VMRay Analyzer Report
Monitored Processes
Process Graph
Behavior Information - Grouped by Category
Process #1: tax tool.exe
(Host: 212, Network: 0)
+
InformationValue
ID / OS PID#1 / 0x990
OS Parent PID0x7cc (c:\windows\explorer.exe)
Initial Working DirectoryC:\Users\WI2yhmtI onvScY7Pe\Desktop
File Namec:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe
Command Line"C:\Users\WI2yhmtI onvScY7Pe\Desktop\Tax Tool.exe"
MonitorStart Time: 00:00:37, Reason: Analysis Target
UnmonitorEnd Time: 00:01:09, Reason: Terminated
Monitor Duration00:00:32
OS Thread IDs
#1
0x7BC
#2
0x9EC
Region
+
NameStart VAEnd VATypePermissionsMonitoredDumpYARA MatchActions
Tax Tool.exe0x001400000x00163fffMemory Mapped FileReadable, Writable, ExecutableTrueTrueFalse
private_0x00000000008200000x008200000x0083ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x00000000008200000x008200000x0082ffffPagefile Backed MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000008300000x008300000x00833fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000008400000x008400000x00841fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000008400000x008400000x00840fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x00000000008500000x008500000x00863fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x00000000008700000x008700000x008affffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000008b00000x008b00000x009affffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x00000000009b00000x009b00000x009b3fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x00000000009c00000x009c00000x009c1fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000009d00000x009d00000x00a0ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000000a100000x00a100000x00a10fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x0000000000a200000x00a200000x00a20fffPagefile Backed MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000000a700000x00a700000x00a7ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000000af00000x00af00000x00beffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
locale.nls0x00bf00000x00cadfffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
private_0x0000000000cb00000x00cb00000x00daffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000000dd00000x00dd00000x00e5ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x0000000000e600000x00e600000x00fe7fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x00000000010500000x010500000x0105ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
SortDefault.nls0x010600000x01396fffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
pagefile_0x00000000013a00000x013a00000x01520fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x00000000015300000x015300000x0292ffffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x00000000029300000x029300000x02a2ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
wow64win.dll0x64da00000x64e12fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wow64.dll0x64e200000x64e6efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wow64cpu.dll0x64e700000x64e77fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ntmarta.dll0x743200000x74347fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
secur32.dll0x743500000x74359fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
rsaenh.dll0x743600000x7438efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
bcrypt.dll0x743900000x743aafffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
cryptsp.dll0x743b00000x743c2fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
apphelp.dll0x743d00000x74460fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
bcryptprimitives.dll0x744700000x744c8fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
cryptbase.dll0x744d00000x744d9fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
sspicli.dll0x744e00000x744fdfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
msvcrt.dll0x745a00000x7465dfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
gdi32.dll0x746600000x747acfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
shell32.dll0x747b00000x75b6efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
rpcrt4.dll0x75b700000x75c1bfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
user32.dll0x75dd00000x75f0ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
psapi.dll0x75f100000x75f15fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
windows.storage.dll0x75f200000x763fcfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
kernel32.dll0x764600000x7654ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ole32.dll0x768000000x768e9fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
msctf.dll0x769c00000x76adffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
shlwapi.dll0x76ae00000x76b23fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
advapi32.dll0x76d700000x76deafffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
SHCore.dll0x76df00000x76e7cfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
kernel.appcore.dll0x76e800000x76e8bfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
sechost.dll0x76e900000x76ed2fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
KernelBase.dll0x76fa00000x77115fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
combase.dll0x771200000x772d9fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
profapi.dll0x773400000x7734efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
imm32.dll0x773500000x7737afffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
powrprof.dll0x773800000x773c3fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ntdll.dll0x773d00000x77548fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
pagefile_0x000000007f7000000x7f7000000x7f7fffffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x000000007f8000000x7f8000000x7f822fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x000000007f8280000x7f8280000x7f82afffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007f82b0000x7f82b0000x7f82dfffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007f82e0000x7f82e0000x7f82efffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007f82f0000x7f82f0000x7f82ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007ffe00000x7ffe00000x7ffeffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
private_0x000000007fff00000x7fff00000x7ffd2ef5ffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
ntdll.dll0x7ffd2ef600000x7ffd2f121fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
private_0x00007ffd2f1220000x7ffd2f1220000x7ffffffeffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
Created Files
+
FilenameFile SizeHash ValuesYARA MatchActions
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe0.00 KB (0 bytes)MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igb0.00 KB (0 bytes)MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\windows powershell (x86).ezu0.00 KB (0 bytes)MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe0.00 KB (0 bytes)MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		False
c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat0.00 KB (0 bytes)MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe121.50 KB (124416 bytes)MD5: 212ba96c626898e00e140d5fb3230dd8
SHA1: 204764a6e5f7b2426274da728ee07927b813f68d
SHA256: ec2504089edf0330d58433079b2a5f72c102582c399ad73c59777ee03363929a		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe0.26 KB (265 bytes)MD5: 598227eaf10572cd3a519f5036e3a0f8
SHA1: 5f972be1d9fed9292fdae2ab04017c234d2d96ee
SHA256: 67f1199a2804f65f9da317e82adf318953870e237558170e741e33820e8da33f		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe0.52 KB (529 bytes)MD5: 683dd5a2c796055086e0a367add3c5b4
SHA1: 4c548cc2706fb6d3e9e5dfea1cbeb8921eb40844
SHA256: 13416446403affb8e7f4e9db34e92143101e496cef63c2f6c1d019c6c85cdba2		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe1.08 KB (1103 bytes)MD5: 384efe8afe27bc20f037cbc8d84a7691
SHA1: 73d0c5fbb0a2687f0feddb000ca256ab4f43fdc9
SHA256: 73c3acdb9d33f60409d9a83ca7204a118e7b8f38fc2638d6c6a621806c2df20c		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe1.33 KB (1361 bytes)MD5: fde195c534195cb7fb9366b18301668f
SHA1: b98f70d52a2cf9c05d4d4a1c52599e8e45f14b9f
SHA256: 09c6cc653ac2cce1552324e4b17e2e11ef7c85c1f90918261b718ba31bf1f1d9		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe1.89 KB (1935 bytes)MD5: 0e2b555664f17266cf3b5420d4aba348
SHA1: 84c5723a050d3dcb65a460fb5b534a1977b00b72
SHA256: 190e2657688962f9bf414088e992b5f318a99044ba57418f112ecd78433b7d98		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe2.14 KB (2193 bytes)MD5: 40dc3af609187270c9b1f4bf6786aa91
SHA1: 47f557a9eb55f13ce9ca3b1aa0a6e6ff02b3ab9e
SHA256: 816326cc557001348409dc0492eea41b428b2728b2e458b65ae1fe8b463d42f9		False
c:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.bat0.20 KB (208 bytes)MD5: 3215eb29677705de660def9e4273ba00
SHA1: c82c24651b98844badc03c6f260427f0b71b4ee3
SHA256: 20e9f42ac7c3ed26c39fd332f57fc1fd8a140c95b33b69a1b4f9f6c8a98eb24d		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe2.39 KB (2451 bytes)MD5: d324f1fd479c2bacebc213132aff5e9b
SHA1: d4f7e27c169e61fd97bc902febacab1130591774
SHA256: ab9bfe1d9a700437dbaceaf589895ab78d4a19335adb93cbcb41894d03cd86c3		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe2.65 KB (2709 bytes)MD5: 9e56e008f2a7f27a1c9301f58b73a1fb
SHA1: e74bd51e9a5b3be896f19f4a12f31c581d0f6ddf
SHA256: d2001b0365dddaac19598d06b9912fb3ed9804b4f0a00f5170c464e19c0a7b7f		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe2.90 KB (2967 bytes)MD5: f42069389087f040bd6f6ecaf0fe6f4f
SHA1: cfe0ddda7548662df2da7cd897c8b0f069166819
SHA256: 327ebeb1a3f76d7c36ccb582a619f895ea2c76534b475ca9981e49b6ca430e4c		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe3.15 KB (3225 bytes)MD5: 2c2967db418be7858ce35e21caa1918a
SHA1: 5b04283d55662eb4bd4cf9e323d09463b67d1f7a
SHA256: 10f558a3e37bc36222252c81203bcae7a3cc2e7ada6ff3d95648fb3730458e03		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe3.40 KB (3485 bytes)MD5: 3e472ff90aad21bb3e5a8bc2c8648302
SHA1: fc4e97d91d56edf29ada45ae1d984d88739e7abf
SHA256: 1470ff8273b2d3e7bf490d044594eab83b5af7e1e6d45241677bf6e01e0b7128		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe3.66 KB (3743 bytes)MD5: 7a245ac97a224505665b541cbaeebee3
SHA1: fb77de1a8006c5cc48493e21778c03e9b7e190d0
SHA256: 62cd74f35b09b3aeba6cecef7202838b2f064346ae2497e7726c3f419acb2495		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe0.29 KB (300 bytes)MD5: f6a13797c4a7fbf5afc403b328c1e8c5
SHA1: 486f070991d6efbc629e37826f0e5ffd8d6dd57c
SHA256: 243f8a051986749e2377b8af05b0acd4f85b610ecbdd6f4aedf750972882f6a6		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe0.54 KB (558 bytes)MD5: ffc3df0ebee342a4e3356e9f3c0e85be
SHA1: d79aeb7c0083ade7c81985fec2e6b49937d7ec4d
SHA256: 713134ae03876de50ec03084726e1eafb2294dde6d6a47fbea86aa3958c1511d		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe0.76 KB (782 bytes)MD5: db2175e7cf910e0e24821d456ebb7585
SHA1: 5a102942a1cbac3fadfd9649cb428dbd75352aed
SHA256: 590375cde13ff61855b82b293ceb3c9f58c9c4efd5c0fb24bf0a779cab9943af		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe1.02 KB (1040 bytes)MD5: fbb0a72ea8e09554941663de29329a40
SHA1: 1f840d739104c7cd342dfd629f6c933ab4a105a0
SHA256: 487e26636554e2e99bbe89c2eebe1b4b852a8392e28d29e8923ce1d824d21d95		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe1.26 KB (1294 bytes)MD5: 5e28fab2d35f061f70502561be1f1df2
