation Additional Information Success Count Logfile
Get Hostname name_out = LHnIwsj True 1
Fn
Resolve Name host = LHnIwsj, address_out = 192.168.0.96 True 1
Fn
Resolve Name host = dankleo01.chickenkiller.com, address_out = 91.192.100.59 True 1
Fn
Resolve Name host = www.iptrackeronline.com, address_out = 45.55.57.244 True 1
Fn
TCP Sessions (1)
Information Value
Total Data Sent 498 bytes
Total Data Received 22.07 KB
Contacted Host Count 1
Contacted Hosts 45.55.57.244:443
TCP Session #1
Information Value
Handle 0x890
Address Family AF_INET
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 45.55.57.244
Remote Port 443
Local Address 0.0.0.0
Local Port 49422
Data Sent 498 bytes
Data Received 22.07 KB
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 45.55.57.244, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 135, size_out = 135 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65, size_out = 65 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 2529, size_out = 2529 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 331, size_out = 331 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 4, size_out = 4 True 1
Fn
Data
Send flags = NO_FLAG_SET, size = 134, size_out = 134 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 218, size_out = 218 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Send flags = NO_FLAG_SET, size = 229, size_out = 229 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 400, size_out = 400 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5056, size_out = 5056 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 4192, size_out = 4192 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 4144, size_out = 4144 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5312, size_out = 5312 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 32, size_out = 32 True 1
Fn
Data