Analysis Report

Involved Hosts

Host	Resolved to	Country	City	Protocol
www.msn.com	204.79.197.203	US	Redmond	HTTP
go.microsoft.com	104.84.181.107	US	Cambridge	HTTP

Monitored Processes

Behavior Information - Grouped by Category

Process #1: 9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe

(Host: 190, Network: 0)

Information	Value
ID / OS PID	#1 / 0x5f0
OS Parent PID	0x7fc (c:\windows\explorer.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name	c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe
Command Line	"C:\Users\WI2yhmtI onvScY7Pe\Desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe"
Monitor	Start Time: 00:00:34, Reason: Analysis Target
Unmonitor	End Time: 00:02:04, Reason: Terminated
Monitor Duration	00:01:30
OS Thread IDs	#1 0x49C #2 0x82C #3 0x500 #4 0x3D8 #5 0x768 #6 0xF0 #7 0xBF4 #8 0x3A0 #9 0x4C4

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000010000	0x00010000	0x0002ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000010000	0x00010000	0x0001ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000020000	0x00020000	0x00023fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00031fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000030000	0x00030000	0x00030fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000040000	0x00040000	0x00053fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000060000	0x00060000	0x0009ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000000a0000	0x000a0000	0x0019ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000001a0000	0x001a0000	0x001a3fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000001b0000	0x001b0000	0x001b0fff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000001c0000	0x001c0000	0x001c1fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x001d0000	0x0028dfff	Memory Mapped File	Readable	Region Actions
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000290000	0x00290000	0x00290fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000290000	0x00290000	0x00290fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000290000	0x00290000	0x002cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x0030ffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000002d0000	0x002d0000	0x002dffff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000002e0000	0x002e0000	0x002edfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000002f0000	0x002f0000	0x0032ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000310000	0x00310000	0x0034ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000330000	0x00330000	0x00330fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000330000	0x00330000	0x00342fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000350000	0x00350000	0x00350fff	Private Memory	Readable, Writable	Region Actions
msvfw32.dll.mui	0x00360000	0x00361fff	Memory Mapped File	Readable	Region Actions
private_0x0000000000370000	0x00370000	0x0037ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000380000	0x00380000	0x00383fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000390000	0x00390000	0x00390fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003a0000	0x003a0000	0x003affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003b0000	0x003b0000	0x003b0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003c0000	0x003c0000	0x003c0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003d0000	0x003d0000	0x003d0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003e0000	0x003e0000	0x003e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000003f0000	0x003f0000	0x003f0fff	Private Memory	Readable, Writable	Region Actions
9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe	0x00400000	0x005d9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions Download
private_0x00000000005e0000	0x005e0000	0x006dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000005e0000	0x005e0000	0x006dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006e0000	0x006e0000	0x006e0fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000006f0000	0x006f0000	0x006f0fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000700000	0x00700000	0x00700fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000710000	0x00710000	0x00710fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000720000	0x00720000	0x00720fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000730000	0x00730000	0x00730fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000740000	0x00740000	0x0077ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000780000	0x00780000	0x0087ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000880000	0x00880000	0x0097ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000880000	0x00880000	0x0097ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000980000	0x00980000	0x00a7ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000980000	0x00980000	0x009bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000a80000	0x00a80000	0x00c07fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000c10000	0x00c10000	0x00c10fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000c20000	0x00c20000	0x00cb7fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000cc0000	0x00cc0000	0x00cfffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000d00000	0x00d00000	0x00d0ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000d10000	0x00d10000	0x00d10fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000d10000	0x00d10000	0x00d10fff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000d20000	0x00d20000	0x00d20fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d30000	0x00d30000	0x00d30fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000000d60000	0x00d60000	0x00d6ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000d70000	0x00d70000	0x00ef0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000f00000	0x00f00000	0x022fffff	Pagefile Backed Memory	Readable	Region Actions
private_0x00000000023f0000	0x023f0000	0x023fffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x02400000	0x02736fff	Memory Mapped File	Readable	Region Actions
private_0x0000000002740000	0x02740000	0x0283ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002840000	0x02840000	0x0293ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000002940000	0x02940000	0x02e31fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000002e40000	0x02e40000	0x02f3ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000002f40000	0x02f40000	0x0313ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003140000	0x03140000	0x0323ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000003240000	0x03240000	0x03616fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000003620000	0x03620000	0x039f6fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