SHA1: 663a2e078f393dbd5b86894776f7fd259c00b539
SHA256: 6036dd202571a297e7508fe51edbfd25b7836fdc6809d97ad0b56cd73cf0e426		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe1.55 KB (1584 bytes)MD5: 64b1e0834f2346514bb4433aedc1016b
SHA1: 53683915912ba78c08c3f0937b74effa06c108d9
SHA256: b0a1869b21a956ba18b8f7c8b5e0cb8ae6c95b26bd29bd218b6b92cfa183cedf		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe1.80 KB (1842 bytes)MD5: f97e6372c6d29955ddf7c416f3708cc6
SHA1: e8a70512be9513c5fbb4d6d1d87be4b094816afe
SHA256: 0176cfe6bd77c649d36fbc85cf2c49eb6f8247ce1a70eec642bc2f0ccf8aa8bc		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe2.03 KB (2080 bytes)MD5: 9d681634feb1c951ea4059f5e10b523a
SHA1: 6be62c7771daced861cca5df6959b88d5e5ccfe3
SHA256: 5e32da45e07fa8771316f1674cdb7775fd7e2d56298256623d3c67ed7534e019		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe2.28 KB (2338 bytes)MD5: ba59d690511615ff5dba43b8dd5d9aa3
SHA1: d13e2219cefe5694c942550a0289234c6cc4808d
SHA256: 1b50c8286f18aee27ac5337f51a60d028190f24cde5627776a0243ad62b8cfee		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe2.53 KB (2593 bytes)MD5: e762c37b5807251f282414012fe2009b
SHA1: 96d7afcc2128b4d7211a07c9fe6bf99afa547d90
SHA256: c815a1a5b7d59c631ed0c207ef53d4426deb77b7dfad9e28ca1a11b492ac5b04		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe2.78 KB (2851 bytes)MD5: ea6441c70e9188d0ed6d0eb6a286a601
SHA1: 9df4f3cd002046976c2f493cabfdd239d565a687
SHA256: a1a80b8cbe0ae3ccb1de180eb7975983da6d7b1d8928318801a4e2a0fb67f347		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe3.02 KB (3089 bytes)MD5: 030ff7962063f02d5896a8431c841a57
SHA1: c10b994f30d9714b92f5aaa4854d79883d030596
SHA256: 943de26e7c618724d702aedb30d5aba8057bea2697c5acbbb38876e3c2dc738e		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe3.27 KB (3344 bytes)MD5: 98940ed2350b00d2ef6629dfb9f08c00
SHA1: ebc46c3cca6048a71ce9573676e368684f90478a
SHA256: 65d061d505641ae4d3ee64bc8c6972a958c16db59bdcfbca096bd40f74eb70a9		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe3.52 KB (3602 bytes)MD5: 357f32a54d5d517df86e981bd9019870
SHA1: c0d4ec432c0e3bdb31b6222583148acd077a135d
SHA256: 7c6e9e56ce32afcab61799d28374b6c7f57972f1fae7819c751bcf3233c758d5		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe3.75 KB (3840 bytes)MD5: 4142c9a690eb4e1d0b215a747f333546
SHA1: 3764fad05b6b3fa10d03cefc337f24a6ae424525
SHA256: 27f289761a908db346923240a85b20ed5e5f89b569b443ee9994f5d22df85624		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe4.00 KB (4095 bytes)MD5: 3ff8ec0ba3fea26c14b27fe8ca267d44
SHA1: 91b2244d60ca5612c986312975f278da359eb2cc
SHA256: b5c5e72c914d2624dc68d09a826acda5f0d84753d2e09fa0c76b7331a46b60f6		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe4.25 KB (4353 bytes)MD5: e46d6766caf36eafeac7a3f827215fb3
SHA1: e1f3a7e548578540fdb9ea1db517f15a99a36ad7
SHA256: 2abc10027eca4fec37d699b0d8041c7f3be80933a82c3ff66ebfb54dc0c296d8		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe4.48 KB (4591 bytes)MD5: 39c96c7e7dbc025832df850bfc74323b
SHA1: 3c95a66fb5db650f50363bd8c0d0612d190b9ba0
SHA256: d57f2612bbb151f0bcd3f97dc99395d763f04649f3a4a8331bddd59c4816a13d		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe4.70 KB (4808 bytes)MD5: aa7ed1b1d6502b7bdcb0b33985edc3f6
SHA1: 6fae494693abfbc112f9252f59aea3d2f3a8bfbe
SHA256: 73590e55e6f6eaad180030898fd2f3e1c085b023931795cf8060fee8f09b8397		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe4.95 KB (5066 bytes)MD5: 53b81458b9f35668bc97f234805c5796
SHA1: 943dd361b17f42fedea9d1e0eddc2e8ca255fa2a
SHA256: f6232588fb72f18b5d28ac56bfdc4419178a46385d6ed0a047eb12ae8310858e		False
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoe5.18 KB (5303 bytes)MD5: 61d8c35dfdf0c7474057df1e12399328
SHA1: 0646ffed24eef4ec10b2e2033e7bf3411fa628a0
SHA256: 274307bf49ed0bccbaba90b17a059ce2fb3515dedeeffe840bc3d4ce700ea544		False
Host Behavior
File (54)
+
OperationFilenameAdditional InformationSuccessCountLogfile
CREATEdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGFalse2
Fn
CREATEdesired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALFalse2
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exedesired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_OPEN, create_options = FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0True1
Fn
CREATEvmgenerationcountershare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEhgfsshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEvmcishare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEvboxguestshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEvboxmouseshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEvboxvideoshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEvboxminirddnshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEvboxtrayipcshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEvirtualmachineservicesshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEprl_pvshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEprl_tgshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEprl_timeshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEc:\popupkiller.exeshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEc:\stimulator.exeshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEc:\tools\execute.exeshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEnpf_ndiswanipshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEsiceshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEsiwvidshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEsiwdebugshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEnticeshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEregvxgshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEfilevxgshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEregsysshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEfilemshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEtrwshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEicextshare_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoedesired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igbdesired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\windows powershell (x86).ezudesired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exedesired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exedesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exedesired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exedesired_access = FILE_WRITE_EA, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_OPEN, create_options = FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0True1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roamingdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = OPEN_EXISTING, file_attributes = FILE_FLAG_BACKUP_SEMANTICSTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exedesired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\javadesired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoedesired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash playerdesired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGFalse3
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igbdesired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\windows powershell (x86).ezudesired_access = FILE_WRITE_ATTRIBUTES, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGTrue1
Fn
CREATEc:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.batdesired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue2
Fn
CREATE_DIRFalse2
Fn
READc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exesize = 124416True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exesize = 124416True1
Fn
Data
WRITEc:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.batsize = 208True1
Fn
Data
Process (9)
+
OperationProcess NameAdditional InformationSuccessCountLogfile
CREATE"C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe"os_tid = 0xbcc, os_pid = 0x84, creation_flags = CREATE_DEFAULT_ERROR_MODE, current_directory = C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming, show_window = SW_HIDETrue1
Fn
CREATE"C:\Windows\system32\cmd.exe" \c "C:\Users\WI2YHM~1\AppData\Local\Temp\upd823d0e12.bat"os_tid = 0xcb0, os_pid = 0xcac, creation_flags = CREATE_DEFAULT_ERROR_MODE, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDETrue1
Fn
OPEN_TOKENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exeos_pid = 0x990, desired_access = PROCESS_VM_OPERATION, READ_CONTROL, desired_access = PROCESS_VM_OPERATION, READ_CONTROLTrue1
Fn
OPEN_TOKENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exeos_pid = 0x990, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATIONTrue1
Fn
OPEN_TOKENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exeos_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITETrue5
Fn
Module (29)
+
OperationModuleAdditional InformationSuccessCountLogfile
LOADNTDLLbase_address = 0x773d0000True2
Fn
LOADadvapi32.dllbase_address = 0x76d70000True1
Fn
LOADshlwapi.dllbase_address = 0x76ae0000True1
Fn
LOADshell32.dllbase_address = 0x747b0000True1
Fn
LOADole32.dllbase_address = 0x76800000True1
Fn
LOADapi-ms-win-core-com-l1-1-0base_address = 0x77120000True1
Fn
LOADpsapi.dllbase_address = 0x75f10000True1
Fn
LOADsecur32.dllbase_address = 0x74350000True1
Fn
LOADSSPICLIbase_address = 0x744e0000True1
Fn
LOADSbieDll.dllbase_address = 0x0False1
Fn
GET_HANDLEc:\windows\syswow64\kernel32.dllbase_address = 0x76460000True2
Fn
GET_HANDLEc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exebase_address = 0x140000True1
Fn
GET_HANDLEc:\windows\syswow64\ntdll.dllbase_address = 0x773d0000True1
Fn
GET_HANDLEadvapi32.dllbase_address = 0x0False1
Fn
GET_HANDLEshlwapi.dllbase_address = 0x0False1
Fn
GET_HANDLEshell32.dllbase_address = 0x0False1
Fn
GET_HANDLEole32.dllbase_address = 0x0False1
Fn
GET_HANDLEpsapi.dllbase_address = 0x0False1
Fn
GET_HANDLEsecur32.dllbase_address = 0x0False1
Fn
GET_HANDLEc:\windows\syswow64\user32.dllbase_address = 0x75dd0000True1
Fn
GET_FILENAMEc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exefile_name = C:\Users\WI2yhmtI onvScY7Pe\Desktop\Tax Tool.exe, module_name = psapi.dll, os_pid = 0x990True1
Fn
GET_FILENAMEc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exefile_name = C:\Users\WI2yhmtI onvScY7Pe\Desktop\Tax Tool.exe, module_name = secur32.dll, os_pid = 0x990True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\ntdll.dllfunction = RtlAddVectoredExceptionHandler, address = 0x7742f090True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\ntdll.dllfunction = RtlInitializeCriticalSection, address = 0x774295f0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\combase.dllfunction = CLSIDFromString, address = 0x771d1390True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\sspicli.dllfunction = GetUserNameExW, address = 0x744ec5f0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = wine_get_unix_file_name, address = 0x0False1
Fn
Registry (69)
+
OperationKeyAdditional InformationSuccessCountLogfile
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\MicrosoftTrue1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\NarratorTrue2
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\WABTrue4
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\FeedsTrue1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\WcmSvcTrue3
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\SpeechTrue3
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\FaxTrue3
