VMRay Analyzer Report
| Information | Value |
|---|---|
| ID / OS PID | #1 / 0xc8c |
| OS Parent PID | 0x7fc (c:\windows\explorer.exe) |
| Initial Working Directory | C:\Users\WI2yhmtI onvScY7Pe\Desktop |
| File Name | c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe |
| Command Line | "C:\Users\WI2yhmtI onvScY7Pe\Desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe" |
| Monitor | Start Time: 00:00:37, Reason: Analysis Target |
| Unmonitor | End Time: 00:02:42, Reason: Terminated by Timeout |
| Monitor Duration | 00:02:05 |
| OS Thread IDs | #1 0xC90 #2 0xD08 #120 0xE84 |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| MOD | LOAD | module_name = advapi32.dll, base_address = 0x74fb0000 |  | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\jflcfzpjeknoja, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL |  | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\edyqopp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vije, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vije, size = 9 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\skqngilsj, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\rorln, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ikbh, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ikbh, size = 6 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\evywvrrs, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\evywvrrs, size = 29 | | 1 | |
| MOD | LOAD | module_name = NTDLL, base_address = 0x77dc0000 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\rtobnpdljgwwngd, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\rtobnpdljgwwngd, size = 14 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\wqrqtgk, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| MOD | LOAD | module_name = ws2_32.dll, base_address = 0x75b90000 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\agdb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\igvsjvpdqbzchuq, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\igvsjvpdqbzchuq, size = 13 | | 1 | |
| MUTEX | CREATE | mutex_name = AsEwIwsA, initial_owner = 0 | | 1 | |
| MUTEX | CREATE | mutex_name = TYAckMgs, initial_owner = 0 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\kgefqqjfdydaway, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\kgefqqjfdydaway, size = 15 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vvjmrgfdiuwazeb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\lhmk, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\lhmk, size = 19 | | 1 | |
| FILE | CREATE_DIR | file_name = c:\users\wi2yhmti onvscy7pe\ayooemee | | 1 | |
| FILE | CREATE_DIR | file_name = c:\users\wi2yhmti onvscy7pe\ayooemee | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\exfda, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\dxfpcywdygfese, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\dxfpcywdygfese, size = 8 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\bolwkhjyxgq, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\bolwkhjyxgq, size = 18 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\gfysb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\gfysb, size = 4 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\uhnm, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\uhnm, size = 7 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\rpevkxqtrvzngt, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\qmufpu, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\qmufpu, size = 15 | | 1 | |
| MOD | CREATE_MAPPING | file_name = c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww, module_name = Nameless FileMapping, maximum_size = 2062, protection = PAGE_READWRITE | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\sukproak, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| MOD | MAP | file_name = c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww, process_name = c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe, os_pid = 0xc8c, module_name = Nameless FileMapping, desired_access = FILE_MAP_ALL_ACCESS, file_offset = 0, address = 0x3940000 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\gziysukvx, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\gziysukvx, size = 16 | | 1 | |
| MUTEX | RELEASE | mutex_name = AsEwIwsA | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\qraq, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\bqnm, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\gzwkvrzheieagd, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE_DIR | file_name = c:\programdata\vmymsigm | | 1 | |
| FILE | CREATE_DIR | file_name = c:\programdata\vmymsigm | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vyqoon, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vyqoon, size = 27 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\okjjjhibzy, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\okjjjhibzy, size = 6 | | 1 | |
| FILE | CREATE | file_name = c:\programdata\vmymsigm\yoummieo, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\jadccbxzcopys, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\jadccbxzcopys, size = 18 | | 1 | |
| FILE | CREATE | file_name = c:\programdata\vmymsigm\yoummieo, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vabnhssjqi, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| MOD | CREATE_MAPPING | file_name = c:\programdata\vmymsigm\yoummieo, module_name = Nameless FileMapping, maximum_size = 2062, protection = PAGE_READWRITE | | 1 | |
| MOD | MAP | file_name = c:\programdata\vmymsigm\yoummieo, process_name = c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe, os_pid = 0xc8c, module_name = Nameless FileMapping, desired_access = FILE_MAP_ALL_ACCESS, file_offset = 0, address = 0x3950000 | | 1 | |