wow64.dll	0x53cc0000	0x53d0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x53d10000	0x53d17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x53d20000	0x53d92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x74210000	0x742b6fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x742c0000	0x742eefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x742f0000	0x7430afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x74310000	0x74322fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
asycfilt.dll	0x74330000	0x74346fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x74350000	0x74610fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x74620000	0x7477ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x74780000	0x748c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x748d0000	0x74944fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dciman32.dll	0x74950000	0x74956fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ddraw.dll	0x74960000	0x74a4afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
devobj.dll	0x74a50000	0x74a70fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmmbase.dll	0x74a80000	0x74aa2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74ab0000	0x74ab7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvfw32.dll	0x74ac0000	0x74ae2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winmm.dll	0x74af0000	0x74b13fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msacm32.dll	0x74b20000	0x74b37fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wlanapi.dll	0x74b40000	0x74b8afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
glu32.dll	0x74b90000	0x74bb4fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x74bc0000	0x74beffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
WinSCard.dll	0x74bf0000	0x74c1cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
opengl32.dll	0x74c20000	0x74cfffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
avifil32.dll	0x74d00000	0x74d1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comctl32.dll	0x74d20000	0x74db1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
apphelp.dll	0x74dc0000	0x74e50fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74e60000	0x74eb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ec0000	0x74ec9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ed0000	0x74eedfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74ef0000	0x74fadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74fb0000	0x7502afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75030000	0x750c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
setupapi.dll	0x750d0000	0x75274fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x75280000	0x752c3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x752e0000	0x75455fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75460000	0x7548afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x75490000	0x75649fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75650000	0x7573ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wintrust.dll	0x75740000	0x75781fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75790000	0x758dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cfgmgr32.dll	0x75a60000	0x75a95fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SHCore.dll	0x75aa0000	0x75b2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75b90000	0x75bebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75bf0000	0x75d64fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75d70000	0x75d7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75d80000	0x75d8dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75d90000	0x75eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x75eb0000	0x75ef2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75f10000	0x7604ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76050000	0x76056fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
comdlg32.dll	0x761d0000	0x7628dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76290000	0x7629bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x762a0000	0x762e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
clbcatq.dll	0x762f0000	0x76371fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x76380000	0x7685cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76860000	0x7690bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76910000	0x77ccefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77cd0000	0x77db9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77dc0000	0x77f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007fe40000	0x7fe40000	0x7fe9ffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007fea7000	0x7fea7000	0x7fea9fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007feaa000	0x7feaa000	0x7feacfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007fead000	0x7fead000	0x7feaffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007fead000	0x7fead000	0x7feaffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007feb0000	0x7feb0000	0x7ffaffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ffb0000	0x7ffb0000	0x7ffd2fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd5000	0x7ffd5000	0x7ffd7fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffd8000	0x7ffd8000	0x7ffdafff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdb000	0x7ffdb000	0x7ffddfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffde000	0x7ffde000	0x7ffdefff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffdf000	0x7ffdf000	0x7ffdffff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7ffb1ddcffff	Private Memory	Readable	Region Actions
ntdll.dll	0x7ffb1ddd0000	0x7ffb1df91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb1df92000	0x7ffb1df92000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Host Behavior

File (17)

Operation	Filename	Additional Information	Count	Logfile
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\	share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE, create_disposition = OPEN_EXISTING	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\desktop\.jpg	desired_access = GENERIC_READ, create_disposition = OPEN_EXISTING	12	Fn
OPEN	STD_INPUT_HANDLE		1	Fn
OPEN	STD_OUTPUT_HANDLE		2	Fn
OPEN	STD_ERROR_HANDLE		1	Fn

Process (4)