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\GameBarTrue1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\KeyboardTrue3
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\WispTrue2
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\FTPTrue4
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDriveTrue3
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\WindowsTrue3
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\UnistoreTrue1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\UserDataTrue1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\PeerNetTrue4
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\PimTrue1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\Java VMTrue2
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\PoomTrue2
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\MSFTrue1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\SkyDriveTrue2
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\F12True1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\OskTrue1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\CuxiyTrue1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\HayfraTrue1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\YgizgoTrue1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\FaboTrue1
Fn
OPEN_KEYHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersionTrue4
Fn
OPEN_KEYHKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware ToolsFalse1
Fn
OPEN_KEYHKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest AdditionsFalse1
Fn
OPEN_KEYHKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__False1
Fn
OPEN_KEYHKEY_LOCAL_MACHINE\HARDWARE\Description\SystemTrue1
Fn
OPEN_KEYHKEY_CURRENT_USER\Software\WINEFalse1
Fn
OPEN_KEYHKEY_LOCAL_MACHINE\Software\WINEFalse1
Fn
READ_VALUEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersionvalue_name = InstallDate, data_ident_out = 0True2
Fn
READ_VALUEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersionvalue_name = DigitalProductIdFalse2
Fn
READ_VALUEHKEY_LOCAL_MACHINE\HARDWARE\Description\Systemvalue_name = SystemBiosVersion, data_ident_out = 0True1
Fn
READ_VALUEHKEY_LOCAL_MACHINE\HARDWARE\Description\Systemvalue_name = SystemBiosVersion, data_ident_out = PTLTD - 6040000True1
Fn
User (10)
+
OperationUser/Group/ServerAdditional InformationSuccessCountLogfile
LOOKUP_PRIVILEGELocalhostprivilege = SeSecurityPrivilegeTrue5
Fn
SET_PRIVILEGELocalhostc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilegeTrue5
Fn
Keyboard (2)
+
OperationVirtual Key CodeAdditional InformationSuccessCountLogfile
GET_INFOKB_LOCALE_IDTrue2
Fn
System (29)
+
OperationInformationSuccessCountLogfile
SLEEPduration = 0 milliseconds (0.000 seconds)True28
Fn
SLEEPduration = -1 (infinite)True1
Fn
Mutex (10)
+
OperationNameAdditional InformationSuccessCountLogfile
CREATE8A000000B7496798F6145935AA3E2760initial_owner = 0True2
Fn
CREATEMicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutexinitial_owner = 0True1
Fn
CREATESandboxie_SingleInstanceMutex_Controlinitial_owner = 0True1
Fn
CREATEFrz_Stateinitial_owner = 0True1
Fn
CREATE4B000000D586D2D8AB6E07EC44CC9183initial_owner = 0True1
Fn
OPENC0000000844EE6C40648470D345E7B65desired_access = SYNCHRONIZEFalse1
Fn
RELEASE8A000000B7496798F6145935AA3E2760True2
Fn
RELEASE4B000000D586D2D8AB6E07EC44CC9183True1
Fn
Process #2: devices.exe
(Host: 83, Network: 0)
+
InformationValue
ID / OS PID#2 / 0x84
OS Parent PID0x990 (c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe)
Initial Working DirectoryC:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming
File Namec:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe
Command Line"C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe"
MonitorStart Time: 00:00:57, Reason: Child Process
UnmonitorEnd Time: 00:01:09, Reason: Terminated
Monitor Duration00:00:12
OS Thread IDs
#3
0xBCC
#4
0x8E4
Region
+
NameStart VAEnd VATypePermissionsMonitoredDumpYARA MatchActions
Devices.exe0x00bd00000x00bf3fffMemory Mapped FileReadable, Writable, ExecutableTrueTrueFalse
private_0x0000000000c400000x00c400000x00c5ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x0000000000c400000x00c400000x00c4ffffPagefile Backed MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000000c500000x00c500000x00c53fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000000c600000x00c600000x00c61fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000000c600000x00c600000x00c60fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x0000000000c700000x00c700000x00c83fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x0000000000c900000x00c900000x00ccffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000000cd00000x00cd00000x00dcffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x0000000000dd00000x00dd00000x00dd3fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x0000000000de00000x00de00000x00de1fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
locale.nls0x00df00000x00eadfffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
private_0x0000000000eb00000x00eb00000x00eeffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000000ef00000x00ef00000x00ef0fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x0000000000f000000x00f000000x00f00fffPagefile Backed MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000000f600000x00f600000x00f6ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000010500000x010500000x0114ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000011f00000x011f00000x0127ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000012800000x012800000x0137ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000014c00000x014c00000x014cffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
SortDefault.nls0x014d00000x01806fffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
pagefile_0x00000000018100000x018100000x01997fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x00000000019a00000x019a00000x01b20fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x0000000001b300000x01b300000x02f2ffffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
wow64win.dll0x64da00000x64e12fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wow64.dll0x64e200000x64e6efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wow64cpu.dll0x64e700000x64e77fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ntmarta.dll0x743200000x74347fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
secur32.dll0x743500000x74359fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
rsaenh.dll0x743600000x7438efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
bcrypt.dll0x743900000x743aafffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
cryptsp.dll0x743b00000x743c2fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
apphelp.dll0x743d00000x74460fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
bcryptprimitives.dll0x744700000x744c8fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
cryptbase.dll0x744d00000x744d9fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
sspicli.dll0x744e00000x744fdfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
msvcrt.dll0x745a00000x7465dfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
gdi32.dll0x746600000x747acfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
shell32.dll0x747b00000x75b6efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
rpcrt4.dll0x75b700000x75c1bfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
user32.dll0x75dd00000x75f0ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
psapi.dll0x75f100000x75f15fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
windows.storage.dll0x75f200000x763fcfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
kernel32.dll0x764600000x7654ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ole32.dll0x768000000x768e9fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
msctf.dll0x769c00000x76adffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
shlwapi.dll0x76ae00000x76b23fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
advapi32.dll0x76d700000x76deafffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
SHCore.dll0x76df00000x76e7cfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
kernel.appcore.dll0x76e800000x76e8bfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
sechost.dll0x76e900000x76ed2fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
KernelBase.dll0x76fa00000x77115fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
combase.dll0x771200000x772d9fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
profapi.dll0x773400000x7734efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
imm32.dll0x773500000x7737afffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
powrprof.dll0x773800000x773c3fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ntdll.dll0x773d00000x77548fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
pagefile_0x000000007e3f00000x7e3f00000x7e4effffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x000000007e4f00000x7e4f00000x7e512fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x000000007e5130000x7e5130000x7e513fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e5180000x7e5180000x7e518fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e51a0000x7e51a0000x7e51cfffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e51d0000x7e51d0000x7e51ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007ffe00000x7ffe00000x7ffeffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
private_0x000000007fff00000x7fff00000x7ffd2ef5ffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
ntdll.dll0x7ffd2ef600000x7ffd2f121fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
private_0x00007ffd2f1220000x7ffd2f1220000x7ffffffeffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
Host Behavior
File (11)
+
OperationFilenameAdditional InformationSuccessCountLogfile
CREATEdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGFalse1
Fn
CREATEdesired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exedesired_access = FILE_READ_EA, file_attributes = FILE_ATTRIBUTE_NORMAL, create_disposition = FILE_OPEN, create_options = FILE_NON_DIRECTORY_FILE, ea_buffer = 0, ea_length = 0True1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoedesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGTrue2
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoedesired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue2
Fn
CREATE_DIRFalse1
Fn
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 265True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 265True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 529True1
Fn
Data
Process (9)
+
OperationProcess NameAdditional InformationSuccessCountLogfile
CREATEC:\Windows\SysWOW64\svchost.exe -k netsvcsos_tid = 0x540, os_pid = 0x2ec, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDETrue1
Fn
CREATEC:\Windows\SysWOW64\svchost.exe -k netsvcsos_tid = 0xc58, os_pid = 0xc54, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDETrue1
Fn
OPEN_TOKENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exeos_pid = 0x990, desired_access = PROCESS_VM_OPERATION, READ_CONTROL, desired_access = PROCESS_VM_OPERATION, READ_CONTROLTrue1
Fn
OPEN_TOKENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exeos_pid = 0x990, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATIONTrue1
Fn
OPEN_TOKENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exeos_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITETrue5
