75620d6ae02a9a3beb5eb47020012eee52001bf434304f4e77b43011a6e5595a (SHA256)
CrazyCrypt.exe
Windows Exe (x86-32)
Created at 2019-02-28 11:07:00
Monitored Processes
Behavior Information - Sequential View
Process #1: crazycrypt.exe
5169
27
| Information | Value |
|---|---|
| ID | #1 |
| File Name | c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe |
| Command Line | "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\CrazyCrypt.exe" |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:05, Reason: Analysis Target |
| Unmonitor | End Time: 00:05:05, Reason: Terminated by Timeout |
| Monitor Duration | 00:04:00 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x98c |
| Parent PID | 0x460 (c:\windows\explorer.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
990
0x
994
0x
998
0x
9AC
0x
9B0
0x
9B4
0x
9B8
0x
9BC
0x
AEC
0x
AF0
0x
AF4
0x
AF8
0x
0
0x
954
0x
958
0x
94C
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x00050fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00072fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x000fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000110000 | 0x00110000 | 0x00110fff | Pagefile Backed Memory | rw |
|
|
|
- |
| l_intl.nls | 0x00120000 | 0x00122fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x0022ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00230000 | 0x00296fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x003bffff | Private Memory | - |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x003c0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x003e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003f0000 | 0x003f0000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x00440fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000450000 | 0x00450000 | 0x0045ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000460000 | 0x00460000 | 0x0055ffff | Private Memory | rw |
|
|
|
- |
| rpcss.dll | 0x00560000 | 0x005dcfff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000560000 | 0x00560000 | 0x00561fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000570000 | 0x00570000 | 0x0057ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00594fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000005a0000 | 0x005a0000 | 0x005affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005b0000 | 0x005b0000 | 0x005bffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | rw |
|
|
|
- |
| windowsshell.manifest | 0x00600000 | 0x00600fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000600000 | 0x00600000 | 0x0060ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000610000 | 0x00610000 | 0x0061ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000620000 | 0x00620000 | 0x0069ffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00827fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x009b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000009c0000 | 0x009c0000 | 0x00abffff | Private Memory | rw |
|
|
|
- |
| gdipfontcachev1.dat | 0x00ac0000 | 0x00adafff | Memory Mapped File | rw |
|
|
|
|
| segoeui.ttf | 0x00ac0000 | 0x00b3efff | Memory Mapped File | r |
|
|
|
- |
| ariali.ttf | 0x00ac0000 | 0x00b47fff | Memory Mapped File | r |
|
|
|
- |
| arialbi.ttf | 0x00ac0000 | 0x00b49fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000ac0000 | 0x00ac0000 | 0x00ac1fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000ad0000 | 0x00ad0000 | 0x00adffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000ae0000 | 0x00ae0000 | 0x00aeffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000af0000 | 0x00af0000 | 0x00afffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b00000 | 0x00b00000 | 0x00b0ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b10000 | 0x00b10000 | 0x00b1ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b20000 | 0x00b20000 | 0x00b2ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b30000 | 0x00b30000 | 0x00b3ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b40000 | 0x00b40000 | 0x00b4ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000b50000 | 0x00b50000 | 0x00bcffff | Private Memory | rwx |
|
|
|
- |
| private_0x0000000000bd0000 | 0x00bd0000 | 0x00ccffff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x00cd0000 | 0x00f9efff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000fa0000 | 0x00fa0000 | 0x010a0fff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000010b0000 | 0x010b0000 | 0x0118efff | Pagefile Backed Memory | r |
|
|
|
- |
| crazycrypt.exe | 0x01190000 | 0x011affff | Memory Mapped File | rwx |
|
|
|
|
| pagefile_0x00000000011b0000 | 0x011b0000 | 0x025affff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000025b0000 | 0x025b0000 | 0x1a5affff | Private Memory | rw |
|
|
|
- |
| private_0x000000001a5b0000 | 0x1a5b0000 | 0x1ac7ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ac80000 | 0x1ac80000 | 0x1ad3ffff | Private Memory | rw |
|
|
|
- |
| tahoma.ttf | 0x1ac80000 | 0x1ad2afff | Memory Mapped File | r |
|
|
|
- |
| micross.ttf | 0x1ac80000 | 0x1ad1ffff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001ac80000 | 0x1ac80000 | 0x1ac8ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ac90000 | 0x1ac90000 | 0x1ac9ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001aca0000 | 0x1aca0000 | 0x1acaffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acb0000 | 0x1acb0000 | 0x1acbffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acc0000 | 0x1acc0000 | 0x1accffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acd0000 | 0x1acd0000 | 0x1acdffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ace0000 | 0x1ace0000 | 0x1aceffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001acf0000 | 0x1acf0000 | 0x1acfffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad00000 | 0x1ad00000 | 0x1ad0ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad10000 | 0x1ad10000 | 0x1ad1ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad30000 | 0x1ad30000 | 0x1ad3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ad40000 | 0x1ad40000 | 0x1ae3ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ae40000 | 0x1ae40000 | 0x1b09ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001ae40000 | 0x1ae40000 | 0x1af3ffff | Private Memory | rw |
|
|
|
- |
| arial.ttf | 0x1af40000 | 0x1affcfff | Memory Mapped File | r |
|
|
|
- |
| arialbd.ttf | 0x1af40000 | 0x1aff6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001b020000 | 0x1b020000 | 0x1b09ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b0e0000 | 0x1b0e0000 | 0x1b1dffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b1e0000 | 0x1b1e0000 | 0x1b2dffff | Private Memory | rw |
|
|
|
- |
| msjh.ttf | 0x1b2e0000 | 0x1c788fff | Memory Mapped File | r |
|
|
|
- |
| msyh.ttf | 0x1b2e0000 | 0x1c7a2fff | Memory Mapped File | r |
|
|
|
- |
| malgun.ttf | 0x1b2e0000 | 0x1b702fff | Memory Mapped File | r |
|
|
|
- |
| private_0x000000001b2e0000 | 0x1b2e0000 | 0x1b41ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b420000 | 0x1b420000 | 0x1b51ffff | Private Memory | rw |
|
|
|
- |
| private_0x000000001b710000 | 0x1b710000 | 0x1b90ffff | Private Memory | rw |
|
|
|
- |
| staticcache.dat | 0x1b910000 | 0x1c23ffff | Memory Mapped File | r |
|
|
|
- |
| msvcr80.dll | 0x753c0000 | 0x75488fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| system.runtime.remoting.ni.dll | 0x7fef0ad0000 | 0x7fef0bccfff | Memory Mapped File | rwx |
|
|
|
- |
| system.windows.forms.ni.dll | 0x7fef0bd0000 | 0x7fef1c65fff | Memory Mapped File | rwx |
|
|
|
- |
| system.drawing.ni.dll | 0x7fef1c70000 | 0x7fef1ea6fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorjit.dll | 0x7fef1eb0000 | 0x7fef2033fff | Memory Mapped File | rwx |
|
|
|
- |
| microsoft.visualbasic.ni.dll | 0x7fef2040000 | 0x7fef224cfff | Memory Mapped File | rwx |
|
|
|
- |
| system.ni.dll | 0x7fef2250000 | 0x7fef2c72fff | Memory Mapped File | rwx |
|
|
|
- |
| mscorlib.ni.dll | 0x7fef2c80000 | 0x7fef3b5bfff | Memory Mapped File | rwx |
|
|
|
- |
| mscorwks.dll | 0x7fef3b60000 | 0x7fef44fcfff | Memory Mapped File | rwx |
|
|
|
- |
| mscoreei.dll | 0x7fef46c0000 | 0x7fef4758fff | Memory Mapped File | rwx |
|
|
|
- |
| mscoree.dll | 0x7fef4b60000 | 0x7fef4bcefff | Memory Mapped File | rwx |
|
|
|
- |
| dwmapi.dll | 0x7fefbbb0000 | 0x7fefbbc7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdiplus.dll | 0x7fefbd70000 | 0x7fefbf84fff | Memory Mapped File | rwx |
|
|
|
- |
| uxtheme.dll | 0x7fefbf90000 | 0x7fefbfe5fff | Memory Mapped File | rwx |
|
|
|
- |
| comctl32.dll | 0x7fefc040000 | 0x7fefc233fff | Memory Mapped File | rwx |
|
|
|
- |
| version.dll | 0x7fefc970000 | 0x7fefc97bfff | Memory Mapped File | rwx |
|
|
|
- |
| cryptbase.dll | 0x7fefd6a0000 | 0x7fefd6aefff | Memory Mapped File | rwx |
|
|
|
- |
| profapi.dll | 0x7fefd7b0000 | 0x7fefd7befff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| shell32.dll | 0x7fefdf00000 | 0x7fefec87fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| ole32.dll | 0x7feff870000 | 0x7feffa72fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000007ff00030000 | 0x7ff00030000 | 0x7ff0003ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00040000 | 0x7ff00040000 | 0x7ff0004ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00050000 | 0x7ff00050000 | 0x7ff000effff | Private Memory | - |
|
|
|
- |
| private_0x000007ff000f0000 | 0x7ff000f0000 | 0x7ff000fffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00100000 | 0x7ff00100000 | 0x7ff0016ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00170000 | 0x7ff00170000 | 0x7ff0017ffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff00180000 | 0x7ff00180000 | 0x7ff001bffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff001c0000 | 0x7ff001c0000 | 0x7ff001cffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff001d0000 | 0x7ff001d0000 | 0x7ff001dffff | Private Memory | - |
|
|
|
- |
| private_0x000007ff001e0000 | 0x7ff001e0000 | 0x7ff001effff | Private Memory | - |
|
|
|
- |
| private_0x000007fffff10000 | 0x7fffff10000 | 0x7fffff1ffff | Private Memory | rwx |
|
|
|
- |
| private_0x000007fffff20000 | 0x7fffff20000 | 0x7fffffaffff | Private Memory | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffd8000 | 0x7fffffd8000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffda000 | 0x7fffffda000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdc000 | 0x7fffffdc000 | 0x7fffffddfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
|
For performance reasons, the remaining 182 entries are omitted.
The remaining entries can be found in flog.txt. |
||||||||
Created Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Y90-.mp4.id.9C354B42.[buykey@decryptionsales.online].crazy | 38.94 KB |
MD5:
c1c35eb01c2861ff86ec90105f1bc81e
SHA1: 88a547904bb677bbeef452689965314701facda6 SHA256: 8a9f15d2c7484f79991a895fbb36dd6f545d416ce95bcaf64b25abe21b4c41f3 SSDeep: 768:AH6GssmJPw0DoMk3BSAri2ZmIXvSRQmkZ0/b:AauMPw+oMk3BSU8IXNmRj |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\IoTrl5QTOTSX6.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | 13.80 KB |
MD5:
18128070c2461ada059d23e34c46a083
SHA1: ef8d696ec368e7348213250b65504b37f3ca0d09 SHA256: bd7ab9395ceda84ff52dfeea8ec1ae0bbdc31f580b1eeaa22a8bd2773ef4697d SSDeep: 192:8P5OYbH4yo2L96awK0xIXwDCYXh29kR4CUfs4ZMNt3INeYrtPKPAe/Dom6GGlTXj:IOmYxMnwpxIXXYQk344t4wuRKY+UVpLZ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\342WkTEC8.png.id.9C354B42.[buykey@decryptionsales.online].crazy | 28.14 KB |
MD5:
8080d206d26761c209fa253a022747e1
SHA1: 3cd521d3d2791c959ccb81ead096ea7929301f2a SHA256: 4dc10de2767c41086ef123a48e3b8fea7c06dda8f18e0604629baffe5d3f36ec SSDeep: 768:mvVxs7Z1PJqsTTBz1JmfOqP8rYDslPMiTRfjIos9icMhPS:mvXs91PnN1JkBV0TtjI/9khS |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\MCEh.wav.id.9C354B42.[buykey@decryptionsales.online].crazy | 47.19 KB |
MD5:
424aced1135c33b684305279dc9ae27d
SHA1: 0a3ab0032a21b0e4693d43b4acf7fd4602dae23e SHA256: cebafc11d3ad041a825c03c35c579760424442c4a6b9d8051ea8ee23e8905de5 SSDeep: 768:oPUM+oicfCvqiCAgj1DXu7pdEeDl6mYoMhzsco9uHal6Lw9UpETvr3x/6BREQlAA:nB0iaVwqUMmYzs/9uHaULwipEXxixAc5 |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\frCI.jpg.id.9C354B42.[buykey@decryptionsales.online].crazy | 13.61 KB |
MD5:
92acaa352d334ff4704b001d4ca04da3
SHA1: 4b2b96573241ce430a589b2b7da8e270c6e4e129 SHA256: 5518673789ea0e870c7edc41d55d30fbc2f98ad4119d7ecd0022c9d86d29b799 SSDeep: 192:cyt4RLplk43Hk6QHAWNzjbUsFgpnMHL6W97eVNBP8RHYs+2g4w3znK+mzOJTcHnc:cQ4TN3k65WadpD3BOH7t3w3m+KTW1+3s |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\FILES ENCRYPTED.txt | 0.13 KB |