Operation	Process Name	Additional Information	Count	Logfile
CREATE	explorer.exe	os_tid = 0x358, os_pid = 0x208, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE	1	Fn
OPEN	c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe	os_pid = 0x5f0, desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE	1	Fn
OPEN_TOKEN	c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe	os_pid = 0x5f0, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION	1	Fn
GET_INFO	explorer.exe	os_pid = 0x208	1	Fn

Memory (3)

Operation	Address	Additional Information	Count	Logfile
READ	0x7ef7a008	process_name = explorer.exe, os_pid = 0x208, size = 4	1	Fn Data
READ	0xcb0000	process_name = explorer.exe, os_pid = 0x208, size = 400	1	Fn Data
READ	0xcb0000	process_name = explorer.exe, os_pid = 0x208, size = 4026368	1	Fn

Thread (1)

Operation	Process Name	Additional Information	Success	Count	Logfile
RESUME	c:\windows\syswow64\explorer.exe	os_tid = 0x358, os_pid = 0x208		1	Fn

Module (53)

Operation	Module	Additional Information	Count	Logfile
LOAD	kernel32	base_address = 0x75650000	1	Fn
LOAD	user32.dll	base_address = 0x75f10000	1	Fn
LOAD	user32	base_address = 0x75f10000	1	Fn
LOAD	shell32	base_address = 0x76910000	1	Fn
LOAD	advapi32	base_address = 0x74fb0000	1	Fn
LOAD	urlmon	base_address = 0x74620000	1	Fn
LOAD	ole32	base_address = 0x77cd0000	1	Fn
LOAD	winhttp	base_address = 0x74210000	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x75650000	13	Fn
GET_HANDLE	c:\windows\syswow64\ntdll.dll	base_address = 0x77dc0000	2	Fn
GET_HANDLE	c:\windows\syswow64\advapi32.dll	base_address = 0x74fb0000	2	Fn
GET_HANDLE	c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe	base_address = 0x400000	1	Fn
GET_HANDLE	sbiedll	base_address = 0x0	1	Fn
GET_HANDLE	dbghelp	base_address = 0x0	1	Fn
CREATE_MAPPING		module_name = Nameless FileMapping, maximum_size = 7208732, protection = PAGE_EXECUTE_READWRITE	1	Fn
MAP	c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe	os_pid = 0x5f0, address = 0x3620000	1	Fn
MAP	explorer.exe	os_pid = 0x208, address = 0xcb0000	1	Fn
UNMAP	explorer.exe	os_pid = 0x208, base_address = 0xcb0000	1	Fn
GET_FILENAME	C:\Users\WI2yhmtI onvScY7Pe\Desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe		3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FlsAlloc, address = 0x7566a330	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FlsGetValue, address = 0x75667580	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FlsSetValue, address = 0x75669910	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = FlsFree, address = 0x7566f400	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = EncodePointer, address = 0x77e1f190	8	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = DecodePointer, address = 0x77e1a200	3	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = IsProcessorFeaturePresent, address = 0x75669680	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\kernel32.dll	function = HeapCreate, address = 0x75669950	1	Fn
GET_PROC_ADDRESS	c:\windows\syswow64\user32.dll	function = SetLayeredWindowAttributes, address = 0x75f48fc0	1	Fn

Com (2)

Operation	Class	Interface	Additional Information	Success	Count	Logfile
METHOD		IMalloc	method = Free		1	Fn
METHOD		IMalloc	method = AddRef		1	Fn

Registry (7)

Operation	Key	Additional Information	Count	Logfile
OPEN_KEY	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters		1	Fn
OPEN_KEY	HKEY_CURRENT_USER		1	Fn
OPEN_KEY	HKEY_CURRENT_USER\4194304		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall		1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters	value_name = HostName, data_ident_out = 1702260	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum	value_name = 0, data_ident_out = 83	1	Fn

Window (2)

Operation	Window Name	Additional Information	Success	Count	Logfile
CREATE	mess	class_name = , x_coordinate = 18446744071562067968, y_coordinate = 18446744071562067968, width = 18446744071562067968, height = 18446744071562067968, class_name = Notepad, window_parameter = 0		1	Fn
FIND		class_name = Notepad		1	Fn

System (101)