Fn
Memory (10)
+
OperationAddressAdditional InformationSuccessCountLogfile
ALLOC0x4eb0000process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0x2ec, size = 147456, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITETrue1
Fn
ALLOC0x5b0000process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0xc54, size = 147456, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITETrue1
Fn
WRITE0x4eb0000process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0x2ec, size = 147456True1
Fn
Data
WRITE0x4ece724process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0x2ec, size = 4True1
Fn
Data
WRITE0x4ece840process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0x2ec, size = 4True1
Fn
Data
WRITE0x4ecee38process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0x2ec, size = 4True1
Fn
Data
WRITE0x5b0000process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0xc54, size = 147456True1
Fn
Data
WRITE0x5ce724process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0xc54, size = 4True1
Fn
Data
WRITE0x5ce840process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0xc54, size = 4True1
Fn
Data
WRITE0x5cee38process_name = C:\Windows\SysWOW64\svchost.exe -k netsvcs, os_pid = 0xc54, size = 4True1
Fn
Data
Thread (2)
+
OperationProcess NameAdditional InformationSuccessCountLogfile
CREATEC:\Windows\SysWOW64\svchost.exe -k netsvcsos_pid = 0x2ec, proc_address = 0x4ebc978, flags = THREAD_RUNS_IMMEDIATELYTrue1
Fn
CREATEC:\Windows\SysWOW64\svchost.exe -k netsvcsos_pid = 0xc54, proc_address = 0x5bc978, flags = THREAD_RUNS_IMMEDIATELYTrue1
Fn
Module (24)
+
OperationModuleAdditional InformationSuccessCountLogfile
LOADNTDLLbase_address = 0x773d0000True2
Fn
LOADadvapi32.dllbase_address = 0x76d70000True1
Fn
LOADshlwapi.dllbase_address = 0x76ae0000True1
Fn
LOADshell32.dllbase_address = 0x747b0000True1
Fn
LOADole32.dllbase_address = 0x76800000True1
Fn
LOADapi-ms-win-core-com-l1-1-0base_address = 0x77120000True1
Fn
LOADpsapi.dllbase_address = 0x75f10000True1
Fn
LOADsecur32.dllbase_address = 0x74350000True1
Fn
LOADSSPICLIbase_address = 0x744e0000True1
Fn
GET_HANDLEc:\windows\syswow64\kernel32.dllbase_address = 0x76460000True1
Fn
GET_HANDLEc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exebase_address = 0xbd0000True1
Fn
GET_HANDLEc:\windows\syswow64\ntdll.dllbase_address = 0x773d0000True1
Fn
GET_HANDLEadvapi32.dllbase_address = 0x0False1
Fn
GET_HANDLEshlwapi.dllbase_address = 0x0False1
Fn
GET_HANDLEshell32.dllbase_address = 0x0False1
Fn
GET_HANDLEole32.dllbase_address = 0x0False1
Fn
GET_HANDLEpsapi.dllbase_address = 0x0False1
Fn
GET_HANDLEsecur32.dllbase_address = 0x0False1
Fn
GET_FILENAMEc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exefile_name = C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe, module_name = psapi.dll, os_pid = 0x990True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\ntdll.dllfunction = RtlAddVectoredExceptionHandler, address = 0x7742f090True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\ntdll.dllfunction = RtlInitializeCriticalSection, address = 0x774295f0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\combase.dllfunction = CLSIDFromString, address = 0x771d1390True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\sspicli.dllfunction = GetUserNameExW, address = 0x744ec5f0True1
Fn
Registry (4)
+
OperationKeyAdditional InformationSuccessCountLogfile
OPEN_KEYHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersionTrue2
Fn
READ_VALUEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersionvalue_name = InstallDate, data_ident_out = 0True1
Fn
READ_VALUEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersionvalue_name = DigitalProductIdFalse1
Fn
User (10)
+
OperationUser/Group/ServerAdditional InformationSuccessCountLogfile
LOOKUP_PRIVILEGELocalhostprivilege = SeSecurityPrivilegeTrue5
Fn
SET_PRIVILEGELocalhostc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilegeTrue5
Fn
Mutex (13)
+
OperationNameAdditional InformationSuccessCountLogfile
CREATE8A000000B7496798F6145935AA3E2760initial_owner = 0True3
Fn
CREATE9C0000002CCF1F00ECD770C403E9DE7Binitial_owner = 1True1
Fn
CREATE54000000F61A7DE2C294AD9653CFD4FDinitial_owner = 1True1
Fn
CREATEAD0000002B4477546D3A308A977C30F1initial_owner = 1True1
Fn
OPEND20000002A14C6E52964F51932B9F49Fdesired_access = SYNCHRONIZEFalse2
Fn
OPENA1000000DA6AF38235D35BF570C2C4E9desired_access = SYNCHRONIZEFalse2
Fn
RELEASE8A000000B7496798F6145935AA3E2760True3
Fn
Process #3: svchost.exe
(Host: 1960, Network: 0)
+
InformationValue
ID / OS PID#3 / 0x2ec
OS Parent PID0x84 (c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe)
Initial Working DirectoryC:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming
File Namec:\windows\syswow64\svchost.exe
Command LineC:\Windows\SysWOW64\svchost.exe -k netsvcs
MonitorStart Time: 00:00:58, Reason: Child Process
UnmonitorEnd Time: 00:02:38, Reason: Terminated by Timeout
Monitor Duration00:01:40
OS Thread IDs
#5
0x540
#6
0x7E4
#7
0x24C
#17
0xD4C
#18
0xD50
#21
0xD6C
#22
0xD70
#23
0xD74
#24
0xD78
#25
0xD7C
#26
0xD80
#27
0xD84
#28
0xD88
#34
0xDA0
#35
0xDA4
#36
0xDAC
Region
+
NameStart VAEnd VATypePermissionsMonitoredDumpYARA MatchActions
svchost.exe0x009000000x0090afffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
pagefile_0x0000000000db00000x00db00000x04daffffPagefile Backed Memory-TrueFalseFalse
  • Region Actions
private_0x0000000004db00000x04db00000x04dcffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x0000000004db00000x04db00000x04dbffffPagefile Backed MemoryReadable, WritableTrueFalseFalse
  • Region Actions
svchost.exe.mui0x04dc00000x04dc0fffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
private_0x0000000004dd00000x04dd00000x04dd0fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004dd00000x04dd00000x04dd0fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x0000000004de00000x04de00000x04df3fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x0000000004e000000x04e000000x04e3ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004e400000x04e400000x04e7ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x0000000004e800000x04e800000x04e83fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x0000000004e900000x04e900000x04e90fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x0000000004ea00000x04ea00000x04ea1fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004eb00000x04eb00000x04ed3fffPrivate MemoryReadable, Writable, ExecutableTrueFalseFalse
  • Region Actions
private_0x0000000004ee00000x04ee00000x04f1ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004ee00000x04ee00000x04efefffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004ee00000x04ee00000x04f1ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004f200000x04f200000x04f5ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004f200000x04f200000x04f5ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004f600000x04f600000x04f9ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004fa00000x04fa00000x04fdffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004fe00000x04fe00000x04fe0fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004ff00000x04ff00000x04ff0fffPrivate MemoryReadable, Writable, ExecutableTrueFalseFalse
  • Region Actions
private_0x00000000050000000x050000000x05003fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
locale.nls0x050100000x050cdfffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
private_0x00000000050d00000x050d00000x050e2fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x00000000050d00000x050d00000x050d0fffPagefile Backed MemoryReadable, WritableTrueFalseFalse
  • Region Actions
counters.dat0x050e00000x050e0fffMemory Mapped FileReadable, WritableTrueTrueFalse
private_0x00000000050f00000x050f00000x050f6fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000051000000x051000000x051fffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000052000000x052000000x052fffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000053000000x053000000x0533ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000053400000x053400000x05340fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000053400000x053400000x05352fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x00000000053400000x053400000x0534ffffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x00000000053500000x053500000x05350fffPagefile Backed MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000053600000x053600000x05363fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000053700000x053700000x053affffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000053b00000x053b00000x053effffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x00000000053f00000x053f00000x053f1fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x00000000054000000x054000000x054fffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000055000000x055000000x0553ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000055400000x055400000x0557ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000055800000x055800000x055bffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000055c00000x055c00000x055c4fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000055d00000x055d00000x055e2fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
mswsock.dll.mui0x055d00000x055d2fffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
pagefile_0x00000000055e00000x055e00000x055e1fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x00000000055f00000x055f00000x055f0fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
crypt32.dll.mui0x055f00000x055f9fffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
private_0x00000000056000000x056000000x057cffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000056000000x056000000x056fffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
SortDefault.nls0x057000000x05a36fffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
pagefile_0x0000000005a400000x05a400000x05bc7fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x0000000005bd00000x05bd00000x05d50fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x0000000005d600000x05d600000x0715ffffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x00000000071600000x071600000x0725ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000072600000x072600000x0735ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000073600000x073600000x0745ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000074600000x074600000x0755ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000075600000x075600000x0759ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000075a00000x075a00000x0769ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000076a00000x076a00000x076dffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000076e00000x076e00000x077dffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000077e00000x077e00000x077f2fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000077e00000x077e00000x0781ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000078200000x078200000x0785ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000078600000x078600000x0789ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000078600000x078600000x07872fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000078600000x078600000x07872fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000078600000x078600000x07870fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000078a00000x078a00000x078dffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000078e00000x078e00000x078f2fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