| MUTEX | RELEASE | mutex_name = AsEwIwsA | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\sfxs, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\dvrkttxonuvxxo, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\zbchwzxtu, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\fgvyusstvvsmett, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\fgvyusstvvsmett, size = 8 | | 1 | |
| USER | GET_CURRENT | user_name = WI2yhmtI onvScY7Pe | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\eygoj, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| USER | GET_CURRENT | user_name = WI2yhmtI onvScY7Pe | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\fyqyrfypw, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| SYS | SLEEP | duration = 159 milliseconds (0.159 seconds) | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\kdfsxqp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ifdaysdzm, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ifdaysdzm, size = 11 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\bwxt, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\bwxt, size = 5 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\mbpi, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\mbpi, size = 12 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\qfpfeev, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\qfpfeev, size = 30 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\sjnrb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\sjnrb, size = 9 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\zfcdvoztqqsqssn, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\adrlcrwowsouok, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\adrlcrwowsouok, size = 23 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\sjfffxwsv, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\eutwzrkvmoo, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\fazehwvdxqq, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\pllm, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\pllm, size = 25 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ajazmxx, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ajazmxx, size = 30 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\tynjyraljh, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\tynjyraljh, size = 10 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\nocgllgflajyn, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\nocgllgflajyn, size = 20 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\udlg, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\psejm, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE_DIR | file_name = c:\users\wi2yhmti onvscy7pe\ayooemee | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\gsxqdtmlmrr, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\deaczjoevu, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\nsjgfcryrfzr, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\nsjgfcryrfzr, size = 27 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\wsjaxpyhq, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\wsjaxpyhq, size = 4 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ijzo, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ijzo, size = 16 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\rzwdstazova, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| MOD | LOAD | module_name = kernel32.dll, base_address = 0x75650000 | | 1 | |
| MOD | LOAD | module_name = ntdll.dll, base_address = 0x77dc0000 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\tcqrwftqbypivum, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| MOD | LOAD | module_name = advapi32.dll, base_address = 0x74fb0000 | | 1 | |
| MOD | LOAD | module_name = user32.dll, base_address = 0x75f10000 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vcbnbq, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\rxnvrdscfofjr, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\yawlipagrm, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\yawlipagrm, size = 25 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ucsfzlbaezn, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\zcgwzmuzzmzip, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\zcgwzmuzzmzip, size = 5 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ciotal, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ciotal, size = 13 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\dodoqeqrbwahtjq, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\dodoqeqrbwahtjq, size = 13 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\swudqd, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\swudqd, size = 6 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\jrtgquwkyvanvbi, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\jrtgquwkyvanvbi, size = 5 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\hhqjokypw, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\bnvwlppbnnua, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe, desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | WRITE | file_name = c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe, size = 1024 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\cfkdoo, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\cfkdoo, size = 8 | | 1 | |
| FILE | WRITE | file_name = c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe, size = 684032 | | 1 | |
| FILE | WRITE | file_name = c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe, size = 10240 | | 1 | |