MD5:
8e5c69f75f3c777976d23d86a0e064b8
SHA1: 749505b24144c18c82bac300b7cfbd1e56dc7bf9 SHA256: 9e24b551689370ed32f80713fda8c57e49b22d5317acb0372cd572b374f7d484 SSDeep: 3:gJ9QVP9AuFJKZkFDSQFVFf2bj503G31LAlF+LDFc5Y0RXcT:gXGljJdjFvkAGRQQLDFqY0xcT |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\xeoTJv4Tf_T FQ6GC.png.id.9C354B42.[buykey@decryptionsales.online].crazy | 87.84 KB |
MD5:
86c523fbd2ae98614472fbe0b548ccd1
SHA1: a9d3a43196d5deb076ce794d9c13b7477ba27e60 SHA256: bbaba0b72fdc53659c39e3eaba2492102e4c6be9c487eb379b3d8ddc5a3e037b SSDeep: 1536:1r47Ux4/lRnhM17F1q3DwgW5hO6dVobdfn9apTqsY95XnN845oYrlf:1rEUAwFbqi71dqR96+5Dealf |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\YEzJBw.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | 89.92 KB |
MD5:
2b2877db35cbe0ce9a1cde842635a4fc
SHA1: c4e3b550f0dcc0e231b8f524c28cce5603f14d83 SHA256: dcf616c1501e7019af8e9c2fdc316f766148aeba0c94b29ff050f068a5ed0539 SSDeep: 1536:E1UbXoNCYxHbIZD1f9Ngt4srFbjviOnNr/jeAC+XKIbFxAFsTTUVLLS2lI:E1NCYo1fAt4AyOBbRbFeFU4VblI |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\GB8gg.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | 99.58 KB |
MD5:
a00317e365c069c3b1bb7543d02a0eb6
SHA1: c1c69a7174481b784e4506b919b7296310835158 SHA256: 9c4ad045d65642a4f54d43b5e2525d323f47b7dd05304fce81b0d501a005d779 SSDeep: 3072:4iimPChrT20oFVTj+F/xcIk+RucjD1mlWLQ3D/:4iZ6hrT27HT22+YRB/ |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Music\-FfGLM.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | 79.38 KB |
MD5:
f932ec25c904286eb556915ae115acb5
SHA1: 5a2bffe166a5a668d083b12a54d5be1159a11127 SHA256: 957560d7521decd3e6b3d696d8daf70e22f6efbe61c892419779f646381c3c90 SSDeep: 1536:sgGucVpNLqYTD06QJgyig345HOCOwE+zyXArdLvo75cXlg+5DQnGwIL:sgGXNL1AJTig3Hs2ArdLvCwlbQIL |
|
|
| C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\NAdu7zq2Ultdz.mp3.id.9C354B42.[buykey@decryptionsales.online].crazy | 56.31 KB |
MD5:
daf5509c965617b67ce990560015126a
SHA1: 81a197751720c8d92d65f109fbfa0f2a1e474c6c SHA256: c064da1c8c0f885b93383b6adf5b8d9269da571ce89e73e38f4ba8618347b414 SSDeep: 768:6kNQvNNn1CiU84d8+F9hHsD5Dury3AdHSwO9wcPutD0VL4lsQqhmN1TyaDdG:6kNm/4C8LM9cHSw5cfVL4eA1RpG |
|
|
Modified Files
| Filename | File Size | Hash Values | YARA Match | Actions |
|---|---|---|---|---|
| c:\users\5p5nrgjn0js halpmcxz\appdata\local\gdipfontcachev1.dat | 106.27 KB |
MD5:
92e128dcb152d05f07faf5da64bd1c91
SHA1: 2174814ca563fc2b9679fffbf1b40bdf3ac9abec SHA256: 11437a99f5f9c0a6df09c64abc8828ad3ecd8cf4fa601340ded86b8945edff43 SSDeep: 768:i8HrbdvVyZHgTl7ho5sZWN/Ys9byFRQ+AwqGuGyZoVyOF7rrlqTIyMnm:/pVyZHgTl7h6tKR7AwqlGyZQVO1Mnm |
|
|
Threads
Thread 0x990
5060
27
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Info | type = Operating System |
|
3 | |
| Module | Get Handle | module_name = c:\windows\system32\user32.dll, base_address = 0x77640000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\user32.dll, function = DefWindowProcW, address_out = 0x7788b0ac |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
2 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| System | Get Info | type = Operating System |
|
1 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgJITDebugLaunchSetting, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework, value_name = DbgManagedDebugger, type = REG_NONE |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
2 | |
| Window | Create | window_name = .NET-BroadcastEventWindow.2.0.0.0.378734a.0, class_name = .NET-BroadcastEventWindow.2.0.0.0.378734a.0, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
2 | |
| Window | Create | class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
2 | |
| Window | Create | window_name = Desativa_OffWin, class_name = WindowsForms10.BUTTON.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | window_name = Desativa_Off, class_name = WindowsForms10.BUTTON.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
2 | |
| Window | Create | window_name = buykey@decryptionsales.online, class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
2 | |
| Window | Create | class_name = WindowsForms10.EDIT.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | window_name = btnSerial, class_name = WindowsForms10.BUTTON.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | window_name = Windows is working on updates wait till complete, class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.Window.8.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | window_name = Don't turn off your computer, this will take a while., class_name = WindowsForms10.STATIC.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
2 | |
| Window | Create | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.msctls_progress32.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | class_name = WindowsForms10.LISTBOX.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| Mutex | Create | mutex_name = SINGLE_INSTANCE_APP_MUTEX |
|
1 | |
| Process | Create | process_name = cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f, os_pid = 0x9c4, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Process | Create | process_name = cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm / v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f, os_pid = 0x9cc, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Process | Create | process_name = cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm /v EnableLUA /t REG_DWORD /d 0 /f, os_pid = 0x9d4, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Process | Create | process_name = cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 00000001 /f, os_pid = 0x9dc, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Process | Create | process_name = cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f, os_pid = 0x9e4, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Process | Create | process_name = cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 00000001 /f, os_pid = 0x9ec, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Process | Create | process_name = cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableBehaviorMonitoring /t REG_DWORD /d 00000001 /f, os_pid = 0xa04, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Process | Create | process_name = cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableOnAccessProtection /t REG_DWORD /d 00000001 /f, os_pid = 0xa0c, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Process | Create | process_name = cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableScanOnRealtimeEnable /t REG_DWORD /d 00000001 /f, os_pid = 0xa14, creation_flags = CREATE_NORMAL_PRIORITY_CLASS, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWMINIMIZED |
|
1 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| File | Get Info | filename = C:\Boot, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Config.Msi, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\PerfLogs, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| File | Get Info | filename = C:\Boot\cs-CZ, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\da-DK, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\de-DE, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\el-GR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\en-US, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\es-ES, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\fi-FI, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\Fonts, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\fr-FR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\hu-HU, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\it-IT, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\ja-JP, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\ko-KR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\nb-NO, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\nl-NL, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\pl-PL, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\pt-BR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\pt-PT, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\ru-RU, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\sv-SE, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\tr-TR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\zh-CN, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\zh-HK, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\zh-TW, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\PerfLogs\Admin, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Adobe, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Application Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Favorites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft Help, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Mozilla, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Oracle, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Start Menu, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Sun, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Templates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default User, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public, type = file_attributes |
|
2 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Adobe\Acrobat, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Adobe\ARM, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Assistance, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Crypto, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Device Stage, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\DeviceSync, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\DRM, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\eHome, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Event Viewer, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\IdentityCRL, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Media Player, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\MF, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\MSDN, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\NetFramework, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Network, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\OFFICE, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\RAC, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Search, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\User Account Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Vault, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\VISIO, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\WwanSvc, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Mozilla\logs, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{f325f05b-f963-4640-a43b-c8a494cdda0f}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Sun\Java, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Application Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Cookies, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Downloads, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Links, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Local Settings, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\My Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\NetHood, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\PrintHood, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Recent, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Searches, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\SendTo, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Start Menu, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Templates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Adobe, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Application Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Favorites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft Help, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Mozilla, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Oracle, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Start Menu, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Sun, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Templates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Application Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Contacts, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Cookies, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Downloads, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Favorites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Links, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Local Settings, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Music, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\My Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\NetHood, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\PrintHood, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Recent, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Saved Games, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Searches, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\SendTo, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Start Menu, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Templates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Videos, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Downloads, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Favorites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Libraries, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Music, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Recorded TV, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Videos, type = file_attributes |