Operation	Information	Success	Count	Logfile
SLEEP	duration = -1 (infinite)		1	Fn
SLEEP	duration = 100 milliseconds (0.100 seconds)		100	Fn

Process #2: explorer.exe

(Host: 221, Network: 12)

Information	Value
ID / OS PID	#2 / 0x208
OS Parent PID	0x5f0 (c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe)
Initial Working Directory	C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name	c:\windows\syswow64\explorer.exe
Command Line	explorer.exe
Monitor	Start Time: 00:02:02, Reason: Child Process
Unmonitor	End Time: 00:02:34, Reason: Terminated by Timeout
Monitor Duration	00:00:32
OS Thread IDs	#10 0x358 #11 0x86C #12 0x540 #13 0x658 #14 0x630 #15 0xA70 #16 0x5CC #17 0x9F0

Region

Name	Start VA	End VA	Type	Permissions	Actions
private_0x0000000000c50000	0x00c50000	0x00c6ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000000c50000	0x00c50000	0x00c5ffff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x0000000000c60000	0x00c60000	0x00c63fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000000c70000	0x00c70000	0x00c70fff	Private Memory	Readable, Writable	Region Actions
explorer.exe.mui	0x00c70000	0x00c77fff	Memory Mapped File	Readable	Region Actions
pagefile_0x0000000000c80000	0x00c80000	0x00c93fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000000ca0000	0x00ca0000	0x00ca3fff	Pagefile Backed Memory	Readable	Region Actions
explorer.exe	0x00cb0000	0x01086fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
pagefile_0x0000000000cb0000	0x00cb0000	0x01086fff	Pagefile Backed Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000001090000	0x01090000	0x0508ffff	Pagefile Backed Memory	-	Region Actions
private_0x0000000005090000	0x05090000	0x050cffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000050d0000	0x050d0000	0x0510ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x0000000005110000	0x05110000	0x05112fff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000005120000	0x05120000	0x05121fff	Private Memory	Readable, Writable	Region Actions
locale.nls	0x05130000	0x051edfff	Memory Mapped File	Readable	Region Actions
private_0x00000000051f0000	0x051f0000	0x0522ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005230000	0x05230000	0x05230fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005240000	0x05240000	0x05240fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005250000	0x05250000	0x05253fff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005260000	0x05260000	0x0526ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005270000	0x05270000	0x052affff	Private Memory	Readable, Writable	Region Actions
private_0x00000000052b0000	0x052b0000	0x052bdfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000052c0000	0x052c0000	0x052c6fff	Private Memory	Readable, Writable	Region Actions
private_0x00000000052d0000	0x052d0000	0x052d0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000052e0000	0x052e0000	0x053dffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000053e0000	0x053e0000	0x0541ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005420000	0x05420000	0x0545ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000005460000	0x05460000	0x0549ffff	Private Memory	Readable, Writable	Region Actions
winnlsres.dll	0x054a0000	0x054a4fff	Memory Mapped File	Readable	Region Actions
private_0x00000000054b0000	0x054b0000	0x054bffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x00000000054c0000	0x054c0000	0x05647fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x0000000005650000	0x05650000	0x057d0fff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x00000000057e0000	0x057e0000	0x06bdffff	Pagefile Backed Memory	Readable	Region Actions
private_0x0000000006be0000	0x06be0000	0x06c1ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006c20000	0x06c20000	0x06c5ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006c60000	0x06c60000	0x06c9ffff	Private Memory	Readable, Writable	Region Actions
winnlsres.dll.mui	0x06ca0000	0x06caffff	Memory Mapped File	Readable	Region Actions
private_0x0000000006cb0000	0x06cb0000	0x06ceffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000006cf0000	0x06cf0000	0x06d2ffff	Private Memory	Readable, Writable	Region Actions
mswsock.dll.mui	0x06d30000	0x06d32fff	Memory Mapped File	Readable	Region Actions
private_0x0000000006d40000	0x06d40000	0x06d4ffff	Private Memory	Readable, Writable	Region Actions
SortDefault.nls	0x06d50000	0x07086fff	Memory Mapped File	Readable	Region Actions
private_0x0000000007090000	0x07090000	0x0757bfff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x0000000007580000	0x07580000	0x07580fff	Private Memory	Readable, Writable, Executable	Region Actions
pagefile_0x0000000007590000	0x07590000	0x07590fff	Pagefile Backed Memory	Readable, Writable	Region Actions
private_0x00000000075a0000	0x075a0000	0x075a0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000075b0000	0x075b0000	0x075b0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000075c0000	0x075c0000	0x075c0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000075d0000	0x075d0000	0x075d0fff	Private Memory	Readable, Writable, Executable	Region Actions
private_0x00000000075e0000	0x075e0000	0x0761ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007620000	0x07620000	0x0765ffff	Private Memory	Readable, Writable	Region Actions
private_0x0000000007660000	0x07660000	0x07660fff	Private Memory	Readable, Writable, Executable	Region Actions
crypt32.dll.mui	0x07670000	0x07679fff	Memory Mapped File	Readable	Region Actions
private_0x0000000007680000	0x07680000	0x076bffff	Private Memory	Readable, Writable	Region Actions
private_0x00000000076c0000	0x076c0000	0x076fffff	Private Memory	Readable, Writable	Region Actions
wow64.dll	0x53cc0000	0x53d0efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64cpu.dll	0x53d10000	0x53d17fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
wow64win.dll	0x53d20000	0x53d92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dpapi.dll	0x73f40000	0x73f47fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gpapi.dll	0x73f50000	0x73f6efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncryptsslp.dll	0x73f70000	0x73f89fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntasn1.dll	0x73f90000	0x73fb7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ncrypt.dll	0x73fc0000	0x73fdffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