| FILE | WRITE | file_name = c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe, size = 1404928 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ivio, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| PROC | CREATE | process_name = C:\Users\WI2yhmtI onvScY7Pe\ayooEMEE\XuMIAsww.exe, os_tid = 0xd7c, os_pid = 0xd78, show_window = SW_HIDE | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run, value_name = XuMIAsww.exe, data = C:\Users\WI2yhmtI onvScY7Pe\ayooEMEE\XuMIAsww.exe | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\okroak, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\woghlxmtdopva, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\woghlxmtdopva, size = 27 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\okooeoueted, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\okooeoueted, size = 24 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\eqdzfvvf, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\dyfwoqbh, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\dyfwoqbh, size = 26 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ipplbhxcuc, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\pkkpenkyse, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ucpgdjptbnw, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ckuhxlydmvbcgt, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ckuhxlydmvbcgt, size = 21 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\lzzjxhcku, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\rocpuxh, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\pjrrdbkpxxp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\pjrrdbkpxxp, size = 22 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ddahqzxmaggrzgk, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\zgspcrdzmbdlll, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\zgspcrdzmbdlll, size = 9 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\tqfrvevei, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\fcjudzpy, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE_DIR | file_name = c:\programdata\vmymsigm | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\efrhdichi, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\efrhdichi, size = 29 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\okpzlttkzghsb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\okpzlttkzghsb, size = 30 | | 1 | |
| MOD | LOAD | module_name = shell32.dll, base_address = 0x76910000 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\qsltlfjc, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\dvdlznyxdqejop, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\wnnum, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\wnnum, size = 8 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\faqybxahlcc, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\faqybxahlcc, size = 31 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\gqazpanrzp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\gqazpanrzp, size = 13 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\gnzdojblzdltdv, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\gnzdojblzdltdv, size = 14 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\bdvmlsjpvlusc, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\shxkod, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\eqnahklzvzrkra, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\eqnahklzvzrkra, size = 9 | | 1 | |
| FILE | CREATE | file_name = c:\programdata\vmymsigm\yoummieo.exe, desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | WRITE | file_name = c:\programdata\vmymsigm\yoummieo.exe, size = 1024 | | 1 | |
| FILE | WRITE | file_name = c:\programdata\vmymsigm\yoummieo.exe, size = 684032 | | 1 | |
| FILE | WRITE | file_name = c:\programdata\vmymsigm\yoummieo.exe, size = 10240 | | 1 | |
| FILE | WRITE | file_name = c:\programdata\vmymsigm\yoummieo.exe, size = 1347584 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\rdotrvcpth, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\rdotrvcpth, size = 6 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\olxnxq, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\olxnxq, size = 31 | | 1 | |
| PROC | CREATE | process_name = C:\ProgramData\VmYMsIgM\YOUMMIEo.exe, os_tid = 0xdbc, os_pid = 0xdb8, show_window = SW_HIDE | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\awwilildhk, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run, value_name = YOUMMIEo.exe, data = C:\ProgramData\VmYMsIgM\YOUMMIEo.exe | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\dlpdjbpebpqqrvh, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | | 1 | |
| REG | READ_VALUE | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value_name = Userinit, data_ident_out = C:\Windows\system32\userinit.exe, | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\nyfha, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\nyfha, size = 22 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value_name = Userinit, data = C:\Windows\system32\userinit.exe,C:\ProgramData\VmYMsIgM\YOUMMIEo.exe, | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ibkfdojf, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | | 1 | |
| REG | READ_VALUE | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value_name = Userinit, data_ident_out = 0 | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value_name = Userinit, data = C:\ProgramData\VmYMsIgM\YOUMMIEo.exe, | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\mocdpjij, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE_DIR | file_name = c:\programdata\baieaacu | | 1 | |
| FILE | CREATE_DIR | file_name = c:\programdata\baieaacu | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\fziqk, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\fziqk, size = 26 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\uqktfecidxwd, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\svgrat, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\svgrat, size = 28 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\jtylyxjwqnhb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\jtylyxjwqnhb, size = 11 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\sfqevzfusjwkcq, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\sfqevzfusjwkcq, size = 30 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ckdfgwhy, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\nctequiorzziw, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\aibxxn, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\aibxxn, size = 28 | | 1 | |