|
2 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Adobe\Acrobat\10.0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Adobe\ARM\Reader_10.0.0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Assistance\Client, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Crypto\DSS, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Crypto\Keys, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Crypto\RSA, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Device Stage\Device, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Device Stage\Task, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\DRM\Server, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\eHome\logs, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Event Viewer\Views, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\MSDN\8.0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Network\Connections, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Network\Downloader, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\OFFICE\UICaptions, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\RAC\Outbound, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\RAC\PublishedData, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\RAC\StateData, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\RAC\Temp, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Search\Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\User Account Pictures\Default Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\AIT, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Caches, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\DeviceMetadataStore, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\DRM, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\GameExplorer, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Ringtones, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Sqm, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Start Menu, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Templates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\WER, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Definition Updates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\LocalCopy, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Quarantine, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Scans, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Support, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT\MSFax, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT\MSScan, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\WwanSvc\Profiles, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Sun\Java\Java Update, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\pYBMagiZk, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9tRJy, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Music, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Videos, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VUI8dbs8a6E_sx, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\EQ8UuS6KEr, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\A0V0PHPNzfBYDIW3, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\dlnFWX8-gis4AfHnlPs, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\lDO-fZKyN8HI5j, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\YqeM, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Adobe\Acrobat, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Adobe\ARM, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Assistance, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Crypto, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Device Stage, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\DeviceSync, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\DRM, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\eHome, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Event Viewer, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\IdentityCRL, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Media Player, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\MF, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\MSDN, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\NetFramework, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Network, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\OFFICE, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\RAC, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Search, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\User Account Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Vault, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\VISIO, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows Defender, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows NT, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\WwanSvc, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Mozilla\logs, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{f325f05b-f963-4640-a43b-c8a494cdda0f}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Sun\Java, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\LocalLow, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Roaming, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Documents\My Music, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Documents\My Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Documents\My Videos, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Favorites\Links, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Favorites\Microsoft Websites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Favorites\MSN Websites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Favorites\Windows Live, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Documents\My Music, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Documents\My Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Documents\My Videos, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Music\Sample Music, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Pictures\Sample Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Recorded TV\Sample Media, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Videos\Sample Videos, type = file_attributes |
|
2 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| File | Get Info | filename = C:\ProgramData\Adobe\Acrobat\10.0\Replicate, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Assistance\Client\1.0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Event Viewer\Views\ApplicationViewsRootNode, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\OFFICE\UICaptions\1036, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\OFFICE\UICaptions\3082, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Search\Data\Applications, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Search\Data\Temp, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\DRM\Cache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Sqm\Manifest, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Sqm\Sessions, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Sqm\Upload, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Start Menu\Programs, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\WER\ReportArchive, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\WER\ReportQueue, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Scans\History, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT\MSFax\ActivityLog, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT\MSFax\Inbox, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT\MSFax\Queue, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT\MSFax\SentItems, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages\Patch, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\packages\vcRuntimeMinimum_x86, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\packages\vcRuntimeAdditional_x86, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages\vcRuntimeMinimum_amd64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages\vcRuntimeAdditional_amd64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Application Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Deployment, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\History, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft Help, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Mozilla, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temporary Internet Files, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\VirtualStore, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Identities, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Macromedia, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a\-HqxMx4, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a\6SyWqeVc5yzr, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9tRJy\lbiZNM0EI_XyLx1 DZ9, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes\_private, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\EQ8UuS6KEr\W8JKzPrZW, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\aW44WW0 Tu, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj\sS212v32k5JqAk8yl, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6\nAikDiB6TQqHeUWBw, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\X0MqL_ZtdkVFYJuKw90y, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Adobe\Acrobat\10.0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Adobe\ARM\Reader_10.0.0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Assistance\Client, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Crypto\DSS, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Crypto\Keys, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Crypto\RSA, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Device Stage\Device, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Device Stage\Task, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\DRM\Server, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\eHome\logs, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Event Viewer\Views, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\MSDN\8.0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\NetFramework\BreadcrumbStore, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Network\Connections, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Network\Downloader, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\OFFICE\UICaptions, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\OfficeSoftwareProtectionPlatform\Cache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\RAC\Outbound, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\RAC\PublishedData, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\RAC\StateData, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\RAC\Temp, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Search\Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\AIT, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\Caches, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\DRM, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\GameExplorer, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\Power Efficiency Diagnostics, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\Ringtones, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\Sqm, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\Start Menu, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\Templates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\WER, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows Defender\Definition Updates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows Defender\LocalCopy, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows Defender\Quarantine, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows Defender\Scans, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows Defender\Support, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows NT\MSFax, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows NT\MSScan, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\WwanSvc\Profiles, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Sun\Java\Java Update, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Application Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\History, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Microsoft, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temp, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Temporary Internet Files, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\LocalLow\Microsoft, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Roaming\Identities, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Roaming\Microsoft, type = file_attributes |
