VMRay Analyzer Report
Try VMRay Analyzer
Monitored Processes
Process Graph
Behavior Information - Grouped by Category
Process #1: ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe
(Host: 1315, Network: 0)
+
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:19, Reason: Analysis Target
Unmonitor End Time: 00:01:07, Reason: Terminated by Timeout
Monitor Duration 00:00:48
OS Process Information
+
Information Value
PID 0x9e8
Parent PID 0x564 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x 9EC
0x A00
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True True False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True True False
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False
  • Region Actions
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory Readable, Writable True True False
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000260000 0x00260000 0x00266fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x0000000000270000 0x00270000 0x00271fff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
pagefile_0x0000000000280000 0x00280000 0x00281fff Pagefile Backed Memory Readable True False False
  • Region Actions
msctf.dll.mui 0x00280000 0x00280fff Memory Mapped File Readable, Writable False False False
  • Region Actions
private_0x0000000000290000 0x00290000 0x0030ffff Private Memory Readable, Writable True True False
private_0x0000000000310000 0x00310000 0x0034ffff Private Memory Readable, Writable True True False
private_0x0000000000350000 0x00350000 0x0035ffff Private Memory Readable, Writable True True False
private_0x0000000000360000 0x00360000 0x0039ffff Private Memory Readable, Writable True True False
pagefile_0x00000000003a0000 0x003a0000 0x003a1fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x00000000003a0000 0x003a0000 0x003a8fff Private Memory Readable, Writable, Executable True True False
private_0x00000000003b0000 0x003b0000 0x003b0fff Private Memory Readable, Writable True True False
ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe 0x00400000 0x00447fff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000000450000 0x00450000 0x0052efff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000540000 0x00540000 0x0063ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000640000 0x00640000 0x007c7fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000000800000 0x00800000 0x0080ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000810000 0x00810000 0x00990fff Pagefile Backed Memory Readable True False False
  • Region Actions
pagefile_0x00000000009a0000 0x009a0000 0x01d9ffff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x0000000001da0000 0x01da0000 0x01f3ffff Private Memory Readable, Writable True True False
private_0x0000000001da0000 0x01da0000 0x01e2ffff Private Memory Readable, Writable True True False
private_0x0000000001da0000 0x01da0000 0x01e1ffff Private Memory Readable, Writable True True False
private_0x0000000001e20000 0x01e20000 0x01e2ffff Private Memory Readable, Writable True True False
private_0x0000000001f00000 0x01f00000 0x01f3ffff Private Memory Readable, Writable True True False
private_0x0000000001f60000 0x01f60000 0x01f6ffff Private Memory Readable, Writable True True False
private_0x0000000001f70000 0x01f70000 0x0236ffff Private Memory Readable, Writable True True False
sortdefault.nls 0x02370000 0x0263efff Memory Mapped File Readable False False False
  • Region Actions
pagefile_0x0000000002640000 0x02640000 0x02a32fff Pagefile Backed Memory Readable True False False
  • Region Actions
staticcache.dat 0x02a40000 0x0336ffff Memory Mapped File Readable False False False
  • Region Actions
private_0x0000000003370000 0x03370000 0x0346ffff Private Memory Readable, Writable True True False
private_0x0000000003470000 0x03470000 0x0746ffff Private Memory Readable, Writable, Executable True False False
  • Region Actions
msvbvm60.dll 0x72940000 0x72a92fff Memory Mapped File Readable, Writable, Executable True False False
  • Region Actions
dwmapi.dll 0x73430000 0x73442fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
uxtheme.dll 0x738b0000 0x7392ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64win.dll 0x73a70000 0x73acbfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64.dll 0x73ad0000 0x73b0efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64cpu.dll 0x73b40000 0x73b47fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
winspool.drv 0x74e60000 0x74eb0fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sxs.dll 0x74ec0000 0x74f1efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
cryptbase.dll 0x750b0000 0x750bbfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sspicli.dll 0x750c0000 0x7511ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
user32.dll 0x75120000 0x7521ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
sechost.dll 0x75240000 0x75258fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msvcrt.dll 0x75260000 0x7530bfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x75320000 0x75365fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
rpcrt4.dll 0x753c0000 0x754affff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
gdi32.dll 0x754e0000 0x7556ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ole32.dll 0x75570000 0x756cbfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shell32.dll 0x75790000 0x763d9fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
oleaut32.dll 0x763e0000 0x7646efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x765b0000 0x766bffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
lpk.dll 0x76750000 0x76759fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
advapi32.dll 0x76760000 0x767fffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
msctf.dll 0x76a00000 0x76acbfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
imm32.dll 0x76ad0000 0x76b2ffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