| FILE | CREATE | file_name = c:\programdata\baieaacu\xuaecwog.exe, desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\wmsxkoocwjp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\gdrfmasuc, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\gdrfmasuc, size = 8 | | 1 | |
| FILE | WRITE | file_name = c:\programdata\baieaacu\xuaecwog.exe, size = 1024 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\kdynuec, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | WRITE | file_name = c:\programdata\baieaacu\xuaecwog.exe, size = 684032 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\hzcmrmznnnvhv, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\hzcmrmznnnvhv, size = 13 | | 1 | |
| FILE | WRITE | file_name = c:\programdata\baieaacu\xuaecwog.exe, size = 10240 | | 1 | |
| FILE | WRITE | file_name = c:\programdata\baieaacu\xuaecwog.exe, size = 1384448 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\kmzszjjabixrvi, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\mukdnyiwku, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| SVC | OPEN_MGR | database_name = SERVICES_ACTIVE_DATABASE, host = Localhost, desired_access = SC_MANAGER_CONNECT, SC_MANAGER_CREATE_SERVICE, SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_LOCK, SC_MANAGER_QUERY_LOCK_STATUS, SC_MANAGER_MODIFY_BOOT_CONFIG, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\xggwdb, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| SVC | OPEN | service_name = cEMAEwpb, database_name = SERVICES_ACTIVE_DATABASE, desired_access = SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS, SERVICE_ENUMERATE_DEPENDENTS, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_INTERROGATE, SERVICE_USER_DEFINED_CONTROL, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER | | 1 | |
| SVC | CREATE | service_name = cEMAEwpb, file_name = C:\ProgramData\BAIEAAcU\xUAEcwog.exe, database_name = SERVICES_ACTIVE_DATABASE, display_name = cEMAEwpb, desired_access = SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS, SERVICE_ENUMERATE_DEPENDENTS, SERVICE_START, SERVICE_STOP, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, service_type = SERVICE_WIN32_OWN_PROCESS, start_type = SERVICE_AUTO_START | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\zzge, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| SVC | OPEN | service_name = cEMAEwpb, database_name = SERVICES_ACTIVE_DATABASE, desired_access = SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS, SERVICE_ENUMERATE_DEPENDENTS, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_INTERROGATE, SERVICE_USER_DEFINED_CONTROL, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER | | 1 | |
| SVC | GET_INFO | service_name = cEMAEwpb, type = Status | | 1 | |
| SVC | START | service_name = cEMAEwpb, parameters = 0 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vkiqloxayyohc, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vkiqloxayyohc, size = 28 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\dddpavcirmvvqqk, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\dddpavcirmvvqqk, size = 25 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\auiwcdd, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\auiwcdd, size = 30 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\sudgniklyefz, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\sudgniklyefz, size = 20 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vvxuzzh, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vvxuzzh, size = 31 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\pkqljphz, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\pkqljphz, size = 31 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\quxgkeota, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\quxgkeota, size = 31 | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\pagooqzsdxipqlp, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\cptlucmcnk, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\cptlucmcnk, size = 17 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\mpio, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\mpio, size = 29 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\syndenps, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\syndenps, size = 24 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\iiroxzogklx, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\iiroxzogklx, size = 6 | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\mdmogm, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| MUTEX | RELEASE | mutex_name = AsEwIwsA | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\rllub, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ugpf, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ugpf, size = 4 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\fzoyzhgob, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\fzoyzhgob, size = 15 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ddjphthbrquss, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ubupjnawu, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ubupjnawu, size = 24 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\jujdff, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\aavbijipezbv, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| MUTEX | RELEASE | | 1 | ||