|
2 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| File | Get Info | filename = C:\ProgramData\Adobe\Acrobat\10.0\Replicate\Security, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Search\Data\Applications\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SharePoint, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Tablet PC, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Scans\History\Results, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Scans\History\Store, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages\Patch\x64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch\x64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Acrobat, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Adobe\Color, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Apps\2.0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\CrashReports, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Credentials, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Event Viewer, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Feeds Cache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\FORMS, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\IME12, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\IMJP12, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\IMJP8_1, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\IMJP9_0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Internet Explorer, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Media Player, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Office, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Outlook, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Publisher, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\TaskSchedulerConfig, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Visio, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Media, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Sidebar, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Mozilla\Firefox, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Mozilla\updates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Cookies, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\History, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Temporary Internet Files, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\WPDNSE, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\~nsu.tmp, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Acrobat, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Adobe\Linguistics, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\CryptnetUrlCache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\IME12, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\IMJP12, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\IMJP8_1, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\IMJP9_0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Microsoft\Internet Explorer, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow\Sun\Java, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Acrobat, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Flash Player, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Headlights, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\Linguistics, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Adobe\LogTransport2, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Macromedia\Flash Player, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\AddIns, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Credentials, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Crypto, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Document Building Blocks, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Excel, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\IME12, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\IMJP12, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\IMJP8_1, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\IMJP9_0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Internet Explorer, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\MMC, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\MS Project, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Network, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Office, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Outlook, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\PowerPoint, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Proof, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Protect, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Publisher, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Publisher Building Blocks, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Speech, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\SystemCertificates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Templates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\UProof, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Word, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Extensions, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\o2dzQZNBDDx1G3, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q\fV5QjQ\pIbphXFMT3WS7Z6C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN\tv-bIyAk cNG\S PT0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Adobe\Acrobat\10.0\Replicate, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Assistance\Client\1.0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Crypto\DSS\MachineKeys, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Crypto\RSA\MachineKeys, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Crypto\RSA\S-1-5-18, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Event Viewer\Views\ApplicationViewsRootNode, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\OFFICE\UICaptions\1036, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\OFFICE\UICaptions\3082, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Search\Data\Applications, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Search\Data\Temp, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\DRM\Cache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\Sqm\Manifest, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\Sqm\Sessions, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\Sqm\Upload, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\Start Menu\Programs, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\WER\ReportArchive, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows\WER\ReportQueue, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Backup, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Updates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\{D2B0B133-42ED-44D3-809A-46EBB62BA863}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows Defender\Scans\History, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows NT\MSFax\ActivityLog, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows NT\MSFax\Inbox, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows NT\MSFax\Queue, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows NT\MSFax\SentItems, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages\Patch, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages\Patch, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages\vcRuntimeMinimum_x86, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\packages\vcRuntimeMinimum_x86, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\packages\vcRuntimeAdditional_x86, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages\vcRuntimeMinimum_amd64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages\vcRuntimeAdditional_amd64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages\vcRuntimeMinimum_amd64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages\vcRuntimeAdditional_amd64, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages\vcRuntimeAdditional_x86, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Microsoft\Credentials, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Microsoft\Feeds, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Microsoft\Feeds Cache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Microsoft\Internet Explorer, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Microsoft\Media Player, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Microsoft\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Microsoft\Windows Mail, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Microsoft\Windows Media, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\LocalLow\Microsoft\CryptnetUrlCache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Roaming\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Roaming\Microsoft\Credentials, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Roaming\Microsoft\Crypto, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Roaming\Microsoft\Protect, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Roaming\Microsoft\SystemCertificates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData\Roaming\Microsoft\Windows, type = file_attributes |
|
2 | |
| Module | Get Handle | module_name = c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe, base_address = 0x1190000 |
|
1 | |
| Window | Create | window_name = TimerNativeWindow, class_name = WindowsForms10.Window.0.app.0.378734a, wndproc_parameter = 0 |
|
1 | |
| System | Sleep | duration = 100 milliseconds (0.100 seconds) |
|
1 | |