schannel.dll	0x73fe0000	0x7403ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntmarta.dll	0x74040000	0x74067fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rsaenh.dll	0x74070000	0x7409efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptsp.dll	0x740a0000	0x740b2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcrypt.dll	0x740c0000	0x740dafff	Memory Mapped File	Readable, Writable, Executable	Region Actions
FWPUCLNT.DLL	0x740e0000	0x74125fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dnsapi.dll	0x74130000	0x741b3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mswsock.dll	0x741c0000	0x7420dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
webio.dll	0x74210000	0x74277fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
OnDemandConnRouteHelper.dll	0x74280000	0x74290fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winhttp.dll	0x742a0000	0x74346fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
iertutil.dll	0x74350000	0x74610fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
urlmon.dll	0x74620000	0x7477ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
propsys.dll	0x74780000	0x748c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
uxtheme.dll	0x748d0000	0x74944fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
mskeyprotect.dll	0x74950000	0x7495ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc.dll	0x74960000	0x74973fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
d3d11.dll	0x74980000	0x74b92fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dwmapi.dll	0x74ba0000	0x74bbcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rasadhlp.dll	0x74bc0000	0x74bc7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dhcpcsvc6.dll	0x74bd0000	0x74be2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
winnsi.dll	0x74bf0000	0x74bf7fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dxgi.dll	0x74c00000	0x74c7dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
dcomp.dll	0x74c80000	0x74d1bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
twinapi.dll	0x74d20000	0x74db8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
IPHLPAPI.DLL	0x74dc0000	0x74deffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sppc.dll	0x74df0000	0x74e0cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
slc.dll	0x74e10000	0x74e30fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
userenv.dll	0x74e40000	0x74e58fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
bcryptprimitives.dll	0x74e60000	0x74eb8fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
cryptbase.dll	0x74ec0000	0x74ec9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sspicli.dll	0x74ed0000	0x74eedfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msvcrt.dll	0x74ef0000	0x74fadfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
advapi32.dll	0x74fb0000	0x7502afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
oleaut32.dll	0x75030000	0x750c1fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
powrprof.dll	0x75280000	0x752c3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
KernelBase.dll	0x752e0000	0x75455fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
imm32.dll	0x75460000	0x7548afff	Memory Mapped File	Readable, Writable, Executable	Region Actions
combase.dll	0x75490000	0x75649fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel32.dll	0x75650000	0x7573ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
gdi32.dll	0x75790000	0x758dcfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
SHCore.dll	0x75aa0000	0x75b2cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ws2_32.dll	0x75b90000	0x75bebfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
crypt32.dll	0x75bf0000	0x75d64fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
profapi.dll	0x75d70000	0x75d7efff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msasn1.dll	0x75d80000	0x75d8dfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
msctf.dll	0x75d90000	0x75eaffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
sechost.dll	0x75eb0000	0x75ef2fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
user32.dll	0x75f10000	0x7604ffff	Memory Mapped File	Readable, Writable, Executable	Region Actions
nsi.dll	0x76050000	0x76056fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
kernel.appcore.dll	0x76290000	0x7629bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shlwapi.dll	0x762a0000	0x762e3fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
windows.storage.dll	0x76380000	0x7685cfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
rpcrt4.dll	0x76860000	0x7690bfff	Memory Mapped File	Readable, Writable, Executable	Region Actions
shell32.dll	0x76910000	0x77ccefff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ole32.dll	0x77cd0000	0x77db9fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
ntdll.dll	0x77dc0000	0x77f38fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x000000007ee41000	0x7ee41000	0x7ee43fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ee44000	0x7ee44000	0x7ee46fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ee47000	0x7ee47000	0x7ee49fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ee4a000	0x7ee4a000	0x7ee4cfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ee4d000	0x7ee4d000	0x7ee4ffff	Private Memory	Readable, Writable	Region Actions
pagefile_0x000000007ee50000	0x7ee50000	0x7ef4ffff	Pagefile Backed Memory	Readable	Region Actions
pagefile_0x000000007ef50000	0x7ef50000	0x7ef72fff	Pagefile Backed Memory	Readable	Region Actions
private_0x000000007ef74000	0x7ef74000	0x7ef76fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef77000	0x7ef77000	0x7ef79fff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef7a000	0x7ef7a000	0x7ef7afff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef7b000	0x7ef7b000	0x7ef7dfff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ef7e000	0x7ef7e000	0x7ef7efff	Private Memory	Readable, Writable	Region Actions
private_0x000000007ffe0000	0x7ffe0000	0x7ffeffff	Private Memory	Readable	Region Actions
private_0x000000007fff0000	0x7fff0000	0x7dfb1ddcffff	Private Memory	Readable	Region Actions
pagefile_0x00007dfb1ddd0000	0x7dfb1ddd0000	0x7ffb1ddcffff	Pagefile Backed Memory	-	Region Actions
ntdll.dll	0x7ffb1ddd0000	0x7ffb1df91fff	Memory Mapped File	Readable, Writable, Executable	Region Actions
private_0x00007ffb1df92000	0x7ffb1df92000	0x7ffffffeffff	Private Memory	Readable	Region Actions