| MUTEX | RELEASE | mutex_name = AsEwIwsA | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\qeqnpyjjjr, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\qspglilvvmd, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\qspglilvvmd, size = 8 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vzsussoabf, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\vzsussoabf, size = 8 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\uwog, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\uwog, size = 8 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\spuonpilxjekiro, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\tzvwiy, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ogrzajo, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\puovwjl, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhm~1\appdata\local\temp\dwaaskwo.bat, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | WRITE | file_name = c:\users\wi2yhm~1\appdata\local\temp\dwaaskwo.bat, size = 4 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ftpjwfw, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | READ | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ftpjwfw, size = 27 | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware, desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\twdznhht, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | WRITE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware, size = 6968 | | 1 | |
| PROC | CREATE | process_name = C:\Users\WI2YHM~1\AppData\Local\Temp\dWAAskwo.bat, os_tid = 0xe3c, os_pid = 0xe38, creation_flags = CREATE_NO_WINDOW, current_directory = C:\Users\WI2yhmtI onvScY7Pe\Desktop, show_window = SW_HIDE | | 1 | |
| SYS | SLEEP | duration = 50 milliseconds (0.050 seconds) | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\dlksr, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| FILE | DELETE | file_name = c:\users\wi2yhm~1\appdata\local\temp\dwaaskwo.bat | | 1 | |
| PROC | CREATE | process_name = reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1, show_window = SW_HIDE | | 1 | |
| FILE | CREATE | file_name = c:\users\wi2yhmti onvscy7pe\desktop\ozbllmpyu, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | | 1 | |
| PROC | CREATE | process_name = reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2, show_window = SW_HIDE | | 1 | |
| PROC | CREATE | process_name = reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f, show_window = SW_HIDE | | 1 | |
| MOD | LOAD | module_name = srclient.dll, base_address = 0x74d70000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = c:\windows\syswow64\srclient.dll, function = SRRemoveRestorePoint, address = 0x74d745c0 | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #2 / 0xd78 |
| OS Parent PID | 0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe) |
| Initial Working Directory | C:\Users\WI2yhmtI onvScY7Pe\Desktop |
| File Name | c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe |
| Command Line | "C:\Users\WI2yhmtI onvScY7Pe\ayooEMEE\XuMIAsww.exe" |
| Monitor | Start Time: 00:01:04, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:38 |
| OS Thread IDs | #3 0xD7C #4 0xD80 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| ID / OS PID | #3 / 0xdb8 |
| OS Parent PID | 0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe) |
| Initial Working Directory | C:\Users\WI2yhmtI onvScY7Pe\Desktop |
| File Name | c:\programdata\vmymsigm\yoummieo.exe |
| Command Line | "C:\ProgramData\VmYMsIgM\YOUMMIEo.exe" |
| Monitor | Start Time: 00:01:25, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Terminated by Timeout |
| Monitor Duration | 00:01:17 |
| OS Thread IDs | #5 0xDBC #6 0xDC0 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| ID / OS PID | #4 / 0x4 |
| OS Parent PID | 0xffffffffffffffff (Unknown) |
| Initial Working Directory | |
| File Name | System |
| Command Line | |
| Monitor | Start Time: 00:01:46, Reason: Created Daemon |
| Unmonitor | End Time: 00:02:42, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:56 |
| OS Thread IDs | #7 0xC94 #8 0xCAC #9 0x14 #10 0x2BC #11 0x540 #12 0x4B8 #13 0x88C #14 0xE8 #15 0x6D0 #16 0x234 #17 0x9F0 #18 0x84C #19 0x7F0 #20 0x80 #21 0x234 #22 0x494 #23 0xAF8 #24 0xD0 #25 0xCC #26 0xC8 #27 0xC4 #28 0x13C #29 0x138 #30 0x30 #31 0x1C #32 0xA60 #33 0xA2C #34 0xA28 #35 0x93C #36 0x6D8 #37 0x5C #38 0xBFC #39 0xBF0 #40 0x3C #41 0xA8C #42 0xA80 #43 0x974 #44 0x968 #45 0x80C #46 0x4D8 #47 0x7DC #48 0x7D4 #49 0xE4 #50 0x628 #51 0x624 #52 0x620 #53 0x610 #54 0xA4 #55 0x5B0 #56 0xB4 #57 0x554 #58 0x48 #59 0x530 #60 0x524 #61 0xB0 #62 0x4B0 #63 0x4A0 #64 0x6C #65 0x464 #66 0x70 #67 0x450 #68 0x170 #69 0x84 #70 0x198 #71 0x74 #72 0x40 #73 0x35C #74 0x8C #75 0x78 #76 0x88 #77 0x2BC #78 0x16C #79 0x144 #80 0x44 #81 0x134 #82 0x124 #83 0x104 #84 0x38 #85 0x1A8 #86 0x7C #87 0x20 #88 0x174 #89 0x168 #90 0x164 #91 0x160 #92 0x140 #93 0x34 #94 0x10 #95 0xA8 #96 0xB8 #97 0xF0 #98 0xC0 #99 0x60 #100 0x110 #101 0xBC #102 0xEC #103 0x64 #104 0x8 #105 0x0 #108 0x18 #109 0x24 #114 0x24C |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | | | |  |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | | | |
| pagefile_0x0000005500000000 | 0x5500000000 | 0x5500000fff | Pagefile Backed Memory | Readable, Writable | | | | |
| pagefile_0x0000005500010000 | 0x5500010000 | 0x5500010fff | Pagefile Backed Memory | Readable, Writable | | | | |
| pagefile_0x0000005500020000 | 0x5500020000 | 0x5500020fff | Pagefile Backed Memory | Readable, Writable | | | | |
| ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| Information | Value |
|---|---|
| ID / OS PID | #5 / 0xe00 |
| OS Parent PID | 0x1dc (c:\windows\system32\services.exe) |
| Initial Working Directory | C:\Windows\system32 |
| File Name | c:\programdata\baieaacu\xuaecwog.exe |
| Command Line | C:\ProgramData\BAIEAAcU\xUAEcwog.exe |
| Monitor | Start Time: 00:01:46, Reason: Created Daemon |
| Unmonitor | End Time: 00:02:20, Reason: Terminated |
| Monitor Duration | 00:00:34 |
| OS Thread IDs | #106 0xE04 #107 0xE08 |
| Remarks | No high level activity detected in monitored regions |