| File | Get Info | filename = C:\Boot, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Config.Msi, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\PerfLogs, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\cs-CZ, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\da-DK, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\de-DE, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\el-GR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\en-US, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\es-ES, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\fi-FI, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\Fonts, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\fr-FR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\hu-HU, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\it-IT, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\ja-JP, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\ko-KR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\nb-NO, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\nl-NL, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\pl-PL, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\pt-BR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\pt-PT, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\ru-RU, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\sv-SE, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\tr-TR, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\zh-CN, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\zh-HK, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Boot\zh-TW, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\PerfLogs\Admin, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Adobe, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Application Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Favorites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft Help, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Mozilla, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Oracle, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Start Menu, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Sun, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Templates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default User, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-001B-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0043-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0044-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0054-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-00A1-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-00B4-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-00BA-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{91140000-0011-0000-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{91140000-003B-0000-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{91140000-0057-0000-1000-0000000FF1CE}-C, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Adobe\Acrobat, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Adobe\ARM, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Assistance, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Crypto, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Device Stage, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\DeviceSync, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\DRM, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\eHome, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Event Viewer, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\IdentityCRL, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Media Player, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\MF, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\MSDN, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\NetFramework, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Network, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\OFFICE, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\RAC, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Search, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\User Account Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Vault, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\VISIO, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\WwanSvc, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Mozilla\logs, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{3c3aafc8-d898-43ec-998f-965ffdae065a}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{e52a6842-b0ac-476e-b48f-378a97a67346}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{e6e75766-da0f-4ba2-9788-6ea593ce702d}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{f325f05b-f963-4640-a43b-c8a494cdda0f}, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Sun\Java, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Application Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Contacts, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Cookies, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Downloads, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Links, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Local Settings, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\My Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\NetHood, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\PrintHood, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Recent, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Saved Games, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Searches, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\SendTo, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Start Menu, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Templates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Adobe, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Application Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Favorites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft Help, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Mozilla, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Oracle, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Package Cache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Start Menu, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Sun, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Templates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\AppData, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Application Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Contacts, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Cookies, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Downloads, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Favorites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Links, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Local Settings, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Music, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\My Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\NetHood, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\PrintHood, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Recent, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Saved Games, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Searches, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\SendTo, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Start Menu, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Templates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Default\Videos, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Desktop, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Documents, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Downloads, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Favorites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Libraries, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Music, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Recorded TV, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\Public\Videos, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.en, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.es, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-002C-0409-1000-0000000FF1CE}-C\Proof.fr, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\MSOCache\All Users\{90140000-0117-0409-1000-0000000FF1CE}-C\Access.en-us, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Adobe\Acrobat\10.0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Adobe\ARM\Reader_10.0.0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Assistance\Client, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Crypto\DSS, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Crypto\Keys, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Crypto\RSA, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Device Stage\Device, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Device Stage\Task, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\DRM\Server, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\eHome\logs, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Event Viewer\Views, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\MSDN\8.0, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Network\Connections, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Network\Downloader, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\OFFICE\UICaptions, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\RAC\Outbound, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\RAC\PublishedData, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\RAC\StateData, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\RAC\Temp, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Search\Data, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\User Account Pictures\Default Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\AIT, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Caches, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\DeviceMetadataStore, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\DRM, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\GameExplorer, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Power Efficiency Diagnostics, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Ringtones, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Sqm, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Start Menu, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\Templates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows\WER, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Definition Updates, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\LocalCopy, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Quarantine, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Scans, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows Defender\Support, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT\MSFax, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\Windows NT\MSScan, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Microsoft\WwanSvc\Profiles, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\42D5BEC7DDFBD49E76467529CBC2868987BF8460\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\54050A5F8AE7F0C56E553F0090146C17A1D2BF8D\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Package Cache\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\packages, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\ProgramData\Sun\Java\Java Update, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\LocalLow, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\c Dq5hcOVfh519j-9a, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\pYBMagiZk, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\9tRJy, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Music, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Pictures, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Shapes, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\My Videos, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\Outlook Files, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\VUI8dbs8a6E_sx, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Documents\yG_UzdwPFgf0Q, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Links, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Microsoft Websites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\MSN Websites, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Favorites\Windows Live, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\EQ8UuS6KEr, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\PTSeo8U3g, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Music\vY8SYTb, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\4T8UAInZgSm4 N-5gj, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\A0V0PHPNzfBYDIW3, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\dlnFWX8-gis4AfHnlPs, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\lDO-fZKyN8HI5j, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\YqeM, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Pictures\Yrfr6, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Videos\3m pibGalRLIOAUhZKN, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Adobe\Acrobat, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Adobe\ARM, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Assistance, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Crypto, type = file_attributes |
|
2 | |
| File | Get Info | filename = C:\Users\All Users\Microsoft\Device Stage, type = file_attributes |
|
2 | |
|
For performance reasons, the remaining 2094 entries are omitted.