usp10.dll 0x76b30000 0x76bccfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
shlwapi.dll 0x77100000 0x77156fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x0000000077160000 0x77160000 0x77259fff Private Memory Readable, Writable, Executable True True False
private_0x0000000077260000 0x77260000 0x7737efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x77560000 0x776dffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
  • Region Actions
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
  • Region Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
  • Region Actions
Host Behavior
File (6)
+
Operation Filename Additional Information Success Count Logfile
Get Info STD_INPUT_HANDLE type = file_type False 1
Fn
Get Info STD_OUTPUT_HANDLE type = file_type False 1
Fn
Get Info STD_ERROR_HANDLE type = file_type False 1
Fn
Open STD_INPUT_HANDLE True 1
Fn
Open STD_OUTPUT_HANDLE True 1
Fn
Open STD_ERROR_HANDLE True 1
Fn
Registry (2)
+
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors False 2
Fn
Process (1)
+
Operation Process Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe os_pid = 0xa20, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Fn
Thread (3)
+
Operation Process Additional Information Success Count Logfile
Get Context c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe os_tid = 0x9ec True 1
Fn
Set Context c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe os_tid = 0x9ec True 1
Fn
Resume c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe os_tid = 0x9ec True 1
Fn
Memory (5)
+
Operation Process Additional Information Success Count Logfile
Allocate C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe address = 0x3470004, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 55009560 True 1
Fn
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe address = 0x400000, size = 512 True 1
Fn
Data
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe address = 0x400000, size = 1 True 1
Fn
Data
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe address = 0x401000, size = 141824 True 1
Fn
Data
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe address = 0x7efde008, size = 4 True 1
Fn
Data
Module (158)
+
Operation Module Additional Information Success Count Logfile
Load OLEAUT32.DLL base_address = 0x763e0000 True 1
Fn
Load SXS.DLL base_address = 0x74ec0000 True 1
Fn
Load ADVAPI32.DLL base_address = 0x76760000 True 2
Fn
Load user32 base_address = 0x75120000 True 5
Fn
Load winspool.drv base_address = 0x74e60000 True 1
Fn
Load Msvbvm60.dll base_address = 0x72940000 True 1
Fn
Load kernel32 base_address = 0x765b0000 True 18
Fn
Load advapi32 base_address = 0x76760000 True 1
Fn
Load shell32 base_address = 0x75790000 True 1
Fn
Load ntdll base_address = 0x77560000 True 8
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x765b0000 True 2
Fn
Get Handle c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe base_address = 0x400000 True 1
Fn
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x763e0000 True 1
Fn
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x75570000 True 1
Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x75120000 True 1
Fn
Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe, size = 260 True 3
Fn
Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 3
Fn
Get Filename c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe, size = 260 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsTNT, address_out = 0x0 False 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x765c5235 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = OleLoadPictureEx, address_out = 0x764470a1 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = DispCallFunc, address_out = 0x763f3dcf True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = LoadTypeLibEx, address_out = 0x763f07b7 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = UnRegisterTypeLib, address_out = 0x76411ca9 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = CreateTypeLib2, address_out = 0x763f8e70 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDateFromUdate, address_out = 0x763f7684 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarUdateFromDate, address_out = 0x763fcc98 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = GetAltMonthNames, address_out = 0x7642903a True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarNumFromParseNum, address_out = 0x763f6231 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarParseNumFromStr, address_out = 0x763f5fea True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR4, address_out = 0x76403f94 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR8, address_out = 0x76404e9e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromDate, address_out = 0x7642db72 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromI4, address_out = 0x76412a8c True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromCy, address_out = 0x7642d737 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarR4FromDec, address_out = 0x7642e015 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromTypeInfo, address_out = 0x7642cc3d True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromGuids, address_out = 0x7642d1c4 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetRecordInfo, address_out = 0x7642d48c True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetRecordInfo, address_out = 0x7642d4c6 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetIID, address_out = 0x7642d509 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetIID, address_out = 0x763fe7bb True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCopyData, address_out = 0x763fe496 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayAllocDescriptorEx, address_out = 0x763fddf1 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCreateEx, address_out = 0x7642d53f True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormat, address_out = 0x76432055 