| Information | Value |
|---|---|
| ID / OS PID | #6 / 0xe38 |
| OS Parent PID | 0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe) |
| Initial Working Directory | C:\Users\WI2yhmtI onvScY7Pe\Desktop |
| File Name | c:\windows\syswow64\cmd.exe |
| Command Line | C:\Windows\system32\cmd.exe /c "C:\Users\WI2yhmtI onvScY7Pe\Desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware" |
| Monitor | Start Time: 00:02:22, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:20 |
| OS Thread IDs | #110 0xE3C #128 0xEAC |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| cmd.exe | 0x00070000 | 0x000bffff | Memory Mapped File | Readable, Writable, Executable | | | | |
| pagefile_0x0000000000350000 | 0x00350000 | 0x0434ffff | Pagefile Backed Memory | - | | | | |
| private_0x0000000004350000 | 0x04350000 | 0x0436ffff | Private Memory | Readable, Writable | | | | |
| pagefile_0x0000000004350000 | 0x04350000 | 0x0435ffff | Pagefile Backed Memory | Readable, Writable | | | | |
| private_0x0000000004360000 | 0x04360000 | 0x04363fff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004370000 | 0x04370000 | 0x04371fff | Private Memory | Readable, Writable | | | | |
| pagefile_0x0000000004380000 | 0x04380000 | 0x04393fff | Pagefile Backed Memory | Readable | | | | |
| private_0x00000000043a0000 | 0x043a0000 | 0x043dffff | Private Memory | Readable, Writable | | | | |
| private_0x00000000043e0000 | 0x043e0000 | 0x044dffff | Private Memory | Readable, Writable | | | | |
| pagefile_0x00000000044e0000 | 0x044e0000 | 0x044e3fff | Pagefile Backed Memory | Readable | | | | |
| pagefile_0x00000000044f0000 | 0x044f0000 | 0x044f0fff | Pagefile Backed Memory | Readable | | | | |
| private_0x0000000004500000 | 0x04500000 | 0x04501fff | Private Memory | Readable, Writable | | | | |
| locale.nls | 0x04510000 | 0x045cdfff | Memory Mapped File | Readable | | | | |
| private_0x00000000045e0000 | 0x045e0000 | 0x045effff | Private Memory | Readable, Writable | | | | |
| private_0x00000000045f0000 | 0x045f0000 | 0x0462ffff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004630000 | 0x04630000 | 0x0472ffff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004730000 | 0x04730000 | 0x0482ffff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004890000 | 0x04890000 | 0x0489ffff | Private Memory | Readable, Writable | | | | |
| wow64.dll | 0x53cc0000 | 0x53d0efff | Memory Mapped File | Readable, Writable, Executable | | | | |
| wow64cpu.dll | 0x53d10000 | 0x53d17fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| wow64win.dll | 0x53d20000 | 0x53d92fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| msvcrt.dll | 0x74ef0000 | 0x74fadfff | Memory Mapped File | Readable, Writable, Executable | | | | |
| KernelBase.dll | 0x752e0000 | 0x75455fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| kernel32.dll | 0x75650000 | 0x7573ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
| ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| pagefile_0x000000007f170000 | 0x7f170000 | 0x7f26ffff | Pagefile Backed Memory | Readable | | | | |
| pagefile_0x000000007f270000 | 0x7f270000 | 0x7f292fff | Pagefile Backed Memory | Readable | | | | |
| private_0x000000007f297000 | 0x7f297000 | 0x7f299fff | Private Memory | Readable, Writable | | | | |
| private_0x000000007f29a000 | 0x7f29a000 | 0x7f29afff | Private Memory | Readable, Writable | | | | |
| private_0x000000007f29c000 | 0x7f29c000 | 0x7f29efff | Private Memory | Readable, Writable | | | | |
| private_0x000000007f29f000 | 0x7f29f000 | 0x7f29ffff | Private Memory | Readable, Writable | | | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | | | |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfb1ddcffff | Private Memory | Readable | | | | |
| pagefile_0x00007dfb1ddd0000 | 0x7dfb1ddd0000 | 0x7ffb1ddcffff | Pagefile Backed Memory | - | | | | |
| ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| private_0x00007ffb1df92000 | 0x7ffb1df92000 | 0x7ffffffeffff | Private Memory | Readable | | | | |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| MOD | GET_HANDLE | module_name = c:\windows\syswow64\cmd.exe, base_address = 0x70000 | | 1 | |
| MOD | GET_HANDLE | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75650000 | | 1 | |
| MOD | GET_PROC_ADDRESS | module_name = c:\windows\syswow64\kernel32.dll, function = SetThreadUILanguage, address = 0x75692780 | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #7 / 0xe4c |
| OS Parent PID | 0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe) |
| Initial Working Directory | C:\Users\WI2yhmtI onvScY7Pe\Desktop |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 |
| Monitor | Start Time: 00:02:23, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:19 |
| OS Thread IDs | #111 0xE50 |
| Remarks | No high level activity detected in monitored regions |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| reg.exe | 0x003a0000 | 0x003f2fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| pagefile_0x0000000000c60000 | 0x00c60000 | 0x04c5ffff | Pagefile Backed Memory | - | | | | |
| private_0x0000000004c60000 | 0x04c60000 | 0x04c7ffff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004c80000 | 0x04c80000 | 0x04c81fff | Private Memory | Readable, Writable | | | | |
| pagefile_0x0000000004c90000 | 0x04c90000 | 0x04ca3fff | Pagefile Backed Memory | Readable | | | | |
| private_0x0000000004cb0000 | 0x04cb0000 | 0x04ceffff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | Readable, Writable | | | | |
| pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d33fff | Pagefile Backed Memory | Readable | | | | |
| pagefile_0x0000000004d40000 | 0x04d40000 | 0x04d40fff | Pagefile Backed Memory | Readable | | | | |
| private_0x0000000004d50000 | 0x04d50000 | 0x04d51fff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004f40000 | 0x04f40000 | 0x04f4ffff | Private Memory | Readable, Writable | | | | |