The remaining entries can be found in glog.xml. |
|||||
Thread 0x998
1
0
| Category | Operation | Information | Success | Count | Logfile |
|---|
Thread 0xaec
3
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
3 |
Thread 0xaf0
52
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| COM | Create | interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER |
|
1 | |
| Module | Load | module_name = C:\Windows\Microsoft.NET\Framework64\v2.0.50727\\wminet_utils.dll, base_address = 0x642ffff0000 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ResetSecurity, address_out = 0x642ffff20e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SetSecurity, address_out = 0x642ffff21b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = BlessIWbemServices, address_out = 0x642ffff2290 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = BlessIWbemServicesObject, address_out = 0x642ffff23b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetPropertyHandle, address_out = 0x642ffff24d0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = WritePropertyValue, address_out = 0x642ffff2500 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = Clone, address_out = 0x642ffff2530 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = VerifyClientKey, address_out = 0x642ffff31f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetQualifierSet, address_out = 0x642ffff2a50 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = Get, address_out = 0x642ffff2700 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = Put, address_out = 0x642ffff26c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = Delete, address_out = 0x642ffff2750 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetNames, address_out = 0x642ffff2760 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = BeginEnumeration, address_out = 0x642ffff27b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = Next, address_out = 0x642ffff27c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = EndEnumeration, address_out = 0x642ffff2810 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetPropertyQualifierSet, address_out = 0x642ffff2820 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = Clone, address_out = 0x642ffff2530 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetObjectText, address_out = 0x642ffff2840 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SpawnDerivedClass, address_out = 0x642ffff2860 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = SpawnInstance, address_out = 0x642ffff2880 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CompareTo, address_out = 0x642ffff28a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetPropertyOrigin, address_out = 0x642ffff28c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = InheritsFrom, address_out = 0x642ffff28e0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetMethod, address_out = 0x642ffff28f0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = PutMethod, address_out = 0x642ffff2940 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = DeleteMethod, address_out = 0x642ffff2990 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = BeginMethodEnumeration, address_out = 0x642ffff29a0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = NextMethod, address_out = 0x642ffff29b0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = EndMethodEnumeration, address_out = 0x642ffff2a00 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetMethodQualifierSet, address_out = 0x642ffff2a10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetMethodOrigin, address_out = 0x642ffff2a30 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QualifierSet_Get, address_out = 0x642ffff2a60 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QualifierSet_Put, address_out = 0x642ffff2ab0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QualifierSet_Delete, address_out = 0x642ffff2ae0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QualifierSet_GetNames, address_out = 0x642ffff2af0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QualifierSet_BeginEnumeration, address_out = 0x642ffff2b10 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QualifierSet_Next, address_out = 0x642ffff2b20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = QualifierSet_EndEnumeration, address_out = 0x642ffff2b70 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetCurrentApartmentType, address_out = 0x642ffff2a50 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = GetDemultiplexedStub, address_out = 0x642ffff2060 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CreateInstanceEnumWmi, address_out = 0x642ffff1760 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CreateClassEnumWmi, address_out = 0x642ffff18c0 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ExecQueryWmi, address_out = 0x642ffff1a20 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ExecNotificationQueryWmi, address_out = 0x642ffff1b90 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = PutInstanceWmi, address_out = 0x642ffff1d00 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = PutClassWmi, address_out = 0x642ffff1e00 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = CloneEnumWbemClassObject, address_out = 0x642ffff1f00 |
|
1 | |
| Module | Get Address | module_name = Unknown module name, function = ConnectServerWmi, address_out = 0x642ffff34c0 |
|
1 | |
| COM | Create | interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER |
|
1 |
Process #2: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #2 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9c4 |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9C8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0030ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003d0000 | 0x003d0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00687fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x01c1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c20000 | 0x01c20000 | 0x01f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f70000 | 0x0223efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0x9c8
59
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 114161 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4ab10000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\reg.exe, os_pid = 0xadc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #3: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #3 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm / v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9cc |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9D0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00170000 | 0x001d6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003a0000 | 0x003a0000 | 0x0049ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004a0000 | 0x004a0000 | 0x00627fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000630000 | 0x00630000 | 0x007b0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000007c0000 | 0x007c0000 | 0x01bbffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001bc0000 | 0x01bc0000 | 0x01f02fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f10000 | 0x021defff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0x9d0
59
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 113880 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4ab10000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\reg.exe, os_pid = 0xa9c, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #4: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #4 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm /v EnableLUA /t REG_DWORD /d 0 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9d4 |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9D8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x0016ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002d0000 | 0x00336fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000500000 | 0x00500000 | 0x0050ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00697fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x00820fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000830000 | 0x00830000 | 0x01c2ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c30000 | 0x01c30000 | 0x01f72fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f80000 | 0x0224efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0x9d8
59
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 113833 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4ab10000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\reg.exe, os_pid = 0xac4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000000 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #5: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #5 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9dc |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9E0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000560000 | 0x00560000 | 0x0056ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x00880fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000890000 | 0x00890000 | 0x01c8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c90000 | 0x01c90000 | 0x01fd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01fe0000 | 0x022aefff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0x9e0
59
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 113927 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4ab10000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\reg.exe, os_pid = 0xaa4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #6: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #6 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9e4 |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9E8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0005ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00066fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001d0000 | 0x001d0000 | 0x002cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002d0000 | 0x00336fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000340000 | 0x00340000 | 0x0043ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000440000 | 0x00440000 | 0x005c7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005d0000 | 0x005d0000 | 0x00750fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000760000 | 0x00760000 | 0x01b5ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001b60000 | 0x01b60000 | 0x01ea2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01eb0000 | 0x0217efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdb000 | 0x7fffffdb000 | 0x7fffffdbfff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0x9e8
59
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 113989 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4ab10000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\reg.exe, os_pid = 0xacc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #7: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #7 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0x9ec |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
9F0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000400000 | 0x00400000 | 0x004fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00687fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x00810fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000820000 | 0x00820000 | 0x01c1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c20000 | 0x01c20000 | 0x01f62fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f70000 | 0x0223efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0x9f0
59