winnlsres.dll0x078e00000x078e4fffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
winnlsres.dll.mui0x078f00000x078fffffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
private_0x00000000079000000x079000000x0793ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000079400000x079400000x0797ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000079a00000x079a00000x079a4fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000007a000000x07a000000x07baffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000007a000000x07a000000x07afffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000007b000000x07b000000x07bfffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
wow64win.dll0x64da00000x64e12fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wow64.dll0x64e200000x64e6efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wow64cpu.dll0x64e700000x64e77fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ncryptsslp.dll0x736600000x73679fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
cabinet.dll0x736800000x736a1fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
webio.dll0x736b00000x73717fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
dhcpcsvc.dll0x737200000x73733fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
dhcpcsvc6.dll0x737400000x73752fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
cryptnet.dll0x737600000x73785fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
gpapi.dll0x737900000x737aefffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
dpapi.dll0x737b00000x737b7fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ntasn1.dll0x737c00000x737e7fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ncrypt.dll0x737f00000x7380ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
mskeyprotect.dll0x738100000x7381ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
schannel.dll0x738200000x7387ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
comctl32.dll0x738800000x73a88fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
FWPUCLNT.DLL0x73a900000x73ad5fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
rasadhlp.dll0x73ae00000x73ae7fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
dnsapi.dll0x73af00000x73b73fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
mswsock.dll0x73b800000x73bcdfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
winhttp.dll0x73bd00000x73c76fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
winnsi.dll0x73c800000x73c87fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
IPHLPAPI.DLL0x73c900000x73cbffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
urlmon.dll0x73cc00000x73e1ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
iertutil.dll0x73e200000x740e0fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wininet.dll0x740f00000x74313fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ntmarta.dll0x743200000x74347fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
secur32.dll0x743500000x74359fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
rsaenh.dll0x743600000x7438efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
bcrypt.dll0x743900000x743aafffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
cryptsp.dll0x743b00000x743c2fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
OnDemandConnRouteHelper.dll0x743d00000x743e0fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
uxtheme.dll0x743f00000x74464fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
bcryptprimitives.dll0x744700000x744c8fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
cryptbase.dll0x744d00000x744d9fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
sspicli.dll0x744e00000x744fdfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
msvcrt.dll0x745a00000x7465dfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
gdi32.dll0x746600000x747acfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
shell32.dll0x747b00000x75b6efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
rpcrt4.dll0x75b700000x75c1bfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
user32.dll0x75dd00000x75f0ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
psapi.dll0x75f100000x75f15fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
windows.storage.dll0x75f200000x763fcfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
Wldap32.dll0x764000000x76452fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
kernel32.dll0x764600000x7654ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
oleaut32.dll0x765500000x765e1fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
crypt32.dll0x765f00000x76764fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
msasn1.dll0x768f00000x768fdfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wintrust.dll0x769000000x76941fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
nsi.dll0x769500000x76956fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ws2_32.dll0x769600000x769bbfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
msctf.dll0x769c00000x76adffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
shlwapi.dll0x76ae00000x76b23fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
advapi32.dll0x76d700000x76deafffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
SHCore.dll0x76df00000x76e7cfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
kernel.appcore.dll0x76e800000x76e8bfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
kernel.appcore.dll0x76e800000x76e8bfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
sechost.dll0x76e900000x76ed2fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
KernelBase.dll0x76fa00000x77115fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
combase.dll0x771200000x772d9fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
profapi.dll0x773400000x7734efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
imm32.dll0x773500000x7737afffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
powrprof.dll0x773800000x773c3fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ntdll.dll0x773d00000x77548fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
private_0x000000007e7c20000x7e7c20000x7e7c4fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e7c50000x7e7c50000x7e7c7fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e7c80000x7e7c80000x7e7cafffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e7cb0000x7e7cb0000x7e7cdfffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e7ce0000x7e7ce0000x7e7d0fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e7d10000x7e7d10000x7e7d3fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e7d40000x7e7d40000x7e7d6fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e7d70000x7e7d70000x7e7d9fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e7da0000x7e7da0000x7e7dcfffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e7dd0000x7e7dd0000x7e7dffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x000000007e7e00000x7e7e00000x7e8dffffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x000000007e8e00000x7e8e00000x7e902fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x000000007e9030000x7e9030000x7e905fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e9060000x7e9060000x7e908fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e9060000x7e9060000x7e908fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e9090000x7e9090000x7e909fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e90b0000x7e90b0000x7e90dfffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007e90e0000x7e90e0000x7e90efffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007ffe00000x7ffe00000x7ffeffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
private_0x000000007fff00000x7fff00000x7dfd2ef5ffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x00007dfd2ef600000x7dfd2ef600000x7ffd2ef5ffffPagefile Backed Memory-TrueFalseFalse
  • Region Actions
ntdll.dll0x7ffd2ef600000x7ffd2f121fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
private_0x00007ffd2f1220000x7ffd2f1220000x7ffffffeffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
Injection Information
+
Injection TypeSource ProcessSource Os Thread IDInjection InfoSuccessCountLogfile
Modify Memoryc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe0xbccaddress = 0x4eb0000, size = 147456True1
Fn
Data
Modify Memoryc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe0xbccaddress = 0x4ece724, size = 4True1
Fn
Data
Modify Memoryc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe0xbccaddress = 0x4ece840, size = 4True1
Fn
Data
Modify Memoryc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe0xbccaddress = 0x4ecee38, size = 4True1
Fn
Data
Create Remote Threadc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe0xbccaddress = 0x4ebc978, flags = THREAD_RUNS_IMMEDIATELYTrue1
Fn
Created Files
+
FilenameFile SizeHash ValuesYARA MatchActions
c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.tmp3.66 KB (3743 bytes)MD5: 7a245ac97a224505665b541cbaeebee3
SHA1: fb77de1a8006c5cc48493e21778c03e9b7e190d0
SHA256: 62cd74f35b09b3aeba6cecef7202838b2f064346ae2497e7726c3f419acb2495		False
Host Behavior
File (133)
+
OperationFilenameAdditional InformationSuccessCountLogfile
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoedesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGTrue28
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoedesired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue29
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igbdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGTrue14
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoedesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE, create_disposition = OPEN_EXISTINGTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exedesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoedesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGFalse1
Fn
MOVEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.tmpsource_file_name = c:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoeTrue1
Fn