Injection Information

Injection Type	Source Process	Source Os Thread ID	Injection Info	Success	Count	Logfile
Modify Memory	c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe	0xbf4	address = 0xcb0000, size = 4026368		1	Fn Data

Created Files

Filename	File Size	Hash Values	YARA Match	Actions
c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\dafgfvjv.exe	0.00 KB (0 bytes)	MD5: d41d8cd98f00b204e9800998ecf8427e SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		File Actions Show Properties
c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\dafgfvjv.exe	211.00 KB (216064 bytes)	MD5: 5babf25f698870abea3f10393a1abf31 SHA1: 9c0ce809c87b54cbd8aa589a2644a74f7f656462 SHA256: e6d5efed898e2e51a2782bb959b23e2ab3d9dd53bd4ff7f56019901f6fa93a76		File Actions Show Properties Download

Host Behavior

File (9)

Operation	Filename	Additional Information	Count	Logfile
CREATE	c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\dafgfvjv.exe	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_FLAG_BACKUP_SEMANTICS	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf	desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_FLAG_BACKUP_SEMANTICS	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\dafgfvjv.exe	desired_access = GENERIC_READ, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE	c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\wtrrifwf	desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL	1	Fn
CREATE_DIR	c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf		1	Fn
COPY	c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\dafgfvjv.exe	source_file_name = c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe, fail_if_exists = 0	1	Fn
DELETE	c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\dafgfvjv.exe		1	Fn
DELETE	c:\users\wi2yhmti onvscy7pe\appdata\roaming\wtrrifwf\dafgfvjv.exe:zone.identifier		1	Fn
DELETE	c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe		1	Fn