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 114021 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4ab10000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\reg.exe, os_pid = 0xabc, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #8: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #8 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableBehaviorMonitoring /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa04 |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A08
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x001effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x002effff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002f0000 | 0x002f0000 | 0x002f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0040ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000540000 | 0x00540000 | 0x0054ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x00860fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000870000 | 0x00870000 | 0x01c6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c70000 | 0x01c70000 | 0x01fb2fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01fc0000 | 0x0228efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xa08
59
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 114052 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4ab10000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\reg.exe, os_pid = 0xab4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #9: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #9 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableOnAccessProtection /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa0c |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A10
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000050000 | 0x00050000 | 0x00056fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x00070fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x002b0000 | 0x00316fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000410000 | 0x00410000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000420000 | 0x00420000 | 0x0051ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000520000 | 0x00520000 | 0x006a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006b0000 | 0x006b0000 | 0x00830fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000840000 | 0x00840000 | 0x01c3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c40000 | 0x01c40000 | 0x01f82fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f90000 | 0x0225efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xa10
59
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 114130 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4ab10000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\reg.exe, os_pid = 0xad4, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #10: cmd.exe
59
0
| Information | Value |
|---|---|
| ID | #10 |
| File Name | c:\windows\system32\cmd.exe |
| Command Line | cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableScanOnRealtimeEnable /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:19, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:03 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa14 |
| Parent PID | 0x98c (c:\users\5p5nrgjn0js halpmcxz\desktop\crazycrypt.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
A18
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000000d0000 | 0x000d0000 | 0x001cffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0027ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003e0000 | 0x003e0000 | 0x004dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000004e0000 | 0x004e0000 | 0x00667fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000670000 | 0x00670000 | 0x007f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000800000 | 0x00800000 | 0x01bfffff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000001c00000 | 0x01c00000 | 0x01f42fff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01f50000 | 0x0221efff | Memory Mapped File | r |
|
|
|
- |
| cmd.exe | 0x4ab10000 | 0x4ab68fff | Memory Mapped File | rwx |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| winbrand.dll | 0x7fef8dc0000 | 0x7fef8dc7fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd5000 | 0x7fffffd5000 | 0x7fffffd5fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xa18
59
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:54 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 114099 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\cmd.exe, base_address = 0x4ab10000 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x77756d40 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
3 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
2 | |
| Environment | Get Environment String | - |
|
2 | |
| Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 24, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| Registry | Read Value | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE |
|
1 | |
| Module | Get Filename | process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\system32\cmd.exe, size = 260 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Environment | Get Environment String | name = PROMPT |
|
1 | |
| Environment | Set Environment String | name = PROMPT, value = $P$G |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe |
|
1 | |
| Environment | Get Environment String | name = KEYS |
|
1 | |
| File | Get Info | filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop, type = file_attributes |
|
2 | |
| Environment | Set Environment String | name = =C:, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\kernel32.dll, base_address = 0x77740000 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x777523d0 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x77748290 |
|
1 | |
| Module | Get Address | module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x777517e0 |
|
1 | |
| Environment | Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ |
|
1 | |
| Environment | Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC |
|
1 | |
| Process | Create | process_name = C:\Windows\system32\reg.exe, os_pid = 0xaac, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL |
|
1 | |
| Environment | Set Environment String | name = COPYCMD |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCode, value = 00000001 |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| Environment | Set Environment String | name = =ExitCodeAscii |
|
1 | |
| Environment | Get Environment String | - |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Open | filename = STD_INPUT_HANDLE |
|
1 |
Process #11: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #11 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm / v ConsentPromptBehaviorUser /t REG_DWORD /d 0 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xa9c |
| Parent PID | 0x9cc (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0005ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00066fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000070000 | 0x00070000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000f0000 | 0x00156fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000160000 | 0x00160000 | 0x0025ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000260000 | 0x00260000 | 0x00261fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000370000 | 0x00370000 | 0x004f7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000500000 | 0x00500000 | 0x00680fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000690000 | 0x00690000 | 0x01a8ffff | Pagefile Backed Memory | r |
|
|
|
- |
| reg.exe.mui | 0x01a90000 | 0x01a98fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000001aa0000 | 0x01aa0000 | 0x01aa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ab0000 | 0x01ab0000 | 0x01ab0fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01ac0000 | 0x01d8efff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd3000 | 0x7fffffd3000 | 0x7fffffd3fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xaa0
9
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 114613 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\reg.exe, base_address = 0xfff70000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Get Info | filename = STD_ERROR_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
2 | |
| File | Write | filename = STD_ERROR_HANDLE, size = 52 |
|
1 |
Process #12: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #12 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaa4 |
| Parent PID | 0x9dc (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AA8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x000cffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x000d0000 | 0x00136fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x0000000000140000 | 0x00140000 | 0x00146fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x00160000 | 0x00168fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001a0000 | 0x001a0000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000003b0000 | 0x003b0000 | 0x003bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003c0000 | 0x003c0000 | 0x00547fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000550000 | 0x00550000 | 0x006d0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006e0000 | 0x006e0000 | 0x01adffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01ae0000 | 0x01daefff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xaa8
9
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 114691 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\reg.exe, base_address = 0xfff70000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Get Info | filename = STD_ERROR_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
2 | |
| File | Write | filename = STD_ERROR_HANDLE, size = 52 |
|
1 |
Process #13: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #13 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableScanOnRealtimeEnable /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xaac |
| Parent PID | 0xa14 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AB0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x000e0000 | 0x000e8fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000290000 | 0x00290000 | 0x0029ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00730fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x01b3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b40000 | 0x01e0efff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xab0
9
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 115159 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\reg.exe, base_address = 0xfff70000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Get Info | filename = STD_ERROR_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
2 | |
| File | Write | filename = STD_ERROR_HANDLE, size = 52 |
|
1 |
Process #14: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #14 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableBehaviorMonitoring /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xab4 |
| Parent PID | 0xa04 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AB8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| private_0x00000000000c0000 | 0x000c0000 | 0x001bffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x001e0000 | 0x001e8fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000270000 | 0x00270000 | 0x00270fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000430000 | 0x00430000 | 0x005b7fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x00000000005d0000 | 0x005d0000 | 0x005dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000005e0000 | 0x005e0000 | 0x00760fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000770000 | 0x00770000 | 0x01b6ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b70000 | 0x01e3efff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd4000 | 0x7fffffd4000 | 0x7fffffd4fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xab8