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 529True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1103True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2193True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2451True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2709True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2967True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3225True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3485True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exesize = 124416True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 300True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 558True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 782True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1040True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1294True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1584True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1842True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2080True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2338True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2593True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2851True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3089True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3344True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3602True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3840True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 4095True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 4353True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 4591True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 4808True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 5066True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1103True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1361True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2451True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2709True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2967True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3225True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3485True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3743True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 300True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 558True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 782True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1040True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1294True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1584True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1842True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2080True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2338True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2593True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2851True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3089True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3344True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3602True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 3840True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 4095True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 4353True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 4591True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 4808True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 5066True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 5303True1
Fn
Data
Process (1429)
+
OperationProcess NameAdditional InformationSuccessCountLogfile
OPENSystem Idle Processos_pid = 0x0, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENSystemos_pid = 0x4, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\smss.exeos_pid = 0x108, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\csrss.exeos_pid = 0x150, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\wininit.exeos_pid = 0x18c, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\csrss.exeos_pid = 0x194, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\winlogon.exeos_pid = 0x1c4, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\services.exeos_pid = 0x1dc, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\lsass.exeos_pid = 0x1e4, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\svchost.exeos_pid = 0x23c, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\svchost.exeos_pid = 0x25c, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\dwm.exeos_pid = 0x2e4, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\svchost.exeos_pid = 0x320, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\svchost.exeos_pid = 0x334, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\svchost.exeos_pid = 0x354, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\svchost.exeos_pid = 0x368, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\svchost.exeos_pid = 0x390, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\svchost.exeos_pid = 0x274, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\spoolsv.exeos_pid = 0x230, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\svchost.exeos_pid = 0x41c, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\svchost.exeos_pid = 0x550, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\sihost.exeos_pid = 0x700, desired_access = PROCESS_QUERY_INFORMATIONTrue37
Fn
OPENc:\windows\system32\taskhostw.exeos_pid = 0x728, desired_access = PROCESS_QUERY_INFORMATIONTrue37
Fn
OPENc:\windows\explorer.exeos_pid = 0x7cc, desired_access = PROCESS_QUERY_INFORMATIONTrue37
Fn
OPENc:\windows\system32\runtimebroker.exeos_pid = 0x4b0, desired_access = PROCESS_QUERY_INFORMATIONTrue37
Fn
OPENc:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exeos_pid = 0x910, desired_access = PROCESS_QUERY_INFORMATIONTrue37
Fn
OPENc:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exeos_pid = 0xa10, desired_access = PROCESS_QUERY_INFORMATIONTrue37
Fn
OPENc:\windows\system32\svchost.exeos_pid = 0x590, desired_access = PROCESS_QUERY_INFORMATIONTrue37
Fn
OPENc:\windows\system32\wbem\wmiadap.exeos_pid = 0xb34, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\sppsvc.exeos_pid = 0x6ac, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\backgroundtaskhost.exeos_pid = 0x414, desired_access = PROCESS_QUERY_INFORMATIONTrue12
Fn
OPENc:\windows\system32\backgroundtaskhost.exeos_pid = 0xba8, desired_access = PROCESS_QUERY_INFORMATIONTrue37
Fn
OPENc:\windows\system32\wbem\wmiprvse.exeos_pid = 0xfc, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\system32\audiodg.exeos_pid = 0x3f8, desired_access = PROCESS_QUERY_INFORMATIONFalse37
Fn
OPENc:\windows\syswow64\svchost.exeos_pid = 0xc54, desired_access = PROCESS_QUERY_INFORMATIONTrue74
Fn
OPENc:\windows\system32\backgroundtaskhost.exeos_pid = 0xdc0, desired_access = PROCESS_QUERY_INFORMATIONTrue25
Fn
OPENc:\program files\windows defender\mpcmdrun.exeos_pid = 0xde0, desired_access = PROCESS_QUERY_INFORMATIONFalse1
Fn
OPEN_TOKENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exeos_pid = 0x990, desired_access = PROCESS_VM_OPERATION, READ_CONTROL, desired_access = PROCESS_VM_OPERATION, READ_CONTROLTrue1
Fn
OPEN_TOKENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exeos_pid = 0x990, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATIONTrue1
Fn
OPEN_TOKENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exeos_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITETrue57
Fn
OPEN_TOKENc:\windows\syswow64\svchost.exeos_pid = 0xc54, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATIONTrue37
Fn
Module (42)
+
OperationModuleAdditional InformationSuccessCountLogfile
LOADKERNEL32.dllbase_address = 0x76460000True1
Fn
LOADNTDLLbase_address = 0x773d0000True4
Fn
LOADadvapi32.dllbase_address = 0x76d70000True1
Fn
LOADshlwapi.dllbase_address = 0x76ae0000True1
Fn
LOADpsapi.dllbase_address = 0x75f10000True1
Fn
LOADwininet.dllbase_address = 0x740f0000True1
Fn
LOADsecur32.dllbase_address = 0x74350000True1
Fn
LOADSSPICLIbase_address = 0x744e0000True1
Fn
LOADcrypt32.dllbase_address = 0x765f0000True1
Fn
LOADurlmon.dllbase_address = 0x73cc0000True1
Fn
GET_HANDLEc:\windows\syswow64\ntdll.dllbase_address = 0x773d0000True1
Fn
GET_HANDLEadvapi32.dllbase_address = 0x0False1
Fn
GET_HANDLEshlwapi.dllbase_address = 0x0False1
Fn
GET_HANDLEpsapi.dllbase_address = 0x0False1
Fn
GET_HANDLEc:\windows\syswow64\user32.dllbase_address = 0x75dd0000True1
Fn
GET_HANDLEwininet.dllbase_address = 0x0False1
Fn
GET_HANDLEsecur32.dllbase_address = 0x0False1
Fn
GET_HANDLEcrypt32.dllbase_address = 0x0False1
Fn
GET_HANDLEurlmon.dllbase_address = 0x0False1
Fn
GET_FILENAMEc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exefile_name = C:\Windows\SysWOW64\svchost.exe, module_name = psapi.dll, os_pid = 0x990True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = InterlockedIncrement, address = 0x76477520True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = HeapFree, address = 0x764725e0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = GetProcessHeap, address = 0x76477910True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = HeapDestroy, address = 0x7647d940True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = HeapCreate, address = 0x76479950True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = InterlockedExchange, address = 0x76477650True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = HeapAlloc, address = 0x7740da90True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = GetProcAddress, address = 0x76477940True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = LoadLibraryA, address = 0x7647d8d0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = GetModuleHandleA, address = 0x76479640True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = GetLastError, address = 0x76472db0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = InterlockedDecrement, address = 0x76477560True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = Sleep, address = 0x764777b0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = HeapReAlloc, address = 0x7740bae0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\ntdll.dllfunction = RtlAddVectoredExceptionHandler, address = 0x7742f090True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\ntdll.dllfunction = RtlInitializeCriticalSection, address = 0x774295f0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\sspicli.dllfunction = GetUserNameExW, address = 0x744ec5f0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\ntdll.dllfunction = RtlEnterCriticalSection, address = 0x77415e80True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\ntdll.dllfunction = RtlLeaveCriticalSection, address = 0x77415e00True1
Fn
Registry (58)
+
OperationKeyAdditional InformationSuccessCountLogfile
CREATE_KEYHKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\RunTrue1
Fn
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\FaboTrue1
Fn
OPEN_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\FaboTrue22
Fn
OPEN_KEYHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersionTrue2
Fn
READ_VALUEHKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabovalue_name = OnpiwaadFalse14
Fn
READ_VALUEHKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabovalue_name = VipougFalse2
Fn
READ_VALUEHKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabovalue_name = VipougTrue12
Fn
Data
READ_VALUEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersionvalue_name = InstallDate, data_ident_out = 0True1
Fn
READ_VALUEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersionvalue_name = DigitalProductIdFalse1
Fn
WRITE_VALUEHKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Runvalue_name = Devices.exe, data = "C:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming\Sun\Java\Devices.exe"True1
Fn
WRITE_VALUEHKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabovalue_name = VipougTrue1
Fn
Data
User (114)
+
OperationUser/Group/ServerAdditional InformationSuccessCountLogfile
LOOKUP_PRIVILEGELocalhostprivilege = SeSecurityPrivilegeTrue57
Fn
SET_PRIVILEGELocalhostc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilegeTrue57
Fn
System (115)
+
OperationInformationSuccessCountLogfile
SLEEPduration = -1 (infinite)True39
Fn
SLEEPduration = 60000 milliseconds (60.000 seconds)False1
Fn
SLEEPduration = -1 (infinite)False1
Fn
GET_INFOtype = SYSTEM_PROCESS_INFORMATIONFalse37
Fn
GET_INFOtype = SYSTEM_PROCESS_INFORMATIONTrue37
Fn
Mutex (69)
+
OperationNameAdditional InformationSuccessCountLogfile
CREATED20000002A14C6E52964F51932B9F49Finitial_owner = 1True1
Fn
CREATE8A000000B7496798F6145935AA3E2760initial_owner = 0True30
Fn
CREATED9000000F219E1C779E2E7AC08DFD815initial_owner = 0True1
Fn