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatDateTime, address_out = 0x764320ea True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatNumber, address_out = 0x76432151 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatPercent, address_out = 0x764321f5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatCurrency, address_out = 0x76432288 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarWeekdayName, address_out = 0x76432335 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarMonthName, address_out = 0x764323d5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarAdd, address_out = 0x76405934 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarAnd, address_out = 0x76405a98 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarCat, address_out = 0x764059b4 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDiv, address_out = 0x7645e405 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarEqv, address_out = 0x7645ef07 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarIdiv, address_out = 0x7645f00a True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarImp, address_out = 0x7645ef47 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarMod, address_out = 0x7645f15e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarMul, address_out = 0x7645dbd4 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarOr, address_out = 0x7645ecfa True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarPow, address_out = 0x7645ea66 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarSub, address_out = 0x7645d332 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarXor, address_out = 0x7645ee2e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarAbs, address_out = 0x7645ca11 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFix, address_out = 0x7645cc5f True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarInt, address_out = 0x7645cde7 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarNeg, address_out = 0x7645c802 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarNot, address_out = 0x7645ec66 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarRound, address_out = 0x7645d155 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarCmp, address_out = 0x763fb0dc True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecAdd, address_out = 0x76415f3e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecCmp, address_out = 0x76404fd0 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCat, address_out = 0x76400d2c True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarCyMulI4, address_out = 0x764159ed True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCmp, address_out = 0x763ef8b8 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstanceEx, address_out = 0x755b9d4e True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x75580782 True 1
Fn
Get Address c:\windows\syswow64\sxs.dll function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x74f07685 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x75137d2f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromWindow, address_out = 0x75143150 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromRect, address_out = 0x7515e7a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromPoint, address_out = 0x75145281 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EnumDisplayMonitors, address_out = 0x7514451a True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMonitorInfoA, address_out = 0x75144413 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseEventLog, address_out = 0x767677c3 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = SetAclInformation, address_out = 0x767a34e3 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateDialogIndirectParamA, address_out = 0x7514b029 True 1
Fn
Get Address c:\windows\syswow64\winspool.drv function = DeletePrintProcessorA, address_out = 0x74e68aff True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExA, address_out = 0x7513d22e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x75140dfb True 1
Fn
Get Address c:\windows\syswow64\msvbvm60.dll function = rtcDoEvents, address_out = 0x72a0e0f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EnumWindows, address_out = 0x7513d1cf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x765c1856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x765c110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x765c10ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x765c1b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x765c11a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x765dd9b0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetCursorPos, address_out = 0x75141218 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x76774907 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x765c1410 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x757a3c71 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x765c1282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x765c3f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x765dd802 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtectEx, address_out = 0x766445bf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x765c103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathW, address_out = 0x765dd4dc True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLongPathNameW, address_out = 0x765ca315 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x765c196e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x765c3ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x765c5223 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtAllocateVirtualMemory, address_out = 0x7757fab0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteVirtualMemory, address_out = 0x7757fe04 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtTerminateThread, address_out = 0x77580074 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenEvent, address_out = 0x7757fe98 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x7757fc70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtGetContextThread, address_out = 0x77580c20 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtSetContextThread, address_out = 0x77581910 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtResumeThread, address_out = 0x77580058 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x765d174d True 1