9
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:56 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 115191 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\reg.exe, base_address = 0xfff70000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Get Info | filename = STD_ERROR_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
2 | |
| File | Write | filename = STD_ERROR_HANDLE, size = 52 |
|
1 |
Process #15: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #15 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xabc |
| Parent PID | 0x9ec (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AC0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| private_0x00000000000e0000 | 0x000e0000 | 0x000effff | Private Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x000f0000 | 0x000f8fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x00110fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000220000 | 0x00220000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00730fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x01b3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b40000 | 0x01e0efff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xac0
9
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 114473 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\reg.exe, base_address = 0xfff70000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Get Info | filename = STD_ERROR_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
2 | |
| File | Write | filename = STD_ERROR_HANDLE, size = 52 |
|
1 |
Process #16: reg.exe
13
0
| Information | Value |
|---|---|
| ID | #16 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm /v EnableLUA /t REG_DWORD /d 0 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xac4 |
| Parent PID | 0x9d4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AC8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x000e0000 | 0x000e8fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000210000 | 0x00210000 | 0x0028ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000310000 | 0x00310000 | 0x0031ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000320000 | 0x00320000 | 0x0041ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000420000 | 0x00420000 | 0x005a7fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000005b0000 | 0x005b0000 | 0x00730fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000740000 | 0x00740000 | 0x01b3ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b40000 | 0x01e0efff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x01e10000 | 0x01ecffff | Memory Mapped File | rw |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffdd000 | 0x7fffffdd000 | 0x7fffffdefff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffdf000 | 0x7fffffdf000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xac8
13
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 114504 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\reg.exe, base_address = 0xfff70000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm, value_name = EnableLUA |
|
1 | |
| Registry | Write Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Systemm, value_name = EnableLUA, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 39 |
|
1 |
Process #17: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #17 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xacc |
| Parent PID | 0x9e4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0005ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000060000 | 0x00060000 | 0x00066fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x00080000 | 0x00088fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00210000 | 0x00276fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000380000 | 0x00380000 | 0x00507fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000510000 | 0x00510000 | 0x00690fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000006a0000 | 0x006a0000 | 0x01a9ffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000001aa0000 | 0x01aa0000 | 0x01aa0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000001ab0000 | 0x01ab0000 | 0x01ab0fff | Private Memory | rw |
|
|
|
- |
| sortdefault.nls | 0x01ac0000 | 0x01d8efff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xad0
9
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 114551 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\reg.exe, base_address = 0xfff70000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Get Info | filename = STD_ERROR_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
2 | |
| File | Write | filename = STD_ERROR_HANDLE, size = 52 |
|
1 |
Process #18: reg.exe
9
0
| Information | Value |
|---|---|
| ID | #18 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableOnAccessProtection /t REG_DWORD /d 00000001 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xad4 |
| Parent PID | 0xa0c (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AD8
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | r |
|
|
|
- |
| pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x000e0000 | 0x000e8fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000130000 | 0x00130000 | 0x001affff | Private Memory | rw |
|
|
|
- |
| private_0x00000000001b0000 | 0x001b0000 | 0x002affff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000300000 | 0x00300000 | 0x003fffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000400000 | 0x00400000 | 0x00587fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000590000 | 0x00590000 | 0x00710fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000720000 | 0x00720000 | 0x01b1ffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b20000 | 0x01deefff | Memory Mapped File | r |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd9000 | 0x7fffffd9000 | 0x7fffffd9fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xad8
9
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:56 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 115206 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\reg.exe, base_address = 0xfff70000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
1 | |
| File | Get Info | filename = STD_ERROR_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_ERROR_HANDLE |
|
2 | |
| File | Write | filename = STD_ERROR_HANDLE, size = 52 |
|
1 |
Process #19: reg.exe
13
0
| Information | Value |
|---|---|
| ID | #19 |
| File Name | c:\windows\system32\reg.exe |
| Command Line | reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f |
| Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
| Monitor | Start Time: 00:01:20, Reason: Child Process |
| Unmonitor | End Time: 00:01:22, Reason: Self Terminated |
| Monitor Duration | 00:00:02 |
OS Process Information
| Information | Value |
|---|---|
| PID | 0xadc |
| Parent PID | 0x9c4 (c:\windows\system32\cmd.exe) |
| Is Created or Modified Executable |
|
| Integrity Level | High (Elevated) |
| Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
| Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
| Thread IDs |
0x
AE0
|
Region
| Name | Start VA | End VA | Type | Permissions | Monitored | Dumped | YARA | Actions |
|---|---|---|---|---|---|---|---|---|
| private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | rw |
|
|
|
- |
| pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000040000 | 0x00040000 | 0x00040fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x0000000000050000 | 0x00050000 | 0x0014ffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x0000000000150000 | 0x00150000 | 0x00156fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000160000 | 0x00160000 | 0x00161fff | Pagefile Backed Memory | rw |
|
|
|
- |
| reg.exe.mui | 0x00170000 | 0x00178fff | Memory Mapped File | rw |
|
|
|
- |
| private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | rw |
|
|
|
- |
| private_0x0000000000190000 | 0x00190000 | 0x0020ffff | Private Memory | rw |
|
|
|
- |
| locale.nls | 0x00210000 | 0x00276fff | Memory Mapped File | r |
|
|
|
- |
| private_0x0000000000280000 | 0x00280000 | 0x00280fff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002d0000 | 0x002d0000 | 0x002dffff | Private Memory | rw |
|
|
|
- |
| private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | rw |
|
|
|
- |
| pagefile_0x00000000003e0000 | 0x003e0000 | 0x00567fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000570000 | 0x00570000 | 0x006f0fff | Pagefile Backed Memory | r |
|
|
|
- |
| pagefile_0x0000000000700000 | 0x00700000 | 0x01afffff | Pagefile Backed Memory | r |
|
|
|
- |
| sortdefault.nls | 0x01b00000 | 0x01dcefff | Memory Mapped File | r |
|
|
|
- |
| kernelbase.dll.mui | 0x01dd0000 | 0x01e8ffff | Memory Mapped File | rw |
|
|
|
- |
| user32.dll | 0x77640000 | 0x77739fff | Memory Mapped File | rwx |
|
|
|
- |
| kernel32.dll | 0x77740000 | 0x7785efff | Memory Mapped File | rwx |
|
|
|
- |
| ntdll.dll | 0x77860000 | 0x77a08fff | Memory Mapped File | rwx |
|
|
|
- |
| private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | r |
|
|
|
- |
| private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | r |
|
|
|
- |
| reg.exe | 0xfff70000 | 0xfffc5fff | Memory Mapped File | rwx |
|
|
|
- |
| kernelbase.dll | 0x7fefd900000 | 0x7fefd96afff | Memory Mapped File | rwx |
|
|
|
- |
| usp10.dll | 0x7fefdb80000 | 0x7fefdc48fff | Memory Mapped File | rwx |
|
|
|
- |
| lpk.dll | 0x7fefdd30000 | 0x7fefdd3dfff | Memory Mapped File | rwx |
|
|
|
- |
| imm32.dll | 0x7fefdd40000 | 0x7fefdd6dfff | Memory Mapped File | rwx |
|
|
|
- |
| nsi.dll | 0x7fefdef0000 | 0x7fefdef7fff | Memory Mapped File | rwx |
|
|
|
- |
| gdi32.dll | 0x7fefed10000 | 0x7fefed76fff | Memory Mapped File | rwx |
|
|
|
- |
| msctf.dll | 0x7fefed80000 | 0x7fefee88fff | Memory Mapped File | rwx |
|
|
|
- |
| advapi32.dll | 0x7feff0f0000 | 0x7feff1cafff | Memory Mapped File | rwx |
|
|
|
- |
| rpcrt4.dll | 0x7feff1d0000 | 0x7feff2fcfff | Memory Mapped File | rwx |
|
|
|
- |
| shlwapi.dll | 0x7feff4e0000 | 0x7feff550fff | Memory Mapped File | rwx |
|
|
|
- |
| sechost.dll | 0x7feff850000 | 0x7feff86efff | Memory Mapped File | rwx |
|
|
|
- |
| msvcrt.dll | 0x7feffa80000 | 0x7feffb1efff | Memory Mapped File | rwx |
|
|
|
- |
| ws2_32.dll | 0x7feffb20000 | 0x7feffb6cfff | Memory Mapped File | rwx |
|
|
|
- |
| apisetschema.dll | 0x7feffb80000 | 0x7feffb80fff | Memory Mapped File | rwx |
|
|
|
- |
| pagefile_0x000007fffffb0000 | 0x7fffffb0000 | 0x7fffffd2fff | Pagefile Backed Memory | r |
|
|
|
- |
| private_0x000007fffffd7000 | 0x7fffffd7000 | 0x7fffffd7fff | Private Memory | rw |
|
|
|
- |
| private_0x000007fffffde000 | 0x7fffffde000 | 0x7fffffdffff | Private Memory | rw |
|
|
|
- |
Threads
Thread 0xae0
13
0
| Category | Operation | Information | Success | Count | Logfile |
|---|---|---|---|---|---|
| System | Get Time | type = System Time, time = 1627-02-19 14:11:55 (UTC) |
|
1 | |
| System | Get Time | type = Ticks, time = 115144 |
|
1 | |
| Module | Get Handle | module_name = c:\windows\system32\reg.exe, base_address = 0xfff70000 |
|
1 | |
| Registry | Open Key | reg_name = HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System |
|
1 | |
| Registry | Create Key | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System |
|
1 | |
| Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System, value_name = ConsentPromptBehaviorAdmin |
|
1 | |
| Registry | Write Value | reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System, value_name = ConsentPromptBehaviorAdmin, data = 0, size = 4, type = REG_DWORD_LITTLE_ENDIAN |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
1 | |
| File | Get Info | filename = STD_OUTPUT_HANDLE, type = file_type |
|
1 | |
| File | Open | filename = STD_OUTPUT_HANDLE |
|
2 | |
| File | Write | filename = STD_OUTPUT_HANDLE, size = 39 |
|
1 |