CREATE7D0000008AA73D983C6DEAFF4C3848A7initial_owner = 0True1
Fn
CREATE3B000000F5DFE9C2D11C32931F7D5BB4initial_owner = 0True1
Fn
CREATEC0000000844EE6C40648470D345E7B65initial_owner = 0True1
Fn
CREATE4A000000AF17366BF4960AE62A76878Cinitial_owner = 0True1
Fn
CREATED5000000C70E48D5408251026F4BDA97initial_owner = 0True1
Fn
OPEN4B000000D586D2D8AB6E07EC44CC9183desired_access = SYNCHRONIZETrue1
Fn
RELEASE8A000000B7496798F6145935AA3E2760True30
Fn
RELEASED5000000C70E48D5408251026F4BDA97True1
Fn
Process #4: svchost.exe
(Host: 82, Network: 0)
+
InformationValue
ID / OS PID#4 / 0xc54
OS Parent PID0x84 (c:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe)
Initial Working DirectoryC:\Users\WI2yhmtI onvScY7Pe\AppData\Roaming
File Namec:\windows\syswow64\svchost.exe
Command LineC:\Windows\SysWOW64\svchost.exe -k netsvcs
MonitorStart Time: 00:01:04, Reason: Child Process
UnmonitorEnd Time: 00:02:38, Reason: Terminated by Timeout
Monitor Duration00:01:34
OS Thread IDs
#8
0xC58
#9
0xC5C
#10
0xC64
#19
0xD54
#20
0xD58
#29
0xD8C
#30
0xD90
#31
0xD94
#32
0xD98
#33
0xD9C
Region
+
NameStart VAEnd VATypePermissionsMonitoredDumpYARA MatchActions
private_0x00000000004b00000x004b00000x004cffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x00000000004b00000x004b00000x004bffffPagefile Backed MemoryReadable, WritableTrueFalseFalse
  • Region Actions
svchost.exe.mui0x004c00000x004c0fffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
private_0x00000000004d00000x004d00000x004d0fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000004d00000x004d00000x004d0fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x00000000004e00000x004e00000x004f3fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x00000000005000000x005000000x0053ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000005400000x005400000x0057ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x00000000005800000x005800000x00583fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x00000000005900000x005900000x00590fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x00000000005a00000x005a00000x005a1fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000005b00000x005b00000x005d3fffPrivate MemoryReadable, Writable, ExecutableTrueFalseFalse
  • Region Actions
private_0x00000000005e00000x005e00000x0061ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000006200000x006200000x0065ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000006600000x006600000x0069ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000006a00000x006a00000x006a0fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000006b00000x006b00000x006b6fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000006c00000x006c00000x006fffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000007000000x007000000x007fffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
locale.nls0x008000000x008bdfffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
private_0x00000000008c00000x008c00000x008c0fffPrivate MemoryReadable, Writable, ExecutableTrueFalseFalse
  • Region Actions
svchost.exe0x009000000x0090afffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
pagefile_0x00000000009100000x009100000x0490ffffPagefile Backed Memory-TrueFalseFalse
  • Region Actions
private_0x0000000004a100000x04a100000x04a13fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004ae00000x04ae00000x04ae3fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004b000000x04b000000x04bfffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004c000000x04c000000x04cfffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004e100000x04e100000x04e14fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004f000000x04f000000x0501ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x0000000004f000000x04f000000x04ffffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
SortDefault.nls0x050000000x05336fffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
pagefile_0x00000000053400000x053400000x054c7fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x00000000054d00000x054d00000x05650fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x00000000056600000x056600000x06a5ffffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
wow64win.dll0x64da00000x64e12fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wow64.dll0x64e200000x64e6efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wow64cpu.dll0x64e700000x64e77fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wininet.dll0x740f00000x74313fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ntmarta.dll0x743200000x74347fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
secur32.dll0x743500000x74359fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
rsaenh.dll0x743600000x7438efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
bcrypt.dll0x743900000x743aafffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
cryptsp.dll0x743b00000x743c2fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
bcryptprimitives.dll0x744700000x744c8fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
cryptbase.dll0x744d00000x744d9fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
sspicli.dll0x744e00000x744fdfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
msvcrt.dll0x745a00000x7465dfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
gdi32.dll0x746600000x747acfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
rpcrt4.dll0x75b700000x75c1bfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
user32.dll0x75dd00000x75f0ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
psapi.dll0x75f100000x75f15fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
kernel32.dll0x764600000x7654ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
msctf.dll0x769c00000x76adffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
shlwapi.dll0x76ae00000x76b23fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
advapi32.dll0x76d700000x76deafffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
sechost.dll0x76e900000x76ed2fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
KernelBase.dll0x76fa00000x77115fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
combase.dll0x771200000x772d9fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
imm32.dll0x773500000x7737afffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ntdll.dll0x773d00000x77548fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
pagefile_0x000000007f3700000x7f3700000x7f46ffffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x000000007f4700000x7f4700000x7f492fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x000000007f4940000x7f4940000x7f496fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007f4970000x7f4970000x7f499fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007f49a0000x7f49a0000x7f49afffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007f49c0000x7f49c0000x7f49efffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007f49f0000x7f49f0000x7f49ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007ffe00000x7ffe00000x7ffeffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
private_0x000000007fff00000x7fff00000x7dfd2ef5ffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x00007dfd2ef600000x7dfd2ef600000x7ffd2ef5ffffPagefile Backed Memory-TrueFalseFalse
  • Region Actions
ntdll.dll0x7ffd2ef600000x7ffd2f121fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
private_0x00007ffd2f1220000x7ffd2f1220000x7ffffffeffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
Injection Information
+
Injection TypeSource ProcessSource Os Thread IDInjection InfoSuccessCountLogfile
Modify Memoryc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe0xbccaddress = 0x5b0000, size = 147456True1
Fn
Data
Modify Memoryc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe0xbccaddress = 0x5ce724, size = 4True1
Fn
Data
Modify Memoryc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe0xbccaddress = 0x5ce840, size = 4True1
Fn
Data
Modify Memoryc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe0xbccaddress = 0x5cee38, size = 4True1
Fn
Data
Create Remote Threadc:\users\wi2yhmti onvscy7pe\appdata\roaming\sun\java\devices.exe0xbccaddress = 0x5bc978, flags = THREAD_RUNS_IMMEDIATELYTrue1
Fn
Host Behavior
File (9)
+
OperationFilenameAdditional InformationSuccessCountLogfile
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoedesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGTrue2
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoedesired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue2
Fn
CREATEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\desktop (create shortcut).igbdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, create_disposition = OPEN_EXISTINGTrue1
Fn
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1361True1
Fn
Data
READc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1935True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 1935True1
Fn
Data
WRITEc:\users\wi2yhmti onvscy7pe\appdata\roaming\adobe\flash player\1e45a456cb803f4096a6a7598c65e692_8c74eee4-8873-4eb3-9315-336075ff5033.hoesize = 2193True1
Fn
Data
Process (6)
+
OperationProcess NameAdditional InformationSuccessCountLogfile
OPEN_TOKENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exeos_pid = 0x990, desired_access = PROCESS_VM_OPERATION, READ_CONTROL, desired_access = PROCESS_VM_OPERATION, READ_CONTROLTrue1
Fn
OPEN_TOKENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exeos_pid = 0x990, desired_access = PROCESS_VM_OPERATION, desired_access = PROCESS_VM_OPERATIONTrue1
Fn
OPEN_TOKENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exeos_pid = 0x990, desired_access = PROCESS_VM_WRITE, desired_access = PROCESS_VM_WRITETrue4
Fn
Module (34)
+
OperationModuleAdditional InformationSuccessCountLogfile
LOADKERNEL32.dllbase_address = 0x76460000True1
Fn
LOADNTDLLbase_address = 0x773d0000True2
Fn
LOADadvapi32.dllbase_address = 0x76d70000True1
Fn
LOADshlwapi.dllbase_address = 0x76ae0000True1
Fn
LOADpsapi.dllbase_address = 0x75f10000True1
Fn
LOADwininet.dllbase_address = 0x740f0000True1
Fn
LOADsecur32.dllbase_address = 0x74350000True1
Fn
LOADSSPICLIbase_address = 0x744e0000True1
Fn
GET_HANDLEc:\windows\syswow64\ntdll.dllbase_address = 0x773d0000True1
Fn
GET_HANDLEadvapi32.dllbase_address = 0x0False1
Fn
GET_HANDLEshlwapi.dllbase_address = 0x0False1
Fn
GET_HANDLEpsapi.dllbase_address = 0x0False1
Fn
GET_HANDLEc:\windows\syswow64\user32.dllbase_address = 0x75dd0000True1
Fn
GET_HANDLEwininet.dllbase_address = 0x0False1
Fn
GET_HANDLEsecur32.dllbase_address = 0x0False1
Fn
GET_FILENAMEc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exefile_name = C:\Windows\SysWOW64\svchost.exe, module_name = psapi.dll, os_pid = 0x990True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = InterlockedIncrement, address = 0x76477520True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = HeapFree, address = 0x764725e0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = GetProcessHeap, address = 0x76477910True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = HeapDestroy, address = 0x7647d940True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = HeapCreate, address = 0x76479950True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = InterlockedExchange, address = 0x76477650True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = HeapAlloc, address = 0x7740da90True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = GetProcAddress, address = 0x76477940True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = LoadLibraryA, address = 0x7647d8d0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = GetModuleHandleA, address = 0x76479640True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = GetLastError, address = 0x76472db0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = InterlockedDecrement, address = 0x76477560True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = Sleep, address = 0x764777b0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = HeapReAlloc, address = 0x7740bae0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\ntdll.dllfunction = RtlAddVectoredExceptionHandler, address = 0x7742f090True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\ntdll.dllfunction = RtlInitializeCriticalSection, address = 0x774295f0True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\sspicli.dllfunction = GetUserNameExW, address = 0x744ec5f0True1