Fn
Window (9)
+
Operation Window Name Additional Information Success Count Logfile
Create class_name = ThunderRT6Main, wndproc_parameter = 0 True 1
Fn
Create class_name = VBMsoStdCompMgr, wndproc_parameter = 0 True 1
Fn
Create class_name = VBFocusRT6, wndproc_parameter = 0 True 1
Fn
Create Southlander wndproc_parameter = 0 True 1
Fn
Create Southlander wndproc_parameter = 0 True 1
Fn
Create çSÌ¥’ËhєÃ7¯¸X ²B class_name = STATIC, wndproc_parameter = 0 True 1
Fn
Set Attribute class_name = VBMsoStdCompMgr, index = 0, new_long = 3547292 False 1
Fn
Set Attribute Southlander index = 18446744073709551600, new_long = 114229248 True 1
Fn
Set Attribute Southlander index = 18446744073709551596, new_long = 256 True 1
Fn
Keyboard (1)
+
Operation Additional Information Success Count Logfile
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1
Fn
System (1001)
+
Operation Additional Information Success Count Logfile
Get Cursor x_out = 440, y_out = 844 True 489
Fn
Get Cursor x_out = 121, y_out = 798 True 1
Fn
Sleep duration = 0 milliseconds (0.000 seconds) True 3
Fn
Sleep duration = 2000 milliseconds (2.000 seconds) True 1
Fn
Sleep duration = 1 milliseconds (0.001 seconds) True 489
Fn
Get Time type = Ticks, time = 59467 True 1
Fn
Get Time type = Ticks, time = 59483 True 2
Fn
Get Time type = Ticks, time = 59639 True 2
Fn
Get Time type = Ticks, time = 59670 True 4
Fn
Get Time type = Ticks, time = 66050 True 1
Fn
Get Time type = Ticks, time = 75317 True 1
Fn
Get Time type = Ticks, time = 77329 True 1
Fn
Get Info type = Operating System True 3
Fn
Get Info type = Operating System False 2
Fn
Get Info type = Hardware Information True 1
Fn
Mutex (1)
+
Operation Additional Information Success Count Logfile
Create True 1
Fn
Environment (1)
+
Operation Additional Information Success Count Logfile
Get Environment String True 1
Fn
Data
Process #2: ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe
(Host: 8, Network: 0)
+
Information Value
ID #2
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:50, Reason: Child Process
Unmonitor End Time: 00:01:07, Reason: Terminated by Timeout
Monitor Duration 00:00:17
OS Process Information
+
Information Value
PID 0xa20
Parent PID 0x9e8 (c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A24
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
  • Region Actions
private_0x0000000000020000 0x00020000 0x0002ffff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True True False
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False
  • Region Actions
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False
  • Region Actions
private_0x00000000002b0000 0x002b0000 0x0032ffff Private Memory Readable, Writable True True False
private_0x0000000000400000 0x00400000 0x00423fff Private Memory Readable, Writable, Executable True True False
private_0x0000000000540000 0x00540000 0x0063ffff Private Memory Readable, Writable True True False
private_0x0000000000780000 0x00780000 0x00900fff Private Memory Readable, Writable True True False
private_0x0000000000910000 0x00910000 0x00c12fff Private Memory Readable, Writable, Executable True True False
wow64win.dll 0x73a70000 0x73acbfff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64.dll 0x73ad0000 0x73b0efff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
wow64cpu.dll 0x73b40000 0x73b47fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernelbase.dll 0x75320000 0x75365fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
kernel32.dll 0x765b0000 0x766bffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
private_0x0000000077160000 0x77160000 0x77259fff Private Memory Readable, Writable, Executable True True False
private_0x0000000077260000 0x77260000 0x7737efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
ntdll.dll 0x77560000 0x776dffff Memory Mapped File Readable, Writable, Executable False False False
  • Region Actions
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
  • Region Actions
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
  • Region Actions
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
  • Region Actions
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
  • Region Actions
Injection Information
+
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe 0x9ec address = 0x400000, size = 512 True 1
Fn
Data
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe 0x9ec address = 0x400000, size = 1 True 1
Fn
Data
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe 0x9ec address = 0x401000, size = 141824 True 1
Fn
Data
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe 0x9ec address = 0x7efde008, size = 4 True 1
Fn
Data
Modify Control Flow #1: c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe 0x9ec os_tid = 0xa24, address = 0x775701c4 True 1
Fn
Host Behavior
File (5)
+
Operation Filename Additional Information Success Count Logfile
Create \??\C:\Windows\SysWOW64\ntdll.dll desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2
Fn
Get Info \??\C:\Windows\SysWOW64\ntdll.dll type = extended True 2
Fn
Read \??\C:\Windows\SysWOW64\ntdll.dll offset = 0, size = 1292096 True 1
Fn
System (1)
+
Operation Additional Information Success Count Logfile
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Debug (1)
+
Operation Process Additional Information Success Count Logfile
Check for Presence c:\users\5p5nrgjn0js halpmcxz\desktop\ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d.exe True 1
Fn
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image