Process (2)

Operation	Process Name	Additional Information	Success	Count	Logfile
OPEN	c:\windows\syswow64\explorer.exe	os_pid = 0x208, desired_access = PROCESS_TERMINATE, PROCESS_CREATE_THREAD, PROCESS_SET_SESSIONID, PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_DUP_HANDLE, PROCESS_CREATE_PROCESS, PROCESS_SET_QUOTA, PROCESS_SET_INFORMATION, PROCESS_QUERY_INFORMATION, PROCESS_SUSPEND_RESUME, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE		1	Fn
OPEN_TOKEN	c:\users\wi2yhmti onvscy7pe\desktop\9c0ce809c87b54cbd8aa589a2644a74f7f656462.malware.exe	os_pid = 0x5f0, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATION		1	Fn

Module (9)

Operation	Module	Additional Information	Count	Logfile
LOAD	user32	base_address = 0x75f10000	1	Fn
LOAD	shell32	base_address = 0x76910000	1	Fn
LOAD	advapi32	base_address = 0x74fb0000	1	Fn
LOAD	urlmon	base_address = 0x74620000	1	Fn
LOAD	ole32	base_address = 0x77cd0000	1	Fn
LOAD	winhttp	base_address = 0x742a0000	1	Fn
GET_HANDLE	c:\windows\syswow64\kernel32.dll	base_address = 0x75650000	1	Fn
CREATE_MAPPING		module_name = FCAA85F5B5437C4D7919D716988890AF30565E9EFF, maximum_size = 1024000, protection = PAGE_READWRITE, SEC_COMMIT	1	Fn
GET_FILENAME	C:\Windows\SysWOW64\explorer.exe		1	Fn

Registry (76)

Operation	Key	Additional Information	Count	Logfile
CREATE_KEY	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0D3E9E15-DE7A-300B-96F1-B4AF12B96488}		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{BC958BD2-5DAC-3862-BB1A-C1BE0790438D}		1	Fn
OPEN_KEY	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}		1	Fn
OPEN_KEY	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run		1	Fn
OPEN_KEY	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run		2	Fn
OPEN_KEY	HKEY_CURRENT_USER\Software		1	Fn
OPEN_KEY	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run		1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer	value_name = svcVersion, data_ident_out = 49	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	value_name = HelpLink, data_ident_out = 65	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook	value_name = URLInfoAbout, data_ident_out = 65	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	value_name = HelpLink, data_ident_out = 67	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager	value_name = URLInfoAbout, data_ident_out = 67	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	value_name = HelpLink, data_ident_out = 68	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx	value_name = URLInfoAbout, data_ident_out = 68	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime	value_name = HelpLink, data_ident_out = 68	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime	value_name = URLInfoAbout, data_ident_out = 68	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	value_name = HelpLink, data_ident_out = 70	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore	value_name = URLInfoAbout, data_ident_out = 70	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40	value_name = HelpLink, data_ident_out = 73	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40	value_name = URLInfoAbout, data_ident_out = 73	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	value_name = HelpLink, data_ident_out = 73	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data	value_name = URLInfoAbout, data_ident_out = 73	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	value_name = HelpLink, data_ident_out = 73	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX	value_name = URLInfoAbout, data_ident_out = 73	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData	value_name = HelpLink, data_ident_out = 73	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData	value_name = URLInfoAbout, data_ident_out = 73	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	value_name = HelpLink, data_ident_out = 77	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack	value_name = URLInfoAbout, data_ident_out = 77	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2	value_name = HelpLink, data_ident_out = 77	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2	value_name = URLInfoAbout, data_ident_out = 77	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	value_name = HelpLink, data_ident_out = 83	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent	value_name = URLInfoAbout, data_ident_out = 83	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC	value_name = HelpLink, data_ident_out = 87	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC	value_name = URLInfoAbout, data_ident_out = 87	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0D3E9E15-DE7A-300B-96F1-B4AF12B96488}	value_name = HelpLink, data_ident_out = 104	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0D3E9E15-DE7A-300B-96F1-B4AF12B96488}	value_name = URLInfoAbout, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	value_name = HelpLink, data_ident_out = 104	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}	value_name = URLInfoAbout, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}	value_name = HelpLink, data_ident_out = 104	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}	value_name = URLInfoAbout, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}	value_name = HelpLink, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}	value_name = URLInfoAbout, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}	value_name = HelpLink, data_ident_out = 104	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{929FBD26-9020-399B-9A7A-751D61F0B942}	value_name = URLInfoAbout, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}	value_name = HelpLink, data_ident_out = 104	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}	value_name = URLInfoAbout, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}	value_name = HelpLink, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}	value_name = URLInfoAbout, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{BC958BD2-5DAC-3862-BB1A-C1BE0790438D}	value_name = HelpLink, data_ident_out = 104	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{BC958BD2-5DAC-3862-BB1A-C1BE0790438D}	value_name = URLInfoAbout, data_ident_out = 0	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}	value_name = HelpLink, data_ident_out = 104	1	Fn
READ_VALUE	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}	value_name = URLInfoAbout, data_ident_out = 0	1	Fn
WRITE_VALUE	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	value_name = AppDataLow, data = C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\wtrrifwf\dafgfvjv.exe	1	Fn