Fn
Registry (13)
+
OperationKeyAdditional InformationSuccessCountLogfile
CREATE_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\FaboTrue1
Fn
OPEN_KEYHKEY_CURRENT_USER\SOFTWARE\Microsoft\FaboTrue4
Fn
READ_VALUEHKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabovalue_name = OnpiwaadFalse1
Fn
READ_VALUEHKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabovalue_name = VipougTrue6
Fn
Data
WRITE_VALUEHKEY_CURRENT_USER\SOFTWARE\Microsoft\Fabovalue_name = VipougTrue1
Fn
Data
User (8)
+
OperationUser/Group/ServerAdditional InformationSuccessCountLogfile
LOOKUP_PRIVILEGELocalhostprivilege = SeSecurityPrivilegeTrue4
Fn
SET_PRIVILEGELocalhostc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe, os_pid = 0x990, desired_access = PROCESS_VM_WRITE, disable_all_privileges = 0, privilege = SeSecurityPrivilegeTrue4
Fn
System (2)
+
OperationInformationSuccessCountLogfile
SLEEPduration = -1 (infinite)False2
Fn
Mutex (10)
+
OperationNameAdditional InformationSuccessCountLogfile
CREATEA1000000DA6AF38235D35BF570C2C4E9initial_owner = 1True1
Fn
CREATE8A000000B7496798F6145935AA3E2760initial_owner = 0True2
Fn
CREATED5000000C70E48D5408251026F4BDA97initial_owner = 0True1
Fn
CREATEC0000000844EE6C40648470D345E7B65initial_owner = 0True1
Fn
CREATE4A000000AF17366BF4960AE62A76878Cinitial_owner = 0True1
Fn
OPEN4B000000D586D2D8AB6E07EC44CC9183desired_access = SYNCHRONIZETrue1
Fn
RELEASE8A000000B7496798F6145935AA3E2760True2
Fn
RELEASED5000000C70E48D5408251026F4BDA97True1
Fn
Process #5: cmd.exe
(Host: 88, Network: 0)
+
InformationValue
ID / OS PID#5 / 0xcac
OS Parent PID0x990 (c:\users\wi2yhmti onvscy7pe\desktop\tax tool.exe)
Initial Working DirectoryC:\Users\WI2yhmtI onvScY7Pe\Desktop
File Namec:\windows\syswow64\cmd.exe
Command Line"C:\Windows\system32\cmd.exe" /c "C:\Users\WI2YHM~1\AppData\Local\Temp\upd823d0e12.bat"
MonitorStart Time: 00:01:09, Reason: Child Process
UnmonitorEnd Time: 00:01:21, Reason: Terminated
Monitor Duration00:00:12
OS Thread IDs
#11
0xCB0
#16
0xD00
Region
+
NameStart VAEnd VATypePermissionsMonitoredDumpYARA MatchActions
private_0x00000000000e00000x000e00000x000fffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x00000000000e00000x000e00000x000effffPagefile Backed MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000000f00000x000f00000x000f3fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000001000000x001000000x00101fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000001000000x001000000x00103fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x00000000001100000x001100000x00123fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x00000000001300000x001300000x0016ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000001700000x001700000x0026ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
pagefile_0x00000000002700000x002700000x00273fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x00000000002800000x002800000x00280fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x00000000002900000x002900000x00291fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000002a00000x002a00000x002dffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000003000000x003000000x0030ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000003200000x003200000x0041ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
locale.nls0x004200000x004ddfffMemory Mapped FileReadableFalseFalseFalse
  • Region Actions
private_0x00000000004e00000x004e00000x005dffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x00000000007000000x007000000x0070ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
cmd.exe0x009c00000x00a0ffffMemory Mapped FileReadable, Writable, ExecutableTrueFalseFalse
  • Region Actions
pagefile_0x0000000000a100000x00a100000x04a0ffffPagefile Backed Memory-TrueFalseFalse
  • Region Actions
wow64win.dll0x64da00000x64e12fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wow64.dll0x64e200000x64e6efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
wow64cpu.dll0x64e700000x64e77fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
cmdext.dll0x744600000x74467fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
bcryptprimitives.dll0x744700000x744c8fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
cryptbase.dll0x744d00000x744d9fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
sspicli.dll0x744e00000x744fdfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
msvcrt.dll0x745a00000x7465dfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
rpcrt4.dll0x75b700000x75c1bfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
kernel32.dll0x764600000x7654ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
advapi32.dll0x76d700000x76deafffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
sechost.dll0x76e900000x76ed2fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
KernelBase.dll0x76fa00000x77115fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
ntdll.dll0x773d00000x77548fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
pagefile_0x000000007e9f00000x7e9f00000x7eaeffffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x000000007eaf00000x7eaf00000x7eb12fffPagefile Backed MemoryReadableTrueFalseFalse
  • Region Actions
private_0x000000007eb160000x7eb160000x7eb16fffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007eb180000x7eb180000x7eb1afffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007eb1b0000x7eb1b0000x7eb1bfffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007eb1d0000x7eb1d0000x7eb1ffffPrivate MemoryReadable, WritableTrueFalseFalse
  • Region Actions
private_0x000000007ffe00000x7ffe00000x7ffeffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
private_0x000000007fff00000x7fff00000x7dfd2ef5ffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
pagefile_0x00007dfd2ef600000x7dfd2ef600000x7ffd2ef5ffffPagefile Backed Memory-TrueFalseFalse
  • Region Actions
ntdll.dll0x7ffd2ef600000x7ffd2f121fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
  • Region Actions
private_0x00007ffd2f1220000x7ffd2f1220000x7ffffffeffffPrivate MemoryReadableTrueFalseFalse
  • Region Actions
Host Behavior
File (62)
+
OperationFilenameAdditional InformationSuccessCountLogfile
CREATEc:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.batdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALTrue5
Fn
CREATEc:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.batdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
OPENSTD_OUTPUT_HANDLETrue13
Fn
OPENSTD_INPUT_HANDLETrue7
Fn
OPENc:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.batTrue25
Fn
OPENc:\users\wi2yhmti onvscy7pe\desktop\tax tool.exedesired_access = DELETE, share_mode = FILE_SHARE_DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENTTrue1
Fn
OPENc:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.batdesired_access = DELETE, share_mode = FILE_SHARE_DELETE, open_options = FILE_NON_DIRECTORY_FILE, FILE_DELETE_ON_CLOSE, FILE_OPEN_FOR_BACKUP_INTENTTrue1
Fn
OPENSTD_ERROR_HANDLETrue3
Fn
READc:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.batsize = 8191True1
Fn
Data
READc:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.batsize = 8191True1
Fn
Data
READc:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.batsize = 8191True1
Fn
Data
READc:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.batsize = 8191True1
Fn
Data
READc:\users\wi2yhm~1\appdata\local\temp\upd823d0e12.batsize = 8191True1
Fn
Data
WRITESTD_ERROR_HANDLEsize = 33True1
Fn
Data
Process (1)
+
OperationProcess NameAdditional InformationSuccessCountLogfile
SET_CURDIRc:\windows\syswow64\cmd.exeos_pid = 0xcac, new_path_name = c:\users\wi2yhmti onvscy7pe\desktopTrue1
Fn
Module (8)
+
OperationModuleAdditional InformationSuccessCountLogfile
GET_HANDLEc:\windows\syswow64\cmd.exebase_address = 0x9c0000True1
Fn
GET_HANDLEc:\windows\syswow64\kernel32.dllbase_address = 0x76460000True2
Fn
GET_FILENAMEC:\Windows\SysWOW64\cmd.exeTrue1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = SetThreadUILanguage, address = 0x764a2780True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = CopyFileExW, address = 0x7647fa80True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = IsDebuggerPresent, address = 0x7647a790True1
Fn
GET_PROC_ADDRESSc:\windows\syswow64\kernel32.dllfunction = SetConsoleInputExeNameW, address = 0x770b35c0True1
Fn
Registry (17)
+
OperationKeyAdditional InformationSuccessCountLogfile
OPEN_KEYHKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\SystemFalse1
Fn
OPEN_KEYHKEY_LOCAL_MACHINE\Software\Microsoft\Command ProcessorTrue1
Fn
OPEN_KEYHKEY_CURRENT_USER\Software\Microsoft\Command ProcessorTrue1
Fn
READ_VALUEHKEY_LOCAL_MACHINE\Software\Microsoft\Command Processorvalue_name = DisableUNCCheck, data_ident_out = 80False1
Fn
READ_VALUEHKEY_LOCAL_MACHINE\Software\Microsoft\Command Processorvalue_name = EnableExtensions, data_ident_out = 1True1
Fn
READ_VALUEHKEY_LOCAL_MACHINE\Software\Microsoft\Command Processorvalue_name = DelayedExpansion, data_ident_out = 1False1
Fn
READ_VALUEHKEY_LOCAL_MACHINE\Software\Microsoft\Command Processorvalue_name = DefaultColor, data_ident_out = 0True1
Fn
READ_VALUEHKEY_LOCAL_MACHINE\Software\Microsoft\Command Processorvalue_name = CompletionChar, data_ident_out = 64True1
Fn
READ_VALUEHKEY_LOCAL_MACHINE\Software\Microsoft\Command Processorvalue_name = PathCompletionChar, data_ident_out = 64True1
Fn
READ_VALUEHKEY_LOCAL_MACHINE\Software\Microsoft\Command Processorvalue_name = AutoRun, data_ident_out = 64False1
Fn
READ_VALUEHKEY_CURRENT_USER\Software\Microsoft\Command Processorvalue_name = DisableUNCCheck, data_ident_out = 64False1
Fn
READ_VALUEHKEY_CURRENT_USER\Software\Microsoft\Command Processorvalue_name = EnableExtensions, data_ident_out = 1True1
Fn
READ_VALUEHKEY_CURRENT_USER\Software\Microsoft\Command Processorvalue_name = DelayedExpansion, data_ident_out = 1False1
Fn
READ_VALUEHKEY_CURRENT_USER\Software\Microsoft\Command Processorvalue_name = DefaultColor, data_ident_out = 0True1
Fn
READ_VALUEHKEY_CURRENT_USER\Software\Microsoft\Command Processorvalue_name = CompletionChar, data_ident_out = 9True1
Fn
READ_VALUEHKEY_CURRENT_USER\Software\Microsoft\Command Processorvalue_name = PathCompletionChar, data_ident_out = 9True1
Fn
READ_VALUEHKEY_CURRENT_USER\Software\Microsoft\Command Processorvalue_name = AutoRun, data_ident_out = 9False1
Fn
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefox with deactivated setting "security.fileuri.strict_origin_policy". 
































Screenshot



Expand-Icon


Exit-Icon






icon_left




icon_left








image