| wow64.dll | 0x53cc0000 | 0x53d0efff | Memory Mapped File | Readable, Writable, Executable | | | | |
| wow64win.dll | 0x53d20000 | 0x53d92fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| pagefile_0x000000007e4c0000 | 0x7e4c0000 | 0x7e4e2fff | Pagefile Backed Memory | Readable | | | | |
| private_0x000000007e4e8000 | 0x7e4e8000 | 0x7e4e8fff | Private Memory | Readable, Writable | | | | |
| private_0x000000007e4ec000 | 0x7e4ec000 | 0x7e4eefff | Private Memory | Readable, Writable | | | | |
| private_0x000000007e4ef000 | 0x7e4ef000 | 0x7e4effff | Private Memory | Readable, Writable | | | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | | | |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfb1ddcffff | Private Memory | Readable | | | | |
| pagefile_0x00007dfb1ddd0000 | 0x7dfb1ddd0000 | 0x7ffb1ddcffff | Pagefile Backed Memory | - | | | | |
| ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| private_0x00007ffb1df92000 | 0x7ffb1df92000 | 0x7ffffffeffff | Private Memory | Readable | | | | |
| Information | Value |
|---|---|
| ID / OS PID | #9 / 0xe60 |
| OS Parent PID | 0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe) |
| Initial Working Directory | C:\Users\WI2yhmtI onvScY7Pe\Desktop |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 |
| Monitor | Start Time: 00:02:26, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:16 |
| OS Thread IDs | #115 0xE64 #131 0xEC0 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| reg.exe | 0x003a0000 | 0x003f2fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| pagefile_0x00000000009b0000 | 0x009b0000 | 0x049affff | Pagefile Backed Memory | - | | | | |
| private_0x00000000049b0000 | 0x049b0000 | 0x049cffff | Private Memory | Readable, Writable | | | | |
| pagefile_0x00000000049b0000 | 0x049b0000 | 0x049bffff | Pagefile Backed Memory | Readable, Writable | | | | |
| private_0x00000000049c0000 | 0x049c0000 | 0x049c3fff | Private Memory | Readable, Writable | | | | |
| private_0x00000000049d0000 | 0x049d0000 | 0x049d1fff | Private Memory | Readable, Writable | | | | |
| pagefile_0x00000000049e0000 | 0x049e0000 | 0x049f3fff | Pagefile Backed Memory | Readable | | | | |
| private_0x0000000004a00000 | 0x04a00000 | 0x04a3ffff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004a40000 | 0x04a40000 | 0x04a7ffff | Private Memory | Readable, Writable | | | | |
| pagefile_0x0000000004a80000 | 0x04a80000 | 0x04a83fff | Pagefile Backed Memory | Readable | | | | |
| pagefile_0x0000000004a90000 | 0x04a90000 | 0x04a90fff | Pagefile Backed Memory | Readable | | | | |
| private_0x0000000004aa0000 | 0x04aa0000 | 0x04aa1fff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004ab0000 | 0x04ab0000 | 0x04aeffff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004af0000 | 0x04af0000 | 0x04b2ffff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004b40000 | 0x04b40000 | 0x04b4ffff | Private Memory | Readable, Writable | | | | |
| locale.nls | 0x04b50000 | 0x04c0dfff | Memory Mapped File | Readable | | | | |
| private_0x0000000004ca0000 | 0x04ca0000 | 0x04d9ffff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004e40000 | 0x04e40000 | 0x04e4ffff | Private Memory | Readable, Writable | | | | |
| wow64.dll | 0x53cc0000 | 0x53d0efff | Memory Mapped File | Readable, Writable, Executable | | | | |
| wow64cpu.dll | 0x53d10000 | 0x53d17fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| wow64win.dll | 0x53d20000 | 0x53d92fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| bcryptprimitives.dll | 0x74e60000 | 0x74eb8fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| cryptbase.dll | 0x74ec0000 | 0x74ec9fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| sspicli.dll | 0x74ed0000 | 0x74eedfff | Memory Mapped File | Readable, Writable, Executable | | | | |
| msvcrt.dll | 0x74ef0000 | 0x74fadfff | Memory Mapped File | Readable, Writable, Executable | | | | |
| advapi32.dll | 0x74fb0000 | 0x7502afff | Memory Mapped File | Readable, Writable, Executable | | | | |
| KernelBase.dll | 0x752e0000 | 0x75455fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| kernel32.dll | 0x75650000 | 0x7573ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
| ws2_32.dll | 0x75b90000 | 0x75bebfff | Memory Mapped File | Readable, Writable, Executable | | | | |
| sechost.dll | 0x75eb0000 | 0x75ef2fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| nsi.dll | 0x76050000 | 0x76056fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| rpcrt4.dll | 0x76860000 | 0x7690bfff | Memory Mapped File | Readable, Writable, Executable | | | | |
| ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| pagefile_0x000000007f890000 | 0x7f890000 | 0x7f98ffff | Pagefile Backed Memory | Readable | | | | |
| pagefile_0x000000007f990000 | 0x7f990000 | 0x7f9b2fff | Pagefile Backed Memory | Readable | | | | |
| private_0x000000007f9b5000 | 0x7f9b5000 | 0x7f9b5fff | Private Memory | Readable, Writable | | | | |
| private_0x000000007f9b9000 | 0x7f9b9000 | 0x7f9b9fff | Private Memory | Readable, Writable | | | | |
| private_0x000000007f9ba000 | 0x7f9ba000 | 0x7f9bcfff | Private Memory | Readable, Writable | | | | |
| private_0x000000007f9bd000 | 0x7f9bd000 | 0x7f9bffff | Private Memory | Readable, Writable | | | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | | | |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfb1ddcffff | Private Memory | Readable | | | | |
| pagefile_0x00007dfb1ddd0000 | 0x7dfb1ddd0000 | 0x7ffb1ddcffff | Pagefile Backed Memory | - | | | | |
| ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| private_0x00007ffb1df92000 | 0x7ffb1df92000 | 0x7ffffffeffff | Private Memory | Readable | | | | |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| MOD | GET_HANDLE | module_name = c:\windows\syswow64\reg.exe, base_address = 0x3a0000 | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | | 1 | |