System (124)

Operation	Information	Count	Logfile
SLEEP	duration = 100 milliseconds (0.100 seconds)	100	Fn
SLEEP	duration = 284 milliseconds (0.284 seconds)	1	Fn
SLEEP	duration = 386 milliseconds (0.386 seconds)	1	Fn
SLEEP	duration = 403 milliseconds (0.403 seconds)	1	Fn
SLEEP	duration = 399 milliseconds (0.399 seconds)	1	Fn
SLEEP	duration = 306 milliseconds (0.306 seconds)	1	Fn
SLEEP	duration = 460 milliseconds (0.460 seconds)	1	Fn
SLEEP	duration = 330 milliseconds (0.330 seconds)	1	Fn
SLEEP	duration = 483 milliseconds (0.483 seconds)	1	Fn
SLEEP	duration = 334 milliseconds (0.334 seconds)	1	Fn
SLEEP	duration = 405 milliseconds (0.405 seconds)	1	Fn
SLEEP	duration = 344 milliseconds (0.344 seconds)	1	Fn
SLEEP	duration = 411 milliseconds (0.411 seconds)	1	Fn
SLEEP	duration = 216 milliseconds (0.216 seconds)	1	Fn
SLEEP	duration = 296 milliseconds (0.296 seconds)	1	Fn
SLEEP	duration = 436 milliseconds (0.436 seconds)	1	Fn
SLEEP	duration = 228 milliseconds (0.228 seconds)	1	Fn
SLEEP	duration = 267 milliseconds (0.267 seconds)	1	Fn
SLEEP	duration = 413 milliseconds (0.413 seconds)	1	Fn
SLEEP	duration = 416 milliseconds (0.416 seconds)	1	Fn
SLEEP	duration = 477 milliseconds (0.477 seconds)	1	Fn
SLEEP	duration = 468 milliseconds (0.468 seconds)	1	Fn
SLEEP	duration = 377 milliseconds (0.377 seconds)	1	Fn
SLEEP	duration = 287 milliseconds (0.287 seconds)	1	Fn
SLEEP	duration = 305 milliseconds (0.305 seconds)	1	Fn

Mutex (1)

Operation	Name	Additional Information	Success	Count	Logfile
CREATE	FCAA85F5B5437C4D7919D716988890AF30565E9E	initial_owner = 0		1	Fn

Network Behavior

HTTP Session (4)

Remote Address	Remote Port	Username	Password	Success	Count
www.msn.com	80				4

HTTP Request (4)

Method	URL	Success	Count
GET	http://www.msn.com/		4

TCP Outgoing Connection (4)

Remote Address	Remote Port	L7Protocol	Success	Count
www.msn.com	80	http		4