| REG | CREATE_KEY | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | | 1 | |
| REG | READ_VALUE | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, value_name = Hidden | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, value_name = Hidden, data = 2 | | 1 | |
| FILE | OPEN | file_name = STD_OUTPUT_HANDLE | | 3 | |
| FILE | WRITE | file_name = STD_OUTPUT_HANDLE, size = 39 | | 1 |
| Information | Value |
|---|---|
| ID / OS PID | #10 / 0xe68 |
| OS Parent PID | 0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe) |
| Initial Working Directory | C:\Users\WI2yhmtI onvScY7Pe\Desktop |
| File Name | c:\windows\syswow64\reg.exe |
| Command Line | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f |
| Monitor | Start Time: 00:02:26, Reason: Child Process |
| Unmonitor | End Time: 00:02:42, Reason: Terminated by Timeout |
| Monitor Duration | 00:00:16 |
| OS Thread IDs | #116 0xE6C #132 0xED0 |
| Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
|---|---|---|---|---|---|---|---|---|
| reg.exe | 0x003a0000 | 0x003f2fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - | | | | |
| private_0x0000000004410000 | 0x04410000 | 0x0442ffff | Private Memory | Readable, Writable | | | | |
| pagefile_0x0000000004410000 | 0x04410000 | 0x0441ffff | Pagefile Backed Memory | Readable, Writable | | | | |
| private_0x0000000004420000 | 0x04420000 | 0x04423fff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004430000 | 0x04430000 | 0x04431fff | Private Memory | Readable, Writable | | | | |
| pagefile_0x0000000004440000 | 0x04440000 | 0x04453fff | Pagefile Backed Memory | Readable | | | | |
| private_0x0000000004460000 | 0x04460000 | 0x0449ffff | Private Memory | Readable, Writable | | | | |
| private_0x00000000044a0000 | 0x044a0000 | 0x044dffff | Private Memory | Readable, Writable | | | | |
| pagefile_0x00000000044e0000 | 0x044e0000 | 0x044e3fff | Pagefile Backed Memory | Readable | | | | |
| pagefile_0x00000000044f0000 | 0x044f0000 | 0x044f0fff | Pagefile Backed Memory | Readable | | | | |
| private_0x0000000004500000 | 0x04500000 | 0x04501fff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004520000 | 0x04520000 | 0x0452ffff | Private Memory | Readable, Writable | | | | |
| locale.nls | 0x04530000 | 0x045edfff | Memory Mapped File | Readable | | | | |
| private_0x00000000045f0000 | 0x045f0000 | 0x0462ffff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004630000 | 0x04630000 | 0x0466ffff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004680000 | 0x04680000 | 0x0477ffff | Private Memory | Readable, Writable | | | | |
| private_0x0000000004900000 | 0x04900000 | 0x0490ffff | Private Memory | Readable, Writable | | | | |
| wow64.dll | 0x53cc0000 | 0x53d0efff | Memory Mapped File | Readable, Writable, Executable | | | | |
| wow64cpu.dll | 0x53d10000 | 0x53d17fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| wow64win.dll | 0x53d20000 | 0x53d92fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| bcryptprimitives.dll | 0x74e60000 | 0x74eb8fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| cryptbase.dll | 0x74ec0000 | 0x74ec9fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| sspicli.dll | 0x74ed0000 | 0x74eedfff | Memory Mapped File | Readable, Writable, Executable | | | | |
| msvcrt.dll | 0x74ef0000 | 0x74fadfff | Memory Mapped File | Readable, Writable, Executable | | | | |
| advapi32.dll | 0x74fb0000 | 0x7502afff | Memory Mapped File | Readable, Writable, Executable | | | | |
| KernelBase.dll | 0x752e0000 | 0x75455fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| kernel32.dll | 0x75650000 | 0x7573ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
| ws2_32.dll | 0x75b90000 | 0x75bebfff | Memory Mapped File | Readable, Writable, Executable | | | | |
| sechost.dll | 0x75eb0000 | 0x75ef2fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| nsi.dll | 0x76050000 | 0x76056fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| rpcrt4.dll | 0x76860000 | 0x7690bfff | Memory Mapped File | Readable, Writable, Executable | | | | |
| ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| pagefile_0x000000007ef60000 | 0x7ef60000 | 0x7f05ffff | Pagefile Backed Memory | Readable | | | | |
| pagefile_0x000000007f060000 | 0x7f060000 | 0x7f082fff | Pagefile Backed Memory | Readable | | | | |
| private_0x000000007f085000 | 0x7f085000 | 0x7f087fff | Private Memory | Readable, Writable | | | | |
| private_0x000000007f088000 | 0x7f088000 | 0x7f088fff | Private Memory | Readable, Writable | | | | |
| private_0x000000007f08a000 | 0x7f08a000 | 0x7f08cfff | Private Memory | Readable, Writable | | | | |
| private_0x000000007f08d000 | 0x7f08d000 | 0x7f08dfff | Private Memory | Readable, Writable | | | | |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | | | |
| private_0x000000007fff0000 | 0x7fff0000 | 0x7dfb1ddcffff | Private Memory | Readable | | | | |
| pagefile_0x00007dfb1ddd0000 | 0x7dfb1ddd0000 | 0x7ffb1ddcffff | Pagefile Backed Memory | - | | | | |
| ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | | | | |
| private_0x00007ffb1df92000 | 0x7ffb1df92000 | 0x7ffffffeffff | Private Memory | Readable | | | | |
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| MOD | GET_HANDLE | module_name = c:\windows\syswow64\reg.exe, base_address = 0x3a0000 | | 1 | |
| REG | OPEN_KEY | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | | 1 | |
| REG | CREATE_KEY | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | | 1 | |
| REG | READ_VALUE | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, value_name = EnableLUA | | 1 | |
| REG | WRITE_VALUE | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, value_name = EnableLUA, data = 0 | | 1 | |
| FILE | OPEN | file_name = STD_OUTPUT_HANDLE | | 3 | |
| FILE | WRITE | file_name = STD_OUTPUT_HANDLE, size = 39 | | 1 |
