Information | Value |
---|---|
ID | #1 |
File Name | c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe |
Command Line | "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe" |
Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
Monitor | Start Time: 00:00:20, Reason: Analysis Target |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:05:01 |
Information | Value |
---|---|
PID | 0x9f4 |
Parent PID | 0x564 (c:\windows\explorer.exe) |
Is Created or Modified Executable | |
Integrity Level | High (Elevated) |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
Thread IDs | 0x9F8, 0xA08 |
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable | | | | |
private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable | | | | |
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | | | | |
private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable | | | | |
apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | | | | |
private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable | | | | |
private_0x00000000001a0000 | 0x001a0000 | 0x001affff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b6fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | Readable, Writable | | | | |
pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | Readable | | | | |
msctf.dll.mui | 0x001d0000 | 0x001d0fff | Memory Mapped File | Readable, Writable | | | | |
private_0x00000000001e0000 | 0x001e0000 | 0x0025ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000260000 | 0x00260000 | 0x0029ffff | Private Memory | Readable, Writable | | | | |
private_0x00000000002a0000 | 0x002a0000 | 0x0039ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000003a0000 | 0x003a0000 | 0x003a1fff | Pagefile Backed Memory | Readable | | | | |
private_0x00000000003a0000 | 0x003a0000 | 0x003a8fff | Private Memory | Readable, Writable, Executable | | | | |
private_0x00000000003b0000 | 0x003b0000 | 0x003b0fff | Private Memory | Readable, Writable | | | | |
lxqfwvdqlkd.exe | 0x00400000 | 0x00447fff | Memory Mapped File | Readable, Writable, Executable | | | | |
locale.nls | 0x00450000 | 0x004b6fff | Memory Mapped File | Readable | | | | |
private_0x00000000004f0000 | 0x004f0000 | 0x0052ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000580000 | 0x00580000 | 0x0058ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000590000 | 0x00590000 | 0x00717fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000720000 | 0x00720000 | 0x008a0fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x00000000008b0000 | 0x008b0000 | 0x01caffff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000001cb0000 | 0x01cb0000 | 0x01d1ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000001d70000 | 0x01d70000 | 0x01d7ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000001d80000 | 0x01d80000 | 0x0217ffff | Private Memory | Readable, Writable | | | | |
sortdefault.nls | 0x02180000 | 0x0244efff | Memory Mapped File | Readable | | | | |
private_0x0000000002450000 | 0x02450000 | 0x0254ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002450000 | 0x02450000 | 0x024fffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002450000 | 0x02450000 | 0x024cffff | Private Memory | Readable, Writable | | | | |
private_0x00000000024f0000 | 0x024f0000 | 0x024fffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002510000 | 0x02510000 | 0x0254ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000002550000 | 0x02550000 | 0x0262efff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000002630000 | 0x02630000 | 0x0272ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002780000 | 0x02780000 | 0x0278ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000002790000 | 0x02790000 | 0x02b82fff | Pagefile Backed Memory | Readable | | | | |
staticcache.dat | 0x02b90000 | 0x034bffff | Memory Mapped File | Readable | | | | |
private_0x00000000034c0000 | 0x034c0000 | 0x074bffff | Private Memory | Readable, Writable, Executable | | | | |
msvbvm60.dll | 0x72940000 | 0x72a92fff | Memory Mapped File | Readable, Writable, Executable | | | | |
dwmapi.dll | 0x73430000 | 0x73442fff | Memory Mapped File | Readable, Writable, Executable | | | | |
uxtheme.dll | 0x738b0000 | 0x7392ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
wow64win.dll | 0x73a70000 | 0x73acbfff | Memory Mapped File | Readable, Writable, Executable | | | | |
wow64.dll | 0x73ad0000 | 0x73b0efff | Memory Mapped File | Readable, Writable, Executable | | | | |
wow64cpu.dll | 0x73b40000 | 0x73b47fff | Memory Mapped File | Readable, Writable, Executable | | | | |
winspool.drv | 0x74e60000 | 0x74eb0fff | Memory Mapped File | Readable, Writable, Executable | | | | |
sxs.dll | 0x74ec0000 | 0x74f1efff | Memory Mapped File | Readable, Writable, Executable | | | | |
cryptbase.dll | 0x750b0000 | 0x750bbfff | Memory Mapped File | Readable, Writable, Executable | | | | |
sspicli.dll | 0x750c0000 | 0x7511ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
user32.dll | 0x75120000 | 0x7521ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
sechost.dll | 0x75240000 | 0x75258fff | Memory Mapped File | Readable, Writable, Executable | | | | |
msvcrt.dll | 0x75260000 | 0x7530bfff | Memory Mapped File | Readable, Writable, Executable | | | | |
kernelbase.dll | 0x75320000 | 0x75365fff | Memory Mapped File | Readable, Writable, Executable | | | | |
rpcrt4.dll | 0x753c0000 | 0x754affff | Memory Mapped File | Readable, Writable, Executable | | | | |
gdi32.dll | 0x754e0000 | 0x7556ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
ole32.dll | 0x75570000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable | | | | |
shell32.dll | 0x75790000 | 0x763d9fff | Memory Mapped File | Readable, Writable, Executable | | | | |
oleaut32.dll | 0x763e0000 | 0x7646efff | Memory Mapped File | Readable, Writable, Executable | | | | |
kernel32.dll | 0x765b0000 | 0x766bffff | Memory Mapped File | Readable, Writable, Executable | | | | |
lpk.dll | 0x76750000 | 0x76759fff | Memory Mapped File | Readable, Writable, Executable | | | | |
advapi32.dll | 0x76760000 | 0x767fffff | Memory Mapped File | Readable, Writable, Executable | | | | |
msctf.dll | 0x76a00000 | 0x76acbfff | Memory Mapped File | Readable, Writable, Executable | | | | |
imm32.dll | 0x76ad0000 | 0x76b2ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
usp10.dll | 0x76b30000 | 0x76bccfff | Memory Mapped File | Readable, Writable, Executable | | | | |
shlwapi.dll | 0x77100000 | 0x77156fff | Memory Mapped File | Readable, Writable, Executable | | | | |
private_0x0000000077160000 | 0x77160000 | 0x77259fff | Private Memory | Readable, Writable, Executable | | | | |
private_0x0000000077260000 | 0x77260000 | 0x7737efff | Private Memory | Readable, Writable, Executable | | | | |
ntdll.dll | 0x77380000 | 0x77528fff | Memory Mapped File | Readable, Writable, Executable | | | | |
ntdll.dll | 0x77560000 | 0x776dffff | Memory Mapped File | Readable, Writable, Executable | | | | |
pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable | | | | |
private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable | | | | |
private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable | | | | |
private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable | | | | |
private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable | | | | |
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | | | | |
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable | | | | |
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | | | |
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | | | |
private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable | | | | |

Operation | Filename | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Get Info | STD_INPUT_HANDLE | type = file_type | | 1 | Fn |
Get Info | STD_OUTPUT_HANDLE | type = file_type | | 1 | Fn |
Get Info | STD_ERROR_HANDLE | type = file_type | | 1 | Fn |
Open | STD_INPUT_HANDLE | | | 1 | Fn |
Open | STD_OUTPUT_HANDLE | | | 1 | Fn |
Open | STD_ERROR_HANDLE | | | 1 | Fn |

Operation | Key | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors | | | 2 | Fn |

Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | os_pid = 0xa24, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE | | 1 | Fn |

Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Get Context | c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | os_tid = 0x9f8 | | 1 | Fn |
Set Context | c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | os_tid = 0x9f8 | | 1 | Fn |
Resume | c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | os_tid = 0x9f8 | | 1 | Fn |

Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Allocate | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | address = 0x34c0004, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 55337240 | | 1 | Fn |
Write | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | address = 0x400000, size = 512 | | 1 | Fn, Data |
Write | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | address = 0x400000, size = 1 | | 1 | Fn, Data |
Write | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | address = 0x401000, size = 141824 | | 1 | Fn, Data |
Write | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | address = 0x7efde008, size = 4 | | 1 | Fn, Data |

Operation | Module | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Load | OLEAUT32.DLL | base_address = 0x763e0000 | | 1 | Fn |
Load | SXS.DLL | base_address = 0x74ec0000 | | 1 | Fn |
Load | ADVAPI32.DLL | base_address = 0x76760000 | | 2 | Fn |
Load | user32 | base_address = 0x75120000 | | 5 | Fn |
Load | winspool.drv | base_address = 0x74e60000 | | 1 | Fn |
Load | Msvbvm60.dll | base_address = 0x72940000 | | 1 | Fn |
Load | kernel32 | base_address = 0x765b0000 | | 18 | Fn |
Load | advapi32 | base_address = 0x76760000 | | 1 | Fn |
Load | shell32 | base_address = 0x75790000 | | 1 | Fn |
Load | ntdll | base_address = 0x77560000 | | 8 | Fn |
Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x765b0000 | | 2 | Fn |
Get Handle | c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | base_address = 0x400000 | | 1 | Fn |
Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x763e0000 | | 1 | Fn |
Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x75570000 | | 1 | Fn |
Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x75120000 | | 1 | Fn |
Get Filename | | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe, size = 260 | | 3 | Fn |
Get Filename | | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 | | 3 | Fn |
Get Filename | c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe, size = 260 | | 2 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = IsTNT, address_out = 0x0 | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x765c5235 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = OleLoadPictureEx, address_out = 0x764470a1 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = DispCallFunc, address_out = 0x763f3dcf | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = LoadTypeLibEx, address_out = 0x763f07b7 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = UnRegisterTypeLib, address_out = 0x76411ca9 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = CreateTypeLib2, address_out = 0x763f8e70 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromUdate, address_out = 0x763f7684 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarUdateFromDate, address_out = 0x763fcc98 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = GetAltMonthNames, address_out = 0x7642903a | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNumFromParseNum, address_out = 0x763f6231 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarParseNumFromStr, address_out = 0x763f5fea | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromR4, address_out = 0x76403f94 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromR8, address_out = 0x76404e9e | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromDate, address_out = 0x7642db72 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromI4, address_out = 0x76412a8c | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromCy, address_out = 0x7642d737 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromDec, address_out = 0x7642e015 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = GetRecordInfoFromTypeInfo, address_out = 0x7642cc3d | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = GetRecordInfoFromGuids, address_out = 0x7642d1c4 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetRecordInfo, address_out = 0x7642d48c | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArraySetRecordInfo, address_out = 0x7642d4c6 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetIID, address_out = 0x7642d509 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArraySetIID, address_out = 0x763fe7bb | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCopyData, address_out = 0x763fe496 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayAllocDescriptorEx, address_out = 0x763fddf1 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCreateEx, address_out = 0x7642d53f | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormat, address_out = 0x76432055 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatDateTime, address_out = 0x764320ea | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatNumber, address_out = 0x76432151 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatPercent, address_out = 0x764321f5 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatCurrency, address_out = 0x76432288 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarWeekdayName, address_out = 0x76432335 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMonthName, address_out = 0x764323d5 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x76405934 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x76405a98 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCat, address_out = 0x764059b4 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x7645e405 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarEqv, address_out = 0x7645ef07 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x7645f00a | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarImp, address_out = 0x7645ef47 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x7645f15e | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x7645dbd4 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x7645ecfa | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarPow, address_out = 0x7645ea66 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x7645d332 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x7645ee2e | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAbs, address_out = 0x7645ca11 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFix, address_out = 0x7645cc5f | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarInt, address_out = 0x7645cde7 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x7645c802 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x7645ec66 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarRound, address_out = 0x7645d155 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x763fb0dc | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecAdd, address_out = 0x76415f3e | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecCmp, address_out = 0x76404fd0 | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrCat, address_out = 0x76400d2c | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyMulI4, address_out = 0x764159ed | | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrCmp, address_out = 0x763ef8b8 | | 1 | Fn |
Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x755b9d4e | | 1 | Fn |
Get Address | c:\windows\syswow64\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x75580782 | | 1 | Fn |
Get Address | c:\windows\syswow64\sxs.dll | function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x74f07685 | | 1 | Fn |
Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x75137d2f | | 1 | Fn |
Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromWindow, address_out = 0x75143150 | | 1 | Fn |
Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromRect, address_out = 0x7515e7a0 | | 1 | Fn |
Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromPoint, address_out = 0x75145281 | | 1 | Fn |
Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x7514451a | | 1 | Fn |
Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x75144413 | | 1 | Fn |
Get Address | c:\windows\syswow64\advapi32.dll | function = CloseEventLog, address_out = 0x767677c3 | | 1 | Fn |
Get Address | c:\windows\syswow64\advapi32.dll | function = SetAclInformation, address_out = 0x767a34e3 | | 1 | Fn |
Get Address | c:\windows\syswow64\user32.dll | function = CreateDialogIndirectParamA, address_out = 0x7514b029 | | 1 | Fn |
Get Address | c:\windows\syswow64\winspool.drv | function = DeletePrintProcessorA, address_out = 0x74e68aff | | 1 | Fn |
Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExA, address_out = 0x7513d22e | | 1 | Fn |
Get Address | c:\windows\syswow64\user32.dll | function = ShowWindow, address_out = 0x75140dfb | | 1 | Fn |
Get Address | c:\windows\syswow64\msvbvm60.dll | function = rtcDoEvents, address_out = 0x72a0e0f7 | | 1 | Fn |
Get Address | c:\windows\syswow64\user32.dll | function = EnumWindows, address_out = 0x7513d1cf | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x765c1856 | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x765c110c | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x765c10ff | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x765c1b00 | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x765c11a9 | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAllocEx, address_out = 0x765dd9b0 | | 1 | Fn |
Get Address | c:\windows\syswow64\user32.dll | function = GetCursorPos, address_out = 0x75141218 | | 1 | Fn |
Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x76774907 | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x765c1410 | | 1 | Fn |
Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x757a3c71 | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x765c1282 | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x765c3f5c | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x765dd802 | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x766445bf | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x765c103d | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathW, address_out = 0x765dd4dc | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x765ca315 | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x765c196e | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x765c3ed3 | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x765c5223 | | 1 | Fn |
Get Address | c:\windows\syswow64\ntdll.dll | function = NtAllocateVirtualMemory, address_out = 0x7757fab0 | | 1 | Fn |
Get Address | c:\windows\syswow64\ntdll.dll | function = NtWriteVirtualMemory, address_out = 0x7757fe04 | | 1 | Fn |
Get Address | c:\windows\syswow64\ntdll.dll | function = NtTerminateThread, address_out = 0x77580074 | | 1 | Fn |
Get Address | c:\windows\syswow64\ntdll.dll | function = NtOpenEvent, address_out = 0x7757fe98 | | 1 | Fn |
Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x7757fc70 | | 1 | Fn |
Get Address | c:\windows\syswow64\ntdll.dll | function = NtGetContextThread, address_out = 0x77580c20 | | 1 | Fn |
Get Address | c:\windows\syswow64\ntdll.dll | function = NtSetContextThread, address_out = 0x77581910 | | 1 | Fn |
Get Address | c:\windows\syswow64\ntdll.dll | function = NtResumeThread, address_out = 0x77580058 | | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x765d174d | | 1 | Fn |

Operation | Window Name | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | | class_name = ThunderRT6Main, wndproc_parameter = 0 | | 1 | Fn |
Create | | class_name = VBMsoStdCompMgr, wndproc_parameter = 0 | | 1 | Fn |
Create | | class_name = VBFocusRT6, wndproc_parameter = 0 | | 1 | Fn |
Create | Southlander | wndproc_parameter = 0 | | 1 | Fn |
Create | Southlander | wndproc_parameter = 0 | | 1 | Fn |
Create | çSÌ¥’ËhєÃ7¯¸X ²B | class_name = STATIC, wndproc_parameter = 0 | | 1 | Fn |
Set Attribute | | class_name = VBMsoStdCompMgr, index = 0, new_long = 5185692 | | 1 | Fn |
Set Attribute | Southlander | index = 18446744073709551600, new_long = 114229248 | | 1 | Fn |
Set Attribute | Southlander | index = 18446744073709551596, new_long = 256 | | 1 | Fn |

Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 | | 1 | Fn |

Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Get Cursor | x_out = 431, y_out = 118 | | 525 | Fn |
Get Cursor | x_out = 1040, y_out = 843 | | 1 | Fn |
Sleep | duration = 0 milliseconds (0.000 seconds) | | 3 | Fn |
Sleep | duration = 2000 milliseconds (2.000 seconds) | | 1 | Fn |
Sleep | duration = 1 milliseconds (0.001 seconds) | | 525 | Fn |
Get Time | type = Ticks, time = 59529 | | 3 | Fn |
Get Time | type = Ticks, time = 59576 | | 6 | Fn |
Get Time | type = Ticks, time = 66066 | | 1 | Fn |
Get Time | type = Ticks, time = 74646 | | 1 | Fn |
Get Time | type = Ticks, time = 76658 | | 1 | Fn |
Get Info | type = Operating System | | 3 | Fn |
Get Info | type = Operating System | | 2 | Fn |
Get Info | type = Hardware Information | | 1 | Fn |

Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Create | | | 1 | Fn |

Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Get Environment String | | | 1 | Fn, Data |

Information | Value |
---|---|
ID | #2 |
File Name | c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe |
Command Line | "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe" |
Initial Working Directory | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\ |
Monitor | Start Time: 00:00:51, Reason: Child Process |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:04:30 |
Information | Value |
---|---|
PID | 0xa24 |
Parent PID | 0x9f4 (c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe) |
Is Created or Modified Executable | |
Integrity Level | High (Elevated) |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege |
Thread IDs | 0xA28, 0xA2C |
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable | | | | |
private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | | | | |
private_0x0000000000030000 | 0x00030000 | 0x0003dfff | Private Memory | Readable, Writable, Executable | | | | |
apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | | | | |
private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable | | | | |
locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable | | | | |
private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000250000 | 0x00250000 | 0x00273fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
private_0x0000000000280000 | 0x00280000 | 0x0028dfff | Private Memory | Readable, Writable, Executable | | | | |
imm32.dll | 0x00290000 | 0x002adfff | Memory Mapped File | Readable | | | | |
private_0x0000000000290000 | 0x00290000 | 0x00290fff | Private Memory | Readable, Writable | | | | |
private_0x00000000002a0000 | 0x002a0000 | 0x002a0fff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000002b0000 | 0x002b0000 | 0x002d3fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
pagefile_0x00000000002e0000 | 0x002e0000 | 0x002f3fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
private_0x0000000000300000 | 0x00300000 | 0x0037ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000400000 | 0x00400000 | 0x00423fff | Private Memory | Readable, Writable, Executable | | | | |
private_0x0000000000430000 | 0x00430000 | 0x0052ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000590000 | 0x00590000 | 0x0068ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000690000 | 0x00690000 | 0x00810fff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000690000 | 0x00690000 | 0x0071afff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
private_0x0000000000820000 | 0x00820000 | 0x00b22fff | Private Memory | Readable, Writable, Executable | | | | |
private_0x0000000000b30000 | 0x00b30000 | 0x00cdffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000b30000 | 0x00b30000 | 0x00cb7fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000000cd0000 | 0x00cd0000 | 0x00cdffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000ce0000 | 0x00ce0000 | 0x00e60fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000e70000 | 0x00e70000 | 0x0226ffff | Pagefile Backed Memory | Readable | | | | |
wow64win.dll | 0x73a70000 | 0x73acbfff | Memory Mapped File | Readable, Writable, Executable | | | | |
wow64.dll | 0x73ad0000 | 0x73b0efff | Memory Mapped File | Readable, Writable, Executable | | | | |
wow64cpu.dll | 0x73b40000 | 0x73b47fff | Memory Mapped File | Readable, Writable, Executable | | | | |
cryptbase.dll | 0x750b0000 | 0x750bbfff | Memory Mapped File | Readable, Writable, Executable | | | | |
sspicli.dll | 0x750c0000 | 0x7511ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
user32.dll | 0x75120000 | 0x7521ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
sechost.dll | 0x75240000 | 0x75258fff | Memory Mapped File | Readable, Writable, Executable | | | | |
msvcrt.dll | 0x75260000 | 0x7530bfff | Memory Mapped File | Readable, Writable, Executable | | | | |
kernelbase.dll | 0x75320000 | 0x75365fff | Memory Mapped File | Readable, Writable, Executable | | | | |
rpcrt4.dll | 0x753c0000 | 0x754affff | Memory Mapped File | Readable, Writable, Executable | | | | |
gdi32.dll | 0x754e0000 | 0x7556ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
kernel32.dll | 0x765b0000 | 0x766bffff | Memory Mapped File | Readable, Writable, Executable | | | | |
lpk.dll | 0x76750000 | 0x76759fff | Memory Mapped File | Readable, Writable, Executable | | | | |
advapi32.dll | 0x76760000 | 0x767fffff | Memory Mapped File | Readable, Writable, Executable | | | | |
msctf.dll | 0x76a00000 | 0x76acbfff | Memory Mapped File | Readable, Writable, Executable | | | | |
imm32.dll | 0x76ad0000 | 0x76b2ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
usp10.dll | 0x76b30000 | 0x76bccfff | Memory Mapped File | Readable, Writable, Executable | | | | |
private_0x0000000077160000 | 0x77160000 | 0x77259fff | Private Memory | Readable, Writable, Executable | | | | |
private_0x0000000077260000 | 0x77260000 | 0x7737efff | Private Memory | Readable, Writable, Executable | | | | |
ntdll.dll | 0x77380000 | 0x77528fff | Memory Mapped File | Readable, Writable, Executable | | | | |
ntdll.dll | 0x77560000 | 0x776dffff | Memory Mapped File | Readable, Writable, Executable | | | | |
pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable | | | | |
private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable | | | | |
private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable | | | | |
private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable | | | | |
private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable | | | | |
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | | | | |
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable | | | | |
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | | | |
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | | | |
private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable | | | | |

Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
---|---|---|---|---|---|---|
Modify Memory | #1: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | 0x9f8 | address = 0x400000, size = 512 | | 1 | Fn, Data |
Modify Memory | #1: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | 0x9f8 | address = 0x400000, size = 1 | | 1 | Fn, Data |
Modify Memory | #1: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | 0x9f8 | address = 0x401000, size = 141824 | | 1 | Fn, Data |
Modify Memory | #1: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | 0x9f8 | address = 0x7efde008, size = 4 | | 1 | Fn, Data |
Modify Control Flow | #1: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | 0x9f8 | os_tid = 0xa28, address = 0x775701c4 | | 1 | Fn |
Operation | Filename | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 2 | Fn |
Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Windows\SysWOW64\msiexec.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended | | 2 | Fn |
Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended | | 1 | Fn |
Get Info | \??\C:\Windows\SysWOW64\msiexec.exe | type = extended | | 1 | Fn |
Read | \??\C:\Windows\SysWOW64\ntdll.dll | offset = 0, size = 1292096 | | 1 | Fn |
Read | \??\C:\Windows\SysWOW64\msiexec.exe | offset = 0, size = 73216 | | 1 | Fn, Data |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Get Info | c:\windows\explorer.exe | type = PROCESS_WOW64_INFORMATION | | 1 | Fn |
Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION | | 1 | Fn |
Get Info | c:\windows\syswow64\msiexec.exe | type = PROCESS_BASIC_INFORMATION | | 1 | Fn |
Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION | | 1 | Fn |
Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION | | 1 | Fn |
Open | c:\windows\syswow64\msiexec.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION | | 1 | Fn |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Open | c:\windows\explorer.exe | os_tid = 0x568 | | 1 | Fn |
Open | c:\windows\syswow64\msiexec.exe | os_tid = 0xa3c | | 1 | Fn |
Suspend | c:\windows\explorer.exe | os_tid = 0x568 | | 1 | Fn |
Get Context | c:\windows\explorer.exe | os_tid = 0x568 | | 1 | Fn |
Queue APC | c:\windows\explorer.exe | os_tid = 0x568 | | 1 | Fn |
Set Context | c:\windows\explorer.exe | os_tid = 0x568 | | 1 | Fn |
Resume | c:\windows\explorer.exe | os_tid = 0x568 | | 1 | Fn |
Resume | c:\windows\syswow64\msiexec.exe | os_tid = 0xa3c | | 1 | Fn |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Read | c:\windows\explorer.exe | address = 0x7fffffdf000, size = 64 | | 1 | Fn, Data |
Read | c:\windows\explorer.exe | address = 0x2e0b000, size = 680 | | 1 | Fn, Data |
Read | c:\windows\syswow64\msiexec.exe | address = 0x7efde008, size = 4 | | 1 | Fn, Data |
Read | c:\windows\syswow64\msiexec.exe | address = 0x9e0000, size = 81920 | | 1 | Fn, Data |
Operation | Module | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Load | advapi32.dll | base_address = 0x0 | | 1 | Fn |
Load | user32.dll | base_address = 0x0 | | 1 | Fn |

Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1633256 | | 1 | Fn |
Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1631500 | | 1 | Fn |
Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1633256 | | 1 | Fn |
Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1633272 | | 1 | Fn |
Map | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x250000 | | 1 | Fn |
Map | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x690000 | | 1 | Fn |
Map | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2dc0000 | | 1 | Fn |
Map | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2b0000 | | 1 | Fn |
Map | process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xd0000 | | 1 | Fn |
Map | process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2e0000 | | 1 | Fn |
Map | process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9e0000 | | 1 | Fn |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Sleep | duration = 1630732 milliseconds (1630.732 seconds) | | 1 | Fn |
Get Info | type = SYSTEM_PROCESS_INFORMATION | | 2 | Fn |

Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Set Environment String | name = L53886-W, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe, environment = 0 | | 1 | Fn |

Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Check for Presence | c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | | | 1 | Fn |
Information | Value |
---|---|
ID | #3 |
File Name | c:\windows\explorer.exe |
Command Line | C:\Windows\Explorer.EXE |
Initial Working Directory | C:\Windows\system32\ |
Monitor | Start Time: 00:00:52, Reason: Injection |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:04:29 |

Information | Value |
---|---|
PID | 0x564 |
Parent PID | 0xffffffffffffffff (Unknown) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs | 0x540, 0x5A4, 0x758, 0x774, 0x73C, 0x71C, 0x718, 0x704, 0x278, 0x6BC, 0x6EC, 0x480, 0x47C, 0x7D4, 0x7D0, 0x734, 0x6B0, 0x67C, 0x678, 0x674, 0x670, 0x66C, 0x660, 0x65C, 0x654, 0x630, 0x59C, 0x598, 0x594, 0x590, 0x58C, 0x570, 0x568, 0xA7C, 0xB10, 0xB5C, 0xB60, 0xB88 |
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable | | | | |
pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | Readable | | | | |
locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable | | | | |
pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | Readable, Writable | | | | |
private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable | | | | |
private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000100000 | 0x00100000 | 0x00100fff | Pagefile Backed Memory | Readable, Writable | | | | |
private_0x0000000000110000 | 0x00110000 | 0x0018ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000190000 | 0x00190000 | 0x001cffff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d1fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x00000000001f0000 | 0x001f0000 | 0x001f1fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000000200000 | 0x00200000 | 0x00217fff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000220000 | 0x00220000 | 0x00220fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000000230000 | 0x00230000 | 0x00230fff | Private Memory | Readable, Writable | | | | |
private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000450000 | 0x00450000 | 0x005d7fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x00000000005e0000 | 0x005e0000 | 0x00760fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000770000 | 0x00770000 | 0x01b6ffff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000001b70000 | 0x01b70000 | 0x01f62fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000001f70000 | 0x01f70000 | 0x01f8bfff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000001f90000 | 0x01f90000 | 0x01f92fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000001fa0000 | 0x01fa0000 | 0x01fa4fff | Private Memory | Readable, Writable | | | | |
private_0x0000000001fb0000 | 0x01fb0000 | 0x01fbffff | Private Memory | Readable, Writable | | | | |
private_0x0000000001fc0000 | 0x01fc0000 | 0x01fc0fff | Private Memory | Readable, Writable | | | | |
private_0x0000000001fd0000 | 0x01fd0000 | 0x0204ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002050000 | 0x02050000 | 0x020cffff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000020d0000 | 0x020d0000 | 0x021aefff | Pagefile Backed Memory | Readable | | | | |
sortdefault.nls | 0x021b0000 | 0x0247efff | Memory Mapped File | Readable | | | | |
pagefile_0x0000000002480000 | 0x02480000 | 0x02481fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000002490000 | 0x02490000 | 0x02491fff | Pagefile Backed Memory | Readable | | | | |
comctl32.dll.mui | 0x024a0000 | 0x024a2fff | Memory Mapped File | Readable, Writable | | | | |
private_0x00000000024b0000 | 0x024b0000 | 0x024b0fff | Private Memory | Readable, Writable | | | | |
private_0x00000000024c0000 | 0x024c0000 | 0x024dbfff | Private Memory | Readable, Writable | | | | |
private_0x00000000024e0000 | 0x024e0000 | 0x024e0fff | Private Memory | Readable, Writable | | | | |
private_0x00000000024f0000 | 0x024f0000 | 0x0256ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002570000 | 0x02570000 | 0x02578fff | Private Memory | Readable, Writable | | | | |
private_0x0000000002580000 | 0x02580000 | 0x025dffff | Private Memory | Readable, Writable | | | | |
private_0x00000000025e0000 | 0x025e0000 | 0x0264bfff | Private Memory | Readable, Writable | | | | |
private_0x0000000002650000 | 0x02650000 | 0x0274ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002750000 | 0x02750000 | 0x0277ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002780000 | 0x02780000 | 0x0278ffff | Private Memory | | | | | |
private_0x0000000002790000 | 0x02790000 | 0x0279ffff | Private Memory | Readable, Writable | | | | |
private_0x00000000027a0000 | 0x027a0000 | 0x027affff | Private Memory | Readable, Writable | | | | |
private_0x00000000027b0000 | 0x027b0000 | 0x027bffff | Private Memory | Readable, Writable | | | | |
private_0x00000000027c0000 | 0x027c0000 | 0x027cffff | Private Memory | Readable, Writable | | | | |
private_0x00000000027d0000 | 0x027d0000 | 0x027dffff | Private Memory | Readable, Writable | | | | |
private_0x00000000027e0000 | 0x027e0000 | 0x027effff | Private Memory | Readable, Writable | | | | |
private_0x00000000027f0000 | 0x027f0000 | 0x027fffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002800000 | 0x02800000 | 0x0280ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002810000 | 0x02810000 | 0x0281ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002820000 | 0x02820000 | 0x0282ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002830000 | 0x02830000 | 0x0292ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000002930000 | 0x02930000 | 0x02931fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000002940000 | 0x02940000 | 0x02940fff | Private Memory | Readable, Writable | | | | |
private_0x0000000002950000 | 0x02950000 | 0x02950fff | Private Memory | Readable, Writable | | | | |
private_0x0000000002960000 | 0x02960000 | 0x02967fff | Private Memory | Readable, Writable | | | | |
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db | 0x02970000 | 0x0299ffff | Memory Mapped File | Readable | | | | |
pagefile_0x00000000029a0000 | 0x029a0000 | 0x029a0fff | Pagefile Backed Memory | Readable, Writable | | | | |
cversions.2.db | 0x029b0000 | 0x029b3fff | Memory Mapped File | Readable | | | | |
cversions.2.db | 0x029c0000 | 0x029c3fff | Memory Mapped File | Readable | | | | |
pagefile_0x00000000029d0000 | 0x029d0000 | 0x029d1fff | Pagefile Backed Memory | Readable | | | | |
private_0x00000000029e0000 | 0x029e0000 | 0x029effff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000029f0000 | 0x029f0000 | 0x029f1fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000002a00000 | 0x02a00000 | 0x02a47fff | Private Memory | Readable, Writable | | | | |
private_0x0000000002a50000 | 0x02a50000 | 0x02a53fff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000002a60000 | 0x02a60000 | 0x02a61fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000002a70000 | 0x02a70000 | 0x02a73fff | Private Memory | Readable, Writable | | | | |
private_0x0000000002a80000 | 0x02a80000 | 0x02b7ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002b80000 | 0x02b80000 | 0x02c7ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000002c90000 | 0x02c90000 | 0x02c90fff | Pagefile Backed Memory | Readable, Writable | | | | |
pagefile_0x0000000002ca0000 | 0x02ca0000 | 0x02ca1fff | Pagefile Backed Memory | Readable | | | | |
wininet.dll.mui | 0x02cb0000 | 0x02cbcfff | Memory Mapped File | Readable, Writable | | | | |
index.dat | 0x02cc0000 | 0x02cc7fff | Memory Mapped File | Readable, Writable | | | | |
index.dat | 0x02cd0000 | 0x02cd3fff | Memory Mapped File | Readable, Writable | | | | |
index.dat | 0x02ce0000 | 0x02ceffff | Memory Mapped File | Readable, Writable | | | | |
index.dat | 0x02cf0000 | 0x02cfffff | Memory Mapped File | Readable, Writable | | | | |
pagefile_0x0000000002d00000 | 0x02d00000 | 0x02d00fff | Pagefile Backed Memory | Readable, Writable | | | | |
thumbcache_1024.db | 0x02d90000 | 0x02d90fff | Memory Mapped File | Readable, Writable | | | | |
thumbcache_sr.db | 0x02da0000 | 0x02da0fff | Memory Mapped File | Readable, Writable | | | | |
thumbcache_idx.db | 0x02db0000 | 0x02db0fff | Memory Mapped File | Readable, Writable | | | | |
pagefile_0x0000000002dc0000 | 0x02dc0000 | 0x02e4afff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
pagefile_0x0000000002e80000 | 0x02e80000 | 0x031c2fff | Pagefile Backed Memory | Readable | | | | |
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db | 0x031d0000 | 0x031fffff | Memory Mapped File | Readable | | | | |
private_0x0000000003200000 | 0x03200000 | 0x03200fff | Private Memory | Readable, Writable | | | | |
private_0x0000000003210000 | 0x03210000 | 0x03213fff | Private Memory | Readable, Writable | | | | |
private_0x0000000003220000 | 0x03220000 | 0x0329ffff | Private Memory | Readable, Writable | | | | |
private_0x00000000032a0000 | 0x032a0000 | 0x0331ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000003320000 | 0x03320000 | 0x03320fff | Private Memory | Readable, Writable | | | | |
private_0x0000000003330000 | 0x03330000 | 0x033affff | Private Memory | Readable, Writable | | | | |
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x033b0000 | 0x03415fff | Memory Mapped File | Readable | | | | |
private_0x0000000003420000 | 0x03420000 | 0x03420fff | Private Memory | Readable, Writable | | | | |
private_0x0000000003430000 | 0x03430000 | 0x034affff | Private Memory | Readable, Writable | | | | |
private_0x00000000034b0000 | 0x034b0000 | 0x034b0fff | Private Memory | Readable, Writable | | | | |
private_0x00000000034c0000 | 0x034c0000 | 0x034c0fff | Private Memory | Readable, Writable | | | | |
thumbcache_1024.db | 0x034d0000 | 0x034d0fff | Memory Mapped File | Readable, Writable | | | | |
pagefile_0x00000000034e0000 | 0x034e0000 | 0x034e1fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x00000000034f0000 | 0x034f0000 | 0x034f0fff | Pagefile Backed Memory | Readable, Writable | | | | |
pagefile_0x0000000003500000 | 0x03500000 | 0x03501fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000003510000 | 0x03510000 | 0x03510fff | Private Memory | Readable, Writable | | | | |
private_0x0000000003520000 | 0x03520000 | 0x0359ffff | Private Memory | Readable, Writable | | | | |
staticcache.dat | 0x035a0000 | 0x03ecffff | Memory Mapped File | Readable | | | | |
pagefile_0x0000000003ed0000 | 0x03ed0000 | 0x03ed1fff | Pagefile Backed Memory | Readable | | | | |
cversions.2.db | 0x03ee0000 | 0x03ee3fff | Memory Mapped File | Readable | | | | |
private_0x0000000003ef0000 | 0x03ef0000 | 0x03ef0fff | Private Memory | Readable, Writable, Executable | | | | |
pagefile_0x0000000003f00000 | 0x03f00000 | 0x03f01fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000003f10000 | 0x03f10000 | 0x03f11fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000003f20000 | 0x03f20000 | 0x03f21fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000003f30000 | 0x03f30000 | 0x03f30fff | Private Memory | Readable, Writable | | | | |
private_0x0000000003f40000 | 0x03f40000 | 0x03f40fff | Private Memory | Readable, Writable | | | | |
private_0x0000000003f50000 | 0x03f50000 | 0x03f50fff | Private Memory | Readable, Writable | | | | |
private_0x0000000003f60000 | 0x03f60000 | 0x03fdffff | Private Memory | Readable, Writable | | | | |
private_0x0000000003fe0000 | 0x03fe0000 | 0x03fe0fff | Private Memory | Readable, Writable | | | | |
private_0x0000000003ff0000 | 0x03ff0000 | 0x03ff0fff | Private Memory | Readable, Writable | | | | |
private_0x0000000004000000 | 0x04000000 | 0x04000fff | Private Memory | Readable, Writable | | | | |
cversions.2.db | 0x04010000 | 0x04013fff | Memory Mapped File | Readable | | | | |
{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db | 0x04020000 | 0x04020fff | Memory Mapped File | Readable | | | | |
cversions.2.db | 0x04030000 | 0x04033fff | Memory Mapped File | Readable | | | | |
private_0x0000000004040000 | 0x04040000 | 0x040bffff | Private Memory | Readable, Writable | | | | |
{3978ea0a-1c7e-4449-8ae1-e1265f039002}.2.ver0x0000000000000003.db | 0x040c0000 | 0x040c0fff | Memory Mapped File | Readable | | | | |
cversions.2.db | 0x040d0000 | 0x040d3fff | Memory Mapped File | Readable | | | | |
{4e36ea69-73d1-4458-9d16-50f8e31a69a0}.2.ver0x0000000000000001.db | 0x040e0000 | 0x040e0fff | Memory Mapped File | Readable | | | | |
private_0x00000000040f0000 | 0x040f0000 | 0x040f0fff | Private Memory | Readable, Writable | | | | |
private_0x0000000004100000 | 0x04100000 | 0x04100fff | Private Memory | Readable, Writable | | | | |
private_0x0000000004110000 | 0x04110000 | 0x04110fff | Private Memory | Readable, Writable | | | | |
private_0x0000000004120000 | 0x04120000 | 0x04120fff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000004130000 | 0x04130000 | 0x04131fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000004140000 | 0x04140000 | 0x041bffff | Private Memory | Readable, Writable | | | | |
private_0x00000000041c0000 | 0x041c0000 | 0x0420ffff | Private Memory | Readable, Writable | | | | |
thumbcache_sr.db | 0x04210000 | 0x04210fff | Memory Mapped File | Readable, Writable | | | | |
private_0x0000000004220000 | 0x04220000 | 0x0429ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000042a0000 | 0x042a0000 | 0x042a0fff | Pagefile Backed Memory | Readable | | | | |
wdmaud.drv.mui | 0x042b0000 | 0x042b0fff | Memory Mapped File | Readable, Writable | | | | |
mmdevapi.dll.mui | 0x042c0000 | 0x042c0fff | Memory Mapped File | Readable, Writable | | | | |
private_0x00000000042d0000 | 0x042d0000 | 0x042d1fff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000042e0000 | 0x042e0000 | 0x042e1fff | Pagefile Backed Memory | Readable | | | | |
oleaccrc.dll | 0x042f0000 | 0x042f0fff | Memory Mapped File | Readable | | | | |
pagefile_0x0000000004300000 | 0x04300000 | 0x04301fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000004310000 | 0x04310000 | 0x04310fff | Pagefile Backed Memory | Readable, Writable | | | | |
thumbcache_idx.db | 0x04320000 | 0x04320fff | Memory Mapped File | Readable, Writable | | | | |
private_0x0000000004330000 | 0x04330000 | 0x04362fff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000004370000 | 0x04370000 | 0x04370fff | Pagefile Backed Memory | Readable, Writable | | | | |
private_0x0000000004380000 | 0x04380000 | 0x04382fff | Private Memory | Readable, Writable | | | | |
private_0x0000000004390000 | 0x04390000 | 0x0440ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000004410000 | 0x04410000 | 0x04410fff | Private Memory | Readable, Writable | | | | |

For performance reasons, the remaining 264 entries are omitted. The remaining entries can be found in flog.txt.
Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
---|---|---|---|---|---|---|
Modify Memory | #2: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | 0xa28 | address = 0x2dc0000, size = 569344 | | 1 | Fn |
Modify Control Flow | #2: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | 0xa28 | os_tid = 0x568, address = 0x7 | | 1 | Fn |
Modify Control Flow | #2: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | 0xa28 | os_tid = 0x568, address = 0x2dd8ead | | 1 | Fn |
Modify Memory | #5: c:\windows\syswow64\msiexec.exe | 0xa3c | address = 0x9b50000, size = 5120000 | | 1 | Fn |
Modify Memory | #5: c:\windows\syswow64\msiexec.exe | 0xa3c | address = 0x2d10000, size = 466944 | | 1 | Fn |
Modify Control Flow | #5: c:\windows\syswow64\msiexec.exe | 0xa3c | os_tid = 0x568, address = 0xf | | 1 | Fn |
Modify Control Flow | #5: c:\windows\syswow64\msiexec.exe | 0xa3c | os_tid = 0x568, address = 0x2d26e96 | | 1 | Fn |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | C:\Windows\SysWOW64\autofmt.exe | os_pid = 0x0, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE | | 1 | Fn |
Create | C:\Windows\SysWOW64\msiexec.exe | os_pid = 0xa38, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE | | 1 | Fn |

Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Create | mutex_name = S-1-5-21-3388679-13801793209033 | | 1 | Fn |
Information | Value |
---|---|
ID | #4 |
File Name | c:\windows\syswow64\autofmt.exe |
Command Line | "C:\Windows\SysWOW64\autofmt.exe" |
Initial Working Directory | C:\Windows\system32\ |
Monitor | Start Time: 00:00:57, Reason: Child Process |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:04:24 |
Remarks | No high level activity detected in monitored regions |

Information | Value |
---|---|
PID | 0xa30 |
Parent PID | 0x564 (c:\windows\explorer.exe) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs | 0xA34 |

Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | | | | |
apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | | | | |
private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000200000 | 0x00200000 | 0x0023ffff | Private Memory | Readable, Writable | | | | |
autofmt.exe | 0x00b80000 | 0x00c23fff | Memory Mapped File | Readable, Writable, Executable | | | | |
ntdll.dll | 0x77380000 | 0x77528fff | Memory Mapped File | Readable, Writable, Executable | | | | |
ntdll.dll | 0x77560000 | 0x776dffff | Memory Mapped File | Readable, Writable, Executable | | | | |
pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable | | | | |
private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable | | | | |
private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable | | | | |
private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable | | | | |
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | | | | |
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | | | |
private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable | | | | |
Information | Value |
---|---|
ID | #5 |
File Name | c:\windows\syswow64\msiexec.exe |
Command Line | "C:\Windows\SysWOW64\msiexec.exe" |
Initial Working Directory | C:\Windows\system32\ |
Monitor | Start Time: 00:00:57, Reason: Child Process |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:04:24 |

Information | Value |
---|---|
PID | 0xa38 |
Parent PID | 0x564 (c:\windows\explorer.exe) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs | 0xA3C, 0xA40, 0xA78, 0xB00 |

Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable | | | | |
pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000030000 | 0x00030000 | 0x00031fff | Pagefile Backed Memory | Readable, Writable | | | | |
apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | | | | |
pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000060000 | 0x00060000 | 0x00061fff | Pagefile Backed Memory | Readable | | | | |
msiexec.exe.mui | 0x00070000 | 0x00070fff | Memory Mapped File | Readable, Writable | | | | |
private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable | | | | |
private_0x0000000000090000 | 0x00090000 | 0x000cffff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000000d0000 | 0x000d0000 | 0x000f3fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
private_0x0000000000100000 | 0x00100000 | 0x00100fff | Private Memory | Readable, Writable | | | | |
private_0x0000000000110000 | 0x00110000 | 0x0011ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000110000 | 0x00110000 | 0x00133fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000140000 | 0x00140000 | 0x0014ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000150000 | 0x00150000 | 0x00150fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000000150000 | 0x00150000 | 0x00150fff | Private Memory | Readable, Writable | | | | |
private_0x0000000000160000 | 0x00160000 | 0x0019ffff | Private Memory | Readable, Writable | | | | |
private_0x00000000001a0000 | 0x001a0000 | 0x001c3fff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Pagefile Backed Memory | Readable | | | | |
oleaccrc.dll | 0x001e0000 | 0x001e0fff | Memory Mapped File | Readable | | | | |
private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | Readable, Writable | | | | |
private_0x00000000001f0000 | 0x001f0000 | 0x0026ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000270000 | 0x00270000 | 0x00271fff | Pagefile Backed Memory | Readable | | | | |
windowsshell.manifest | 0x00280000 | 0x00280fff | Memory Mapped File | Readable | | | | |
pagefile_0x0000000000280000 | 0x00280000 | 0x00280fff | Pagefile Backed Memory | Readable, Writable | | | | |
pagefile_0x0000000000290000 | 0x00290000 | 0x00291fff | Pagefile Backed Memory | Readable | | | | |
index.dat | 0x002a0000 | 0x002abfff | Memory Mapped File | Readable, Writable | | | | |
index.dat | 0x002b0000 | 0x002b7fff | Memory Mapped File | Readable, Writable | | | | |
private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | Readable, Writable | | | | |
locale.nls | 0x003c0000 | 0x00426fff | Memory Mapped File | Readable | | | | |
private_0x0000000000430000 | 0x00430000 | 0x0046ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000470000 | 0x00470000 | 0x004affff | Private Memory | Readable, Writable | | | | |
index.dat | 0x004b0000 | 0x004b7fff | Memory Mapped File | Readable, Writable | | | | |
private_0x00000000004c0000 | 0x004c0000 | 0x004c0fff | Private Memory | Readable, Writable | | | | |
private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000004f0000 | 0x004f0000 | 0x00677fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000000810000 | 0x00810000 | 0x00874fff | Private Memory | Readable, Writable, Executable | | | | |
private_0x0000000000880000 | 0x00880000 | 0x008e4fff | Private Memory | Readable, Writable, Executable | | | | |
pagefile_0x00000000008f0000 | 0x008f0000 | 0x009cefff | Pagefile Backed Memory | Readable | | | | |
msiexec.exe | 0x009e0000 | 0x009f3fff | Memory Mapped File | Readable, Writable, Executable | | | | |
pagefile_0x00000000009e0000 | 0x009e0000 | 0x009f3fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
pagefile_0x0000000000a00000 | 0x00a00000 | 0x01dfffff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000001e00000 | 0x01e00000 | 0x01f80fff | Private Memory | Readable, Writable | | | | |
private_0x0000000001e00000 | 0x01e00000 | 0x01efafff | Private Memory | Readable, Writable | | | | |
index.dat | 0x01f00000 | 0x01f3ffff | Memory Mapped File | Readable, Writable | | | | |
pagefile_0x0000000001f40000 | 0x01f40000 | 0x01f83fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
private_0x0000000001f90000 | 0x01f90000 | 0x02292fff | Private Memory | Readable, Writable, Executable | | | | |
pagefile_0x00000000022a0000 | 0x022a0000 | 0x02781fff | Pagefile Backed Memory | Readable, Writable | | | | |
private_0x0000000002790000 | 0x02790000 | 0x02984fff | Private Memory | Readable, Writable | | | | |
private_0x00000000027d0000 | 0x027d0000 | 0x0280ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002810000 | 0x02810000 | 0x0284ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002850000 | 0x02850000 | 0x0292ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000002850000 | 0x02850000 | 0x028c1fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
pagefile_0x0000000002850000 | 0x02850000 | 0x028dafff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
|
|||
private_0x00000000028a0000 | 0x028a0000 | 0x028dffff | Private Memory | Readable, Writable |
|
|||
private_0x0000000002920000 | 0x02920000 | 0x0292ffff | Private Memory | Readable, Writable |
|
|||
private_0x0000000002940000 | 0x02940000 | 0x0297ffff | Private Memory | Readable, Writable |
|
|||
private_0x0000000002980000 | 0x02980000 | 0x02a7ffff | Private Memory | Readable, Writable |
|
|||
private_0x0000000002990000 | 0x02990000 | 0x02b9ffff | Private Memory | Readable, Writable |
|
|||
sortdefault.nls | 0x02ba0000 | 0x02e6efff | Memory Mapped File | Readable |
|
|||
pagefile_0x0000000002e70000 | 0x02e70000 | 0x031b2fff | Pagefile Backed Memory | Readable |
|
|||
private_0x00000000031c0000 | 0x031c0000 | 0x036b1fff | Private Memory | Readable, Writable |
|
|||
uxtheme.dll | 0x738b0000 | 0x7392ffff | Memory Mapped File | Readable, Writable, Executable |
|
|||
wow64win.dll | 0x73a70000 | 0x73acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|||
wow64.dll | 0x73ad0000 | 0x73b0efff | Memory Mapped File | Readable, Writable, Executable |
|
|||
wow64cpu.dll | 0x73b40000 | 0x73b47fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
ieframe.dll | 0x73e80000 | 0x748fffff | Memory Mapped File | Readable, Writable, Executable |
|
|||
windowscodecs.dll | 0x74800000 | 0x748fafff | Memory Mapped File | Readable, Writable, Executable |
|
|||
msvcr100.dll | 0x74840000 | 0x748fefff | Memory Mapped File | Readable, Writable, Executable |
|
|||
msi.dll | 0x74900000 | 0x74b3ffff | Memory Mapped File | Readable, Writable, Executable |
|
|||
wsock32.dll | 0x74b80000 | 0x74b86fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
nss3.dll | 0x74b90000 | 0x74d44fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
gdiplus.dll | 0x74bc0000 | 0x74d4ffff | Memory Mapped File | Readable, Writable, Executable |
|
|||
version.dll | 0x74d50000 | 0x74d58fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
ntmarta.dll | 0x74d60000 | 0x74d80fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
profapi.dll | 0x74d90000 | 0x74d9afff | Memory Mapped File | Readable, Writable, Executable |
|
|||
mlang.dll | 0x74da0000 | 0x74dcdfff | Memory Mapped File | Readable, Writable, Executable |
|
|||
comctl32.dll | 0x74dd0000 | 0x74f6dfff | Memory Mapped File | Readable, Writable, Executable |
|
|||
oleacc.dll | 0x74f70000 | 0x74fabfff | Memory Mapped File | Readable, Writable, Executable |
|
|||
winmm.dll | 0x74f70000 | 0x74fa1fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
vaultcli.dll | 0x74fa0000 | 0x74fabfff | Memory Mapped File | Readable, Writable, Executable |
|
|||
cryptbase.dll | 0x750b0000 | 0x750bbfff | Memory Mapped File | Readable, Writable, Executable |
|
|||
sspicli.dll | 0x750c0000 | 0x7511ffff | Memory Mapped File | Readable, Writable, Executable |
|
|||
user32.dll | 0x75120000 | 0x7521ffff | Memory Mapped File | Readable, Writable, Executable |
|
|||
sechost.dll | 0x75240000 | 0x75258fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
msvcrt.dll | 0x75260000 | 0x7530bfff | Memory Mapped File | Readable, Writable, Executable |
|
|||
kernelbase.dll | 0x75320000 | 0x75365fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
psapi.dll | 0x75370000 | 0x75374fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
ws2_32.dll | 0x75380000 | 0x753b4fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
rpcrt4.dll | 0x753c0000 | 0x754affff | Memory Mapped File | Readable, Writable, Executable |
|
|||
gdi32.dll | 0x754e0000 | 0x7556ffff | Memory Mapped File | Readable, Writable, Executable |
|
|||
ole32.dll | 0x75570000 | 0x756cbfff | Memory Mapped File | Readable, Writable, Executable |
|
|||
clbcatq.dll | 0x756d0000 | 0x75752fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
shell32.dll | 0x75790000 | 0x763d9fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
oleaut32.dll | 0x763e0000 | 0x7646efff | Memory Mapped File | Readable, Writable, Executable |
|
|||
urlmon.dll | 0x76470000 | 0x765a5fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
kernel32.dll | 0x765b0000 | 0x766bffff | Memory Mapped File | Readable, Writable, Executable |
|
|||
lpk.dll | 0x76750000 | 0x76759fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
advapi32.dll | 0x76760000 | 0x767fffff | Memory Mapped File | Readable, Writable, Executable |
|
|||
crypt32.dll | 0x768e0000 | 0x769fcfff | Memory Mapped File | Readable, Writable, Executable |
|
|||
msctf.dll | 0x76a00000 | 0x76acbfff | Memory Mapped File | Readable, Writable, Executable |
|
|||
imm32.dll | 0x76ad0000 | 0x76b2ffff | Memory Mapped File | Readable, Writable, Executable |
|
|||
usp10.dll | 0x76b30000 | 0x76bccfff | Memory Mapped File | Readable, Writable, Executable |
|
|||
nsi.dll | 0x76bd0000 | 0x76bd5fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
wininet.dll | 0x76be0000 | 0x76cd4fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
wldap32.dll | 0x76ce0000 | 0x76d24fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
iertutil.dll | 0x76d30000 | 0x76f2afff | Memory Mapped File | Readable, Writable, Executable |
|
|||
shlwapi.dll | 0x77100000 | 0x77156fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
private_0x0000000077160000 | 0x77160000 | 0x77259fff | Private Memory | Readable, Writable, Executable |
|
|||
private_0x0000000077260000 | 0x77260000 | 0x7737efff | Private Memory | Readable, Writable, Executable |
|
|||
ntdll.dll | 0x77380000 | 0x77528fff | Memory Mapped File | Readable, Writable, Executable |
|
|||
msasn1.dll | 0x77530000 | 0x7753bfff | Memory Mapped File | Readable, Writable, Executable |
|
|||
ntdll.dll | 0x77560000 | 0x776dffff | Memory Mapped File | Readable, Writable, Executable |
|
|||
private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
|
|||
pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
|
|||
private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
|
|||
private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
|
|||
private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
|
|||
private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
|
|||
private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
|
|||
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
|
|||
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
|
|||
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
|
|||
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
|
|||
private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
|
Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
---|---|---|---|---|---|---|
Modify Memory | #2: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | 0xa28 | address = 0xd0000, size = 147456 | | 1 | Fn |
Modify Memory | #2: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe | 0xa28 | address = 0x9e0000, size = 81920 | | 1 | Fn |
Filename | File Size | Hash Values | YARA Match | Actions |
---|---|---|---|---|
Filename | File Size | Hash Values | YARA Match | Actions |
---|---|---|---|---|
Operation | Class | Interface | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|---|
Create | 3C374A40-BAE4-11CF-BF7D-00AA006946EE | AFA0DC11-C313-11D0-831A-00C04FD5AE38 | cls_context = CLSCTX_INPROC_SERVER | | 1 | Fn |
Operation | Filename | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 3 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\lxqfwvdqlkd.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\lxqfwvdqlkd.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5P5NRG~1\AppData\Local\Temp\lxqfwvdqlkd.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Program Files (x86)\lxqfwvdqlkd.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Program Files (x86)\Common Files\lxqfwvdqlkd.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\ProgramData\lxqfwvdqlkd.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ | | 1 | Fn |
Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ | | 1 | Fn |
Create | \??\C:\Windows\System32\drivers\etc\hosts | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 2 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV | desired_access = FILE_READ_DATA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-log.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 2 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 73 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logri.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logri.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Opera Software\Opera Stable\Login Data | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrv.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrv.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 2 | Fn |
Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended | | 3 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | type = extended | | 1 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | type = extended | | 1 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | type = extended | | 1 | Fn |
Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended | | 1 | Fn |
Get Info | \??\C:\Windows\System32\drivers\etc\hosts | type = extended | | 2 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV | type = extended | | 1 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | type = extended | | 2 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | type = extended | | 1 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | type = extended | | 73 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logri.ini | type = extended | | 1 | Fn |
Get Info | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = extended | | 1 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = extended | | 1 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrv.ini | type = extended | | 1 | Fn |
Get Info | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = extended | | 2 | Fn |
Read | \??\C:\Windows\System32\drivers\etc\hosts | offset = 0, size = 824 | | 1 | Fn, Data |
Read | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | offset = 0, size = 290816 | | 1 | Fn, Data |
Read | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | offset = 0, size = 275568 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 0, size = 40 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 40, size = 12 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 52, size = 82 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 134, size = 18 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 152, size = 22 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 174, size = 24 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 198, size = 20 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 218, size = 26 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 244, size = 16 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 260, size = 28 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 288, size = 6 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 294, size = 26 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 320, size = 44 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 364, size = 32 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 396, size = 20 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 416, size = 4 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 420, size = 12 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 432, size = 82 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 514, size = 18 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 532, size = 22 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 554, size = 24 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 578, size = 20 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 598, size = 26 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 624, size = 18 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 642, size = 28 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 670, size = 6 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 676, size = 26 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 702, size = 46 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 748, size = 32 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 780, size = 20 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 800, size = 4 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 804, size = 12 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 816, size = 82 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 898, size = 18 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 916, size = 24 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 940, size = 26 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 966, size = 42 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1008, size = 26 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1034, size = 20 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1054, size = 12 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1066, size = 42 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1108, size = 24 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1132, size = 14 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1146, size = 24 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1170, size = 16 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1186, size = 20 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1206, size = 18 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1224, size = 46 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1270, size = 6 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1276, size = 32 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1308, size = 16 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1324, size = 46 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1370, size = 212 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1582, size = 48 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1630, size = 28 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1658, size = 32 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1690, size = 20 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1710, size = 4 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1714, size = 12 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1726, size = 82 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1808, size = 18 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1826, size = 24 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1850, size = 24 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1874, size = 20 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1894, size = 26 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1920, size = 24 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1944, size = 28 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1972, size = 6 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 1978, size = 26 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 2004, size = 42 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 2046, size = 32 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 2078, size = 20 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 2098, size = 4 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | offset = 2102, size = 4 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logri.ini | offset = 0, size = 40 | | 1 | Fn, Data |
Write | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrv.ini | offset = 0, size = 40 | | 1 | Fn, Data |

Operation | Key | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | | | 1 | Fn |
Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\05cb6f136411cf4daf1f74e966b0a7dc | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4b62e5f8c092a64ea9b79fd559a5a15e | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\609a848a708f544697003a34105400ef | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\63cba20b08018a458b6edb5d87fb54da | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\828cd3a417cead4ab3a214070dce1c3d | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\88d17fec23cbdd4fb54ad1d34c0dce09 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\a533ec91a4f74549ac2130b6908c8aac | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b70c659765f94740b657fee657d05ab4 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\cce6b8ce16bac4458e5e40e3530d6f1d | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dd7f40a823cda64b92e9a96e9e46e406 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | | | 1 | Fn |
Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ | | | 1 | Fn |
Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main | | | 1 | Fn |
Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\ | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | | | 2 | Fn |
Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName | | 1 | Fn |
Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ | value_name = CurrentVersion | | 1 | Fn |
Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main | value_name = Install Directory | | 1 | Fn |
Write Value | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | value_name = autochkDNAL2, data = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr, size = 116, type = REG_SZ | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ | | | 19 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\05cb6f136411cf4daf1f74e966b0a7dc | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4b62e5f8c092a64ea9b79fd559a5a15e | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\609a848a708f544697003a34105400ef | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\63cba20b08018a458b6edb5d87fb54da | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\828cd3a417cead4ab3a214070dce1c3d | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\88d17fec23cbdd4fb54ad1d34c0dce09 | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | | | 4 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\a533ec91a4f74549ac2130b6908c8aac | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b70c659765f94740b657fee657d05ab4 | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\cce6b8ce16bac4458e5e40e3530d6f1d | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dd7f40a823cda64b92e9a96e9e46e406 | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} | | | 1 | Fn |
Enumerate Keys | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 | | | 1 | Fn |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | 1 |
Fn
|
||
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 2 |
Fn
|
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | C:\Windows\SysWOW64\cmd.exe | os_pid = 0xa44, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE | 1 |
Create | C:\Windows\SysWOW64\cmd.exe | os_pid = 0xa58, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE | 1 |
Create | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | os_pid = 0xb08, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, show_window = SW_HIDE | 1 |
Get Info | c:\windows\explorer.exe | type = PROCESS_WOW64_INFORMATION | 1 |
Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION | 1 |
Get Info | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = PROCESS_WOW64_INFORMATION | 1 |
Get Info | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = PROCESS_BASIC_INFORMATION | 1 |
Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION | 2 |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Open | c:\windows\explorer.exe | os_tid = 0x568 | 1 |
Suspend | c:\windows\explorer.exe | os_tid = 0x568 | 1 |
Get Context | c:\windows\explorer.exe | os_tid = 0x568 | 1 |
Queue APC | c:\windows\explorer.exe | os_tid = 0x568 | 1 |
Set Context | c:\windows\explorer.exe | os_tid = 0x568 | 1 |
Resume | c:\windows\explorer.exe | os_tid = 0x568 | 1 |
Resume | c:\windows\syswow64\msiexec.exe | os_tid = 0xa3c | 1 |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Read | c:\windows\explorer.exe | address = 0x7fffffdf000, size = 64 | 1 |
Read | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | address = 0xfffde000, size = 32 | 1 |
Read | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | address = 0x1270000, size = 278528 | 1 |
Operation | Module | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Load | crypt32.dll | base_address = 0x0 | 1 |
Load | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0xc0000135 | 1 |
Load | winsqlite3.dll | base_address = 0xc0000135 | 1 |
Load | vaultcli.dll | base_address = 0x0 | 1 |
Load | gdiplus.dll | base_address = 0x0 | 1 |
Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1697632 | 1 |
Create Mapping | protection = PAGE_READWRITE, maximum_size = 1696204 | 1 |
Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1693904 | 1 |
Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1696236 | 1 |
Create Mapping | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1696288 | 1 |
Map | process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x110000 | 1 |
Map | process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_READWRITE, address_out = 0x22a0000 | 1 |
Map | process_name = c:\windows\explorer.exe, protection = PAGE_READWRITE, address_out = 0x9b50000 | 1 |
Map | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2d10000 | 1 |
Map | process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2850000 | 1 |
Map | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_READWRITE, address_out = 0x3c0000 | 1 |
Map | process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2850000 | 1 |
Map | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x70000 | 1 |
Map | process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1f40000 | 1 |
Map | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1270000 | 1 |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Sleep | duration = 1696712 milliseconds (1696.712 seconds) | 1 |
Sleep | duration = 1697672 milliseconds (1697.672 seconds) | 2 |
Sleep | duration = 1697672 milliseconds (1697.672 seconds) | 1 |
Get Info | type = SYSTEM_PROCESS_INFORMATION | 4 |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Create | mutex_name = L53886-WGVVJKAFC, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | 1 |
Create | mutex_name = 8Q-59UAVA1ZvGWMZ, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | 1 |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Mozilla Firefox, environment = 0 | 1 |
Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\, environment = 0 | 1 |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Check for Presence | c:\windows\syswow64\msiexec.exe | 1 |
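The rows above for process #1 carry the behaviour a triage script keys on: Firefox.exe is created with CREATE_SUSPENDED; thread 0x568 of explorer.exe is opened, suspended, has its context read, an APC queued, its context overwritten and is then resumed; PAGE_EXECUTE_READWRITE sections are mapped into msiexec.exe, explorer.exe and Firefox.exe; the Sleep calls last about 1697 seconds against a 00:05:01 monitoring window; and the registry enumeration walks the Outlook profile store (the 9375CFF0413111d3B88A00104B2A6676 section of a MAPI profile holds the mail account settings), IE IntelliForms\Storage2 (the AutoComplete credential store) and the Run key. The Load rows for nss3.dll and winsqlite3.dll show base_address = 0xc0000135, which is not an address but the NTSTATUS STATUS_DLL_NOT_FOUND: those libraries were requested and never loaded. The script below is an added example written for this page, not code from the sandbox vendor or from the sample. It assumes the row grammar "Operation | Target | key = value, ... | Count |" that these tables use, and its SAMPLE_ROWS are copied from them with the log-link cells dropped.

```python
"""Added illustration for this page, not vendor or sample code: parse the
flattened behaviour rows of process #1 above and run the checks a triage
script would run on them.  Assumed row grammar, taken from those tables:
'Operation | Target | key = value, ... | Count |'."""
import re
from collections import defaultdict

MONITOR_SECONDS = 5 * 60 + 1   # "Monitor Duration 00:05:01" of process #1
# Rows copied from the tables above ('Fn' log links and empty cells dropped).
SAMPLE_ROWS = r"""
Create | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | os_pid = 0xb08, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, show_window = SW_HIDE | 1 |
Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION | 2 |
Open | c:\windows\explorer.exe | os_tid = 0x568 | 1 |
Suspend | c:\windows\explorer.exe | os_tid = 0x568 | 1 |
Get Context | c:\windows\explorer.exe | os_tid = 0x568 | 1 |
Queue APC | c:\windows\explorer.exe | os_tid = 0x568 | 1 |
Set Context | c:\windows\explorer.exe | os_tid = 0x568 | 1 |
Resume | c:\windows\explorer.exe | os_tid = 0x568 | 1 |
Resume | c:\windows\syswow64\msiexec.exe | os_tid = 0xa3c | 1 |
Load | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0xc0000135 | 1 |
Load | vaultcli.dll | base_address = 0x0 | 1 |
Map | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2d10000 | 1 |
Map | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1270000 | 1 |
Map | process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_READWRITE, address_out = 0x22a0000 | 1 |
Sleep | duration = 1696712 milliseconds (1696.712 seconds) | 1 |
Sleep | duration = 1697672 milliseconds (1697.672 seconds) | 2 |
"""

def parse_info(cell):
    """'a = 1, b = X, Y' -> {'a': '1', 'b': 'X, Y'}; a token without '=' continues the previous key."""
    info, key = {}, None
    for token in cell.split(", "):
        if " = " in token:
            key, _, value = token.partition(" = ")
            info[key.strip()] = value.strip()
        elif key is not None:
            info[key] += ", " + token.strip()
    return info

def parse_rows(text):
    """Operation first, a trailing integer is the count, a 'key = value' cell is info, any other cell is the target."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.split("|") if c.strip()]
        row = {"op": cells[0], "target": "", "info": {}, "count": 1}
        rest = cells[1:]
        if rest and rest[-1].isdigit():
            row["count"] = int(rest.pop())
        for cell in rest:
            if " = " in cell:
                row["info"].update(parse_info(cell))
            else:
                row["target"] = cell
        rows.append(row)
    return rows

def thread_hijacks(rows):
    """Suspend -> (Set Context | Queue APC) -> Resume on one thread of another
    process: the sequence recorded above against explorer.exe thread 0x568."""
    by_thread = defaultdict(list)
    for r in rows:
        if "os_tid" in r["info"]:
            by_thread[(r["target"], r["info"]["os_tid"])].append(r["op"])
    hits = []
    for (proc, tid), ops in by_thread.items():
        if "Suspend" in ops and "Resume" in ops:
            start = ops.index("Suspend") + 1
            end = len(ops) - 1 - ops[::-1].index("Resume")
            if {"Set Context", "Queue APC"} & set(ops[start:end]):
                hits.append({"process": proc, "tid": tid, "ops": ops})
    return hits

def suspended_creations(rows):
    """Children started CREATE_SUSPENDED, ready to receive a mapped section."""
    return [r["target"] for r in rows if r["op"] == "Create"
            and "CREATE_SUSPENDED" in r["info"].get("creation_flags", "")]

def rwx_maps_by_process(rows):
    """Sections mapped PAGE_EXECUTE_READWRITE into other processes, per process."""
    counts = defaultdict(int)
    for r in rows:
        if r["op"] == "Map" and r["info"].get("protection") == "PAGE_EXECUTE_READWRITE":
            counts[r["info"]["process_name"]] += r["count"]
    return dict(counts)

def failed_loads(rows):
    """Loads whose base_address is an NTSTATUS error (>= 0xC0000000), not an
    address; 0xc0000135 is STATUS_DLL_NOT_FOUND, so nss3.dll never loaded."""
    return [(r["target"], r["info"]["base_address"]) for r in rows if r["op"] == "Load"
            and int(r["info"].get("base_address", "0"), 16) >= 0xC0000000]

def sleeps_outlasting_monitor(rows, monitor_seconds=MONITOR_SECONDS):
    """Sleep durations in ms that on their own exceed the analysis window."""
    out = []
    for r in rows:
        m = re.match(r"(\d+) milliseconds", r["info"].get("duration", ""))
        if r["op"] == "Sleep" and m and int(m.group(1)) > monitor_seconds * 1000:
            out.append(int(m.group(1)))
    return out
```

Each check returns plain values rather than printing, so the results can be asserted on or handed to a rule engine. The hijack check keys on (process, thread) and relies on the thread-table rows being fed in the order the report lists them; feeding it the full report would also catch any second hijacked thread. The msiexec.exe Resume is deliberately not flagged, since this page shows no Suspend for that thread.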
Information | Value |
---|---|
ID | #6 |
File Name | c:\windows\syswow64\cmd.exe |
Command Line | /c copy "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe" "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" /V |
Initial Working Directory | C:\Windows\system32\ |
Monitor | Start Time: 00:01:02, Reason: Child Process |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:04:19 |
Information | Value |
---|---|
PID | 0xa44 |
Parent PID | 0xa38 (c:\windows\syswow64\msiexec.exe) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs | 0xA48 |
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
private_0x00000000000a0000 | 0x000a0000 | 0x000affff | Private Memory | Readable, Writable |
private_0x00000000000b0000 | 0x000b0000 | 0x001affff | Private Memory | Readable, Writable |
private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | Readable, Writable |
private_0x00000000001f0000 | 0x001f0000 | 0x001fffff | Private Memory | Readable, Writable |
private_0x0000000000250000 | 0x00250000 | 0x002cffff | Private Memory | Readable, Writable |
private_0x0000000000330000 | 0x00330000 | 0x0042ffff | Private Memory | Readable, Writable |
locale.nls | 0x00430000 | 0x00496fff | Memory Mapped File | Readable |
private_0x0000000000550000 | 0x00550000 | 0x0055ffff | Private Memory | Readable, Writable |
pagefile_0x0000000000560000 | 0x00560000 | 0x006e7fff | Pagefile Backed Memory | Readable |
pagefile_0x00000000006f0000 | 0x006f0000 | 0x00870fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000880000 | 0x00880000 | 0x01c7ffff | Pagefile Backed Memory | Readable |
pagefile_0x0000000001c80000 | 0x01c80000 | 0x01fc2fff | Pagefile Backed Memory | Readable |
cmd.exe | 0x4a220000 | 0x4a26bfff | Memory Mapped File | Readable, Writable, Executable |
wow64win.dll | 0x73a70000 | 0x73acbfff | Memory Mapped File | Readable, Writable, Executable |
wow64.dll | 0x73ad0000 | 0x73b0efff | Memory Mapped File | Readable, Writable, Executable |
wow64cpu.dll | 0x73b40000 | 0x73b47fff | Memory Mapped File | Readable, Writable, Executable |
winbrand.dll | 0x74fa0000 | 0x74fa6fff | Memory Mapped File | Readable, Writable, Executable |
cryptbase.dll | 0x750b0000 | 0x750bbfff | Memory Mapped File | Readable, Writable, Executable |
sspicli.dll | 0x750c0000 | 0x7511ffff | Memory Mapped File | Readable, Writable, Executable |
user32.dll | 0x75120000 | 0x7521ffff | Memory Mapped File | Readable, Writable, Executable |
sechost.dll | 0x75240000 | 0x75258fff | Memory Mapped File | Readable, Writable, Executable |
msvcrt.dll | 0x75260000 | 0x7530bfff | Memory Mapped File | Readable, Writable, Executable |
kernelbase.dll | 0x75320000 | 0x75365fff | Memory Mapped File | Readable, Writable, Executable |
rpcrt4.dll | 0x753c0000 | 0x754affff | Memory Mapped File | Readable, Writable, Executable |
gdi32.dll | 0x754e0000 | 0x7556ffff | Memory Mapped File | Readable, Writable, Executable |
kernel32.dll | 0x765b0000 | 0x766bffff | Memory Mapped File | Readable, Writable, Executable |
lpk.dll | 0x76750000 | 0x76759fff | Memory Mapped File | Readable, Writable, Executable |
advapi32.dll | 0x76760000 | 0x767fffff | Memory Mapped File | Readable, Writable, Executable |
msctf.dll | 0x76a00000 | 0x76acbfff | Memory Mapped File | Readable, Writable, Executable |
imm32.dll | 0x76ad0000 | 0x76b2ffff | Memory Mapped File | Readable, Writable, Executable |
usp10.dll | 0x76b30000 | 0x76bccfff | Memory Mapped File | Readable, Writable, Executable |
private_0x0000000077160000 | 0x77160000 | 0x77259fff | Private Memory | Readable, Writable, Executable |
private_0x0000000077260000 | 0x77260000 | 0x7737efff | Private Memory | Readable, Writable, Executable |
ntdll.dll | 0x77380000 | 0x77528fff | Memory Mapped File | Readable, Writable, Executable |
ntdll.dll | 0x77560000 | 0x776dffff | Memory Mapped File | Readable, Writable, Executable |
pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
Filename | File Size | Hash Values | YARA Match | Actions |
---|---|---|---|---|
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 0.00 KB (0 bytes) | MD5: d41d8cd98f00b204e9800998ecf8427e, SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709, SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 284.00 KB (290816 bytes) | MD5: f5aceff295707412e7679e7c0f3a797e, SHA1: 89c58b4bc7130630ff093afe1c57614a4b85ddc7, SHA256: ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d |
Operation | Filename | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE | 1 |
Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ | 1 |
Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE | 1 |
Get Info | C:\Windows\system32 | type = file_attributes | 1 |
Get Info | C:\Windows\System32 | type = file_attributes | 1 |
Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | type = file_attributes | 1 |
Get Info | STD_INPUT_HANDLE | type = file_type | 1 |
Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | type = file_attributes | 2 |
Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | type = file_attributes | 1 |
Get Info | type = file_type | 2 |
Get Info | STD_INPUT_HANDLE | type = size, size_out = 0 | 1 |
Get Info | type = size, size_out = 0 | 1 |
Get Info | System Paging File | type = file_type | 1 |
Get Info | STD_OUTPUT_HANDLE | type = file_type | 1 |
Open | STD_OUTPUT_HANDLE | 8 |
Open | STD_INPUT_HANDLE | 3 |
Open | STD_INPUT_HANDLE | 9 |
Open | 10 |
Open | 2 |
Copy | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | 1 |
Read | STD_INPUT_HANDLE | size = 512, size_out = 512 | 1 |
Read | STD_INPUT_HANDLE | size = 65024, size_out = 65024 | 4 |
Read | size = 65024, size_out = 65024 | 4 |
Read | STD_INPUT_HANDLE | size = 65024, size_out = 30720 | 1 |
Read | size = 30720, size_out = 30720 | 1 |
Write | STD_OUTPUT_HANDLE | size = 27 | 1 |
Operation | Key | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | 1 |
Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | 1 |
Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | 1 |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE | 1 |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN | 1 |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE | 1 |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN | 1 |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN | 1 |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN | 1 |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE | 1 |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE | 1 |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN | 1 |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE | 1 |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN | 1 |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN | 1 |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN | 1 |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE | 1 |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Get Info | c:\windows\syswow64\cmd.exe | type = PROCESS_PAGE_PRIORITY | 1 |
Operation | Module | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a220000 | 1 |
Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x765b0000 | 2 |
Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 | 1 |
Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x765da84f | 1 |
Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x765e3b92 | 1 |
Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765c4a5d | 1 |
Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x765da79d | 1 |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Get Time | type = System Time, time = 2017-09-20 16:08:22 (UTC) | 1 |
Get Time | type = Ticks, time = 92149 | 1 |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Get Environment String | 4 |
Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ | 1 |
Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC | 1 |
Get Environment String | name = PROMPT | 1 |
Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe | 1 |
Get Environment String | name = KEYS | 1 |
Set Environment String | name = PROMPT, value = $P$G | 1 |
Set Environment String | name = =C:, value = C:\Windows\System32 | 1 |
Information | Value |
---|---|
ID | #7 |
File Name | c:\windows\syswow64\cmd.exe |
Command Line | /c del "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe" |
Initial Working Directory | C:\Windows\system32\ |
Monitor | Start Time: 00:01:06, Reason: Child Process |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:04:15 |
Information | Value |
---|---|
PID | 0xa58 |
Parent PID | 0xa38 (c:\windows\syswow64\msiexec.exe) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs | 0xA5C |
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
pagefile_0x0000000000010000 | 0x00010000 |0x0001ffff | Pagefile Backed Memory | Readable, Writable |
pagefile_0x0000000000020000 | 0x00020000 | 0x0002ffff | Pagefile Backed Memory | Readable, Writable |
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
pagefile_0x0000000000030000 | 0x00030000 | 0x00036fff | Pagefile Backed Memory | Readable |
apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000070000 | 0x00070000 | 0x00071fff | Pagefile Backed Memory | Readable, Writable |
private_0x0000000000080000 | 0x00080000 | 0x00080fff | Private Memory | Readable, Writable |
private_0x0000000000090000 | 0x00090000 | 0x00090fff | Private Memory | Readable, Writable |
private_0x00000000000c0000 | 0x000c0000 | 0x0013ffff | Private Memory | Readable, Writable |
private_0x0000000000150000 | 0x00150000 | 0x0018ffff | Private Memory | Readable, Writable |
locale.nls | 0x00190000 | 0x001f6fff | Memory Mapped File | Readable |
private_0x0000000000200000 | 0x00200000 | 0x002fffff | Private Memory | Readable, Writable |
private_0x0000000000350000 | 0x00350000 | 0x0044ffff | Private Memory | Readable, Writable |
private_0x00000000004f0000 | 0x004f0000 | 0x004fffff | Private Memory | Readable, Writable |
pagefile_0x0000000000500000 | 0x00500000 | 0x00687fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000690000 | 0x00690000 | 0x00810fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000820000 | 0x00820000 | 0x01c1ffff | Pagefile Backed Memory | Readable |
pagefile_0x0000000001c20000 | 0x01c20000 | 0x01f62fff | Pagefile Backed Memory | Readable |
cmd.exe | 0x4a260000 | 0x4a2abfff | Memory Mapped File | Readable, Writable, Executable |
wow64win.dll | 0x73a70000 | 0x73acbfff | Memory Mapped File | Readable, Writable, Executable |
wow64.dll | 0x73ad0000 | 0x73b0efff | Memory Mapped File | Readable, Writable, Executable |
wow64cpu.dll | 0x73b40000 | 0x73b47fff | Memory Mapped File | Readable, Writable, Executable |
winbrand.dll | 0x74f90000 | 0x74f96fff | Memory Mapped File | Readable, Writable, Executable |
cryptbase.dll | 0x750b0000 | 0x750bbfff | Memory Mapped File | Readable, Writable, Executable |
sspicli.dll | 0x750c0000 | 0x7511ffff | Memory Mapped File | Readable, Writable, Executable |
user32.dll | 0x75120000 | 0x7521ffff | Memory Mapped File | Readable, Writable, Executable |
sechost.dll | 0x75240000 | 0x75258fff | Memory Mapped File | Readable, Writable, Executable |
msvcrt.dll | 0x75260000 | 0x7530bfff | Memory Mapped File | Readable, Writable, Executable |
kernelbase.dll | 0x75320000 | 0x75365fff | Memory Mapped File | Readable, Writable, Executable |
rpcrt4.dll | 0x753c0000 | 0x754affff | Memory Mapped File | Readable, Writable, Executable |
gdi32.dll | 0x754e0000 | 0x7556ffff | Memory Mapped File | Readable, Writable, Executable |
kernel32.dll | 0x765b0000 | 0x766bffff | Memory Mapped File | Readable, Writable, Executable |
lpk.dll | 0x76750000 | 0x76759fff | Memory Mapped File | Readable, Writable, Executable |
advapi32.dll | 0x76760000 | 0x767fffff | Memory Mapped File | Readable, Writable, Executable |
msctf.dll | 0x76a00000 | 0x76acbfff | Memory Mapped File | Readable, Writable, Executable |
imm32.dll | 0x76ad0000 | 0x76b2ffff | Memory Mapped File | Readable, Writable, Executable |
usp10.dll | 0x76b30000 | 0x76bccfff | Memory Mapped File | Readable, Writable, Executable |
private_0x0000000077160000 | 0x77160000 | 0x77259fff | Private Memory | Readable, Writable, Executable |
private_0x0000000077260000 | 0x77260000 | 0x7737efff | Private Memory | Readable, Writable, Executable |
ntdll.dll | 0x77380000 | 0x77528fff | Memory Mapped File | Readable, Writable, Executable |
ntdll.dll | 0x77560000 | 0x776dffff | Memory Mapped File | Readable, Writable, Executable |
pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
Operation | Filename | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Get Info | C:\Windows\system32 | type = file_attributes | 1 | Fn |
Get Info | C:\Windows\System32 | type = file_attributes | 1 | Fn |
Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | type = file_attributes | 2 | Fn |
Get Info | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop | type = file_attributes | 1 | Fn |
Open | STD_OUTPUT_HANDLE | 5 | Fn |
Open | STD_INPUT_HANDLE | 3 | Fn |
Delete | C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe | 1 | Fn |
Operation | Key | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Open Key | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | 1 | Fn |
Open Key | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | 1 | Fn |
Open Key | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | 1 | Fn |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 0, type = REG_NONE | 1 | Fn |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN | 1 | Fn |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE | 1 | Fn |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN | 1 | Fn |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN | 1 | Fn |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN | 1 | Fn |
Read Value | HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor | value_name = AutoRun, data = 64, type = REG_NONE | 1 | Fn |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DisableUNCCheck, data = 64, type = REG_NONE | 1 | Fn |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN | 1 | Fn |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DelayedExpansion, data = 1, type = REG_NONE | 1 | Fn |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN | 1 | Fn |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN | 1 | Fn |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN | 1 | Fn |
Read Value | HKEY_CURRENT_USER\Software\Microsoft\Command Processor | value_name = AutoRun, data = 9, type = REG_NONE | 1 | Fn |
Operation | Module | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Get Handle | c:\windows\syswow64\cmd.exe | base_address = 0x4a260000 | 1 | Fn |
Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x765b0000 | 2 | Fn |
Get Filename | process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address_out = 0x765da84f | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = CopyFileExW, address_out = 0x765e3b92 | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = IsDebuggerPresent, address_out = 0x765c4a5d | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = SetConsoleInputExeNameW, address_out = 0x765da79d | 1 | Fn |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Get Time | type = System Time, time = 2017-09-20 16:08:25 (UTC) | 1 | Fn |
Get Time | type = Ticks, time = 95644 | 1 | Fn |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Get Environment String | 4 | Fn, Data |
Get Environment String | name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ | 1 | Fn |
Get Environment String | name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC | 1 | Fn |
Get Environment String | name = PROMPT | 1 | Fn |
Get Environment String | name = COMSPEC, result_out = C:\Windows\system32\cmd.exe | 1 | Fn |
Get Environment String | name = KEYS | 1 | Fn |
Set Environment String | name = PROMPT, value = $P$G | 1 | Fn |
Set Environment String | name = =C:, value = C:\Windows\System32 | 1 | Fn |
Information | Value |
---|---|
ID | #8 |
File Name | c:\program files (x86)\mozilla firefox\firefox.exe |
Command Line | "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" |
Initial Working Directory | C:\Windows\system32\ |
Monitor | Start Time: 00:01:22, Reason: Child Process |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:03:59 |
Information | Value |
---|---|
PID | 0xb08 |
Parent PID | 0xa38 (c:\windows\syswow64\msiexec.exe) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs | 0xB0C |
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000060000 | 0x00060000 | 0x00062fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000070000 | 0x00070000 | 0x000fafff | Pagefile Backed Memory | Readable, Writable, Executable |
locale.nls | 0x00100000 | 0x00166fff | Memory Mapped File | Readable |
pagefile_0x0000000000180000 | 0x00180000 | 0x00186fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000190000 | 0x00190000 | 0x00191fff | Pagefile Backed Memory | Readable, Writable |
private_0x00000000001b0000 | 0x001b0000 | 0x001effff | Private Memory | Readable, Writable |
private_0x0000000000230000 | 0x00230000 | 0x0023ffff | Private Memory | Readable, Writable |
private_0x00000000002c0000 | 0x002c0000 | 0x003bffff | Private Memory | Readable, Writable |
pagefile_0x00000000003c0000 | 0x003c0000 | 0x008a1fff | Pagefile Backed Memory | Readable, Writable |
pagefile_0x00000000008b0000 | 0x008b0000 | 0x00a37fff | Pagefile Backed Memory | Readable |
private_0x0000000000a80000 | 0x00a80000 | 0x00a8ffff | Private Memory | Readable, Writable |
private_0x0000000000aa0000 | 0x00aa0000 | 0x00b1ffff | Private Memory | Readable, Writable |
pagefile_0x0000000000b20000 | 0x00b20000 | 0x00ca0fff | Pagefile Backed Memory | Readable |
private_0x0000000000d10000 | 0x00d10000 | 0x00d4ffff | Private Memory | Readable, Writable |
ntdll.dll | 0x00d50000 | 0x00ecffff | Memory Mapped File | Readable, Writable, Executable |
private_0x0000000000ed0000 | 0x00ed0000 | 0x00fcffff | Private Memory | Readable, Writable |
private_0x0000000001000000 | 0x01000000 | 0x010fffff | Private Memory | Readable, Writable |
firefox.exe | 0x01270000 | 0x012b3fff | Memory Mapped File | Readable, Writable, Executable |
pagefile_0x0000000001270000 | 0x01270000 | 0x012b3fff | Pagefile Backed Memory | Readable, Writable, Executable |
pagefile_0x00000000012c0000 | 0x012c0000 | 0x026bffff | Pagefile Backed Memory | Readable |
sortdefault.nls | 0x026c0000 | 0x0298efff | Memory Mapped File | Readable |
pagefile_0x0000000002990000 | 0x02990000 | 0x02d82fff | Pagefile Backed Memory | Readable |
wow64win.dll | 0x73a70000 | 0x73acbfff | Memory Mapped File | Readable, Writable, Executable |
wow64.dll | 0x73ad0000 | 0x73b0efff | Memory Mapped File | Readable, Writable, Executable |
wow64cpu.dll | 0x73b40000 | 0x73b47fff | Memory Mapped File | Readable, Writable, Executable |
freebl3.dll | 0x74490000 | 0x744defff | Memory Mapped File | Readable, Writable, Executable |
softokn3.dll | 0x744e0000 | 0x74506fff | Memory Mapped File | Readable, Writable, Executable |
msvcp100.dll | 0x74510000 | 0x74578fff | Memory Mapped File | Readable, Writable, Executable |
nss3.dll | 0x74580000 | 0x74734fff | Memory Mapped File | Readable, Writable, Executable |
msvcr100.dll | 0x74740000 | 0x747fdfff | Memory Mapped File | Readable, Writable, Executable |
mozglue.dll | 0x74b50000 | 0x74b71fff | Memory Mapped File | Readable, Writable, Executable |
winmm.dll | 0x74b80000 | 0x74bb1fff | Memory Mapped File | Readable, Writable, Executable |
nssdbm3.dll | 0x74f70000 | 0x74f86fff | Memory Mapped File | Readable, Writable, Executable |
wsock32.dll | 0x74f90000 | 0x74f96fff | Memory Mapped File | Readable, Writable, Executable |
cryptbase.dll | 0x750b0000 | 0x750bbfff | Memory Mapped File | Readable, Writable, Executable |
sspicli.dll | 0x750c0000 | 0x7511ffff | Memory Mapped File | Readable, Writable, Executable |
user32.dll | 0x75120000 | 0x7521ffff | Memory Mapped File | Readable, Writable, Executable |
sechost.dll | 0x75240000 | 0x75258fff | Memory Mapped File | Readable, Writable, Executable |
msvcrt.dll | 0x75260000 | 0x7530bfff | Memory Mapped File | Readable, Writable, Executable |
kernelbase.dll | 0x75320000 | 0x75365fff | Memory Mapped File | Readable, Writable, Executable |
ws2_32.dll | 0x75380000 | 0x753b4fff | Memory Mapped File | Readable, Writable, Executable |
rpcrt4.dll | 0x753c0000 | 0x754affff | Memory Mapped File | Readable, Writable, Executable |
gdi32.dll | 0x754e0000 | 0x7556ffff | Memory Mapped File | Readable, Writable, Executable |
shell32.dll | 0x75790000 | 0x763d9fff | Memory Mapped File | Readable, Writable, Executable |
kernel32.dll | 0x765b0000 | 0x766bffff | Memory Mapped File | Readable, Writable, Executable |
lpk.dll | 0x76750000 | 0x76759fff | Memory Mapped File | Readable, Writable, Executable |
advapi32.dll | 0x76760000 | 0x767fffff | Memory Mapped File | Readable, Writable, Executable |
crypt32.dll | 0x768e0000 | 0x769fcfff | Memory Mapped File | Readable, Writable, Executable |
msctf.dll | 0x76a00000 | 0x76acbfff | Memory Mapped File | Readable, Writable, Executable |
imm32.dll | 0x76ad0000 | 0x76b2ffff | Memory Mapped File | Readable, Writable, Executable |
usp10.dll | 0x76b30000 | 0x76bccfff | Memory Mapped File | Readable, Writable, Executable |
nsi.dll | 0x76bd0000 | 0x76bd5fff | Memory Mapped File | Readable, Writable, Executable |
shlwapi.dll | 0x77100000 | 0x77156fff | Memory Mapped File | Readable, Writable, Executable |
private_0x0000000077160000 | 0x77160000 | 0x77259fff | Private Memory | Readable, Writable, Executable |
private_0x0000000077260000 | 0x77260000 | 0x7737efff | Private Memory | Readable, Writable, Executable |
ntdll.dll | 0x77380000 | 0x77528fff | Memory Mapped File | Readable, Writable, Executable |
msasn1.dll | 0x77530000 | 0x7753bfff | Memory Mapped File | Readable, Writable, Executable |
ntdll.dll | 0x77560000 | 0x776dffff | Memory Mapped File | Readable, Writable, Executable |
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
pagefile_0x00000000fffb0000 | 0xfffb0000 | 0xfffd2fff | Pagefile Backed Memory | Readable |
private_0x00000000fffdb000 | 0xfffdb000 | 0xfffddfff | Private Memory | Readable, Writable |
private_0x00000000fffde000 | 0xfffde000 | 0xfffdefff | Private Memory | Readable, Writable |
private_0x00000000fffdf000 | 0xfffdf000 | 0xfffdffff | Private Memory | Readable, Writable |
private_0x00000000fffe0000 | 0xfffe0000 | 0x7fffffeffff | Private Memory | Readable |
Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
---|---|---|---|---|---|---|
Modify Memory | #5: c:\windows\syswow64\msiexec.exe | 0xa3c | address = 0x3c0000, size = 5120000 | 1 | Fn |
Modify Memory | #5: c:\windows\syswow64\msiexec.exe | 0xa3c | address = 0x70000, size = 569344 | 1 | Fn |
Modify Memory | #5: c:\windows\syswow64\msiexec.exe | 0xa3c | address = 0x1270000, size = 278528 | 1 | Fn |
Operation | Filename | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | 1 | Fn |
Operation | Module | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create Mapping | protection = PAGE_EXECUTE, maximum_size = 0 | 1 | Fn |
Map | process_name = c:\program files (x86)\mozilla firefox\firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xd50000 | 1 | Fn |
Information | Value |
---|---|
ID | #9 |
File Name | c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr |
Command Line | "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" /S |
Initial Working Directory | C:\Windows\system32\ |
Monitor | Start Time: 00:01:48, Reason: Autostart |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:03:33 |
Information | Value |
---|---|
PID | 0x53c |
Parent PID | 0x34c (c:\windows\explorer.exe) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs | 0x540, 0x658, 0x124, 0x340 |
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable |
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable |
apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
private_0x00000000001a0000 | 0x001a0000 | 0x001affff | Private Memory | Readable, Writable |
pagefile_0x00000000001b0000 | 0x001b0000 | 0x001b6fff | Pagefile Backed Memory | Readable |
pagefile_0x00000000001c0000 | 0x001c0000 | 0x001c1fff | Pagefile Backed Memory | Readable, Writable |
private_0x00000000001d0000 | 0x001d0000 | 0x0024ffff | Private Memory | Readable, Writable |
pagefile_0x0000000000250000 | 0x00250000 | 0x00251fff | Pagefile Backed Memory | Readable |
msctf.dll.mui | 0x00250000 | 0x00250fff | Memory Mapped File | Readable, Writable |
pagefile_0x0000000000260000 | 0x00260000 | 0x00261fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000260000 | 0x00260000 | 0x00260fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000270000 | 0x00270000 | 0x00270fff | Pagefile Backed Memory | Readable |
private_0x0000000000280000 | 0x00280000 | 0x0037ffff | Private Memory | Readable, Writable |
locale.nls | 0x00380000 | 0x003e6fff | Memory Mapped File | Readable |
private_0x00000000003f0000 | 0x003f0000 | 0x003f8fff | Private Memory | Readable, Writable, Executable |
igfxonux.scr | 0x00400000 | 0x00447fff | Memory Mapped File | Readable, Writable, Executable |
pagefile_0x0000000000450000 | 0x00450000 | 0x005d7fff | Pagefile Backed Memory | Readable |
private_0x00000000005e0000 | 0x005e0000 | 0x0061ffff | Private Memory | Readable, Writable |
private_0x0000000000620000 | 0x00620000 | 0x00620fff | Private Memory | Readable, Writable |
private_0x0000000000640000 | 0x00640000 | 0x0064ffff | Private Memory | Readable, Writable |
pagefile_0x0000000000650000 | 0x00650000 | 0x007d0fff | Pagefile Backed Memory | Readable |
pagefile_0x00000000007e0000 | 0x007e0000 | 0x01bdffff | Pagefile Backed Memory | Readable |
private_0x0000000001be0000 | 0x01be0000 | 0x01c7ffff | Private Memory | Readable, Writable |
private_0x0000000001be0000 | 0x01be0000 | 0x01c1ffff | Private Memory | Readable, Writable |
private_0x0000000001c40000 | 0x01c40000 | 0x01c7ffff | Private Memory | Readable, Writable |
private_0x0000000001c80000 | 0x01c80000 | 0x01c8ffff | Private Memory | Readable, Writable |
private_0x0000000001c90000 | 0x01c90000 | 0x0208ffff | Private Memory | Readable, Writable |
sortdefault.nls | 0x02090000 | 0x0235efff | Memory Mapped File | Readable |
private_0x0000000002360000 | 0x02360000 | 0x024affff | Private Memory | Readable, Writable |
pagefile_0x0000000002360000 | 0x02360000 | 0x0243efff | Pagefile Backed Memory | Readable |
private_0x0000000002470000 | 0x02470000 | 0x024affff | Private Memory | Readable, Writable |
private_0x00000000024b0000 | 0x024b0000 | 0x0252ffff | Private Memory | Readable, Writable |
private_0x0000000002530000 | 0x02530000 | 0x0256ffff | Private Memory | Readable, Writable |
private_0x0000000002590000 | 0x02590000 | 0x025cffff | Private Memory | Readable, Writable |
private_0x00000000025d0000 | 0x025d0000 | 0x026bffff | Private Memory | Readable, Writable |
private_0x00000000026d0000 | 0x026d0000 | 0x026dffff | Private Memory | Readable, Writable |
pagefile_0x00000000026e0000 | 0x026e0000 | 0x02ad2fff | Pagefile Backed Memory | Readable |
staticcache.dat | 0x02ae0000 | 0x0340ffff | Memory Mapped File | Readable |
private_0x0000000003410000 | 0x03410000 | 0x0350ffff | Private Memory | Readable, Writable |
private_0x0000000003510000 | 0x03510000 | 0x0750ffff | Private Memory | Readable, Writable, Executable |
private_0x0000000007510000 | 0x07510000 | 0x0760ffff | Private Memory | Readable, Writable |
private_0x0000000007610000 | 0x07610000 | 0x0770ffff | Private Memory | Readable, Writable |
msvbvm60.dll | 0x72940000 | 0x72a92fff | Memory Mapped File | Readable, Writable, Executable |
dwmapi.dll | 0x72d60000 | 0x72d72fff | Memory Mapped File | Readable, Writable, Executable |
uxtheme.dll | 0x737e0000 | 0x7385ffff | Memory Mapped File | Readable, Writable, Executable |
sxs.dll | 0x73990000 | 0x739eefff | Memory Mapped File | Readable, Writable, Executable |
wow64cpu.dll | 0x73a00000 | 0x73a07fff | Memory Mapped File | Readable, Writable, Executable |
wow64win.dll | 0x73a10000 | 0x73a6bfff | Memory Mapped File | Readable, Writable, Executable |
wow64.dll | 0x73a70000 | 0x73aaefff | Memory Mapped File | Readable, Writable, Executable |
winspool.drv | 0x74f70000 | 0x74fc0fff | Memory Mapped File | Readable, Writable, Executable |
cryptbase.dll | 0x74fe0000 | 0x74febfff | Memory Mapped File | Readable, Writable, Executable |
sspicli.dll | 0x74ff0000 | 0x7504ffff | Memory Mapped File | Readable, Writable, Executable |
shell32.dll | 0x75080000 | 0x75cc9fff | Memory Mapped File | Readable, Writable, Executable |
shlwapi.dll | 0x75cd0000 | 0x75d26fff | Memory Mapped File | Readable, Writable, Executable |
oleaut32.dll | 0x760d0000 | 0x7615efff | Memory Mapped File | Readable, Writable, Executable |
msctf.dll | 0x76160000 | 0x7622bfff | Memory Mapped File | Readable, Writable, Executable |
advapi32.dll | 0x76260000 | 0x762fffff | Memory Mapped File | Readable, Writable, Executable |
gdi32.dll | 0x76300000 | 0x7638ffff | Memory Mapped File | Readable, Writable, Executable |
imm32.dll | 0x764d0000 | 0x7652ffff | Memory Mapped File | Readable, Writable, Executable |
kernel32.dll | 0x76720000 | 0x7682ffff | Memory Mapped File | Readable, Writable, Executable |
clbcatq.dll | 0x76830000 | 0x768b2fff | Memory Mapped File | Readable, Writable, Executable |
rpcrt4.dll | 0x768f0000 | 0x769dffff | Memory Mapped File | Readable, Writable, Executable |
ole32.dll | 0x76b00000 | 0x76c5bfff | Memory Mapped File | Readable, Writable, Executable |
msvcrt.dll | 0x76ca0000 | 0x76d4bfff | Memory Mapped File | Readable, Writable, Executable |
lpk.dll | 0x76d50000 | 0x76d59fff | Memory Mapped File | Readable, Writable, Executable |
usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | Readable, Writable, Executable |
kernelbase.dll | 0x76e10000 | 0x76e55fff | Memory Mapped File | Readable, Writable, Executable |
sechost.dll | 0x76e70000 | 0x76e88fff | Memory Mapped File | Readable, Writable, Executable |
user32.dll | 0x76f90000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
private_0x0000000077090000 | 0x77090000 | 0x771aefff | Private Memory | Readable, Writable, Executable |
private_0x00000000771b0000 | 0x771b0000 | 0x772a9fff | Private Memory | Readable, Writable, Executable |
ntdll.dll | 0x772b0000 | 0x77458fff | Memory Mapped File | Readable, Writable, Executable |
ntdll.dll | 0x77490000 | 0x7760ffff | Memory Mapped File | Readable, Writable, Executable |
private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable |
pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable |
private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
Operation | Filename | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Get Info | STD_INPUT_HANDLE | type = file_type | 1 | Fn |
Get Info | STD_OUTPUT_HANDLE | type = file_type | 1 | Fn |
Get Info | STD_ERROR_HANDLE | type = file_type | 1 | Fn |
Open | STD_INPUT_HANDLE | 1 | Fn |
Open | STD_OUTPUT_HANDLE | 1 | Fn |
Open | STD_ERROR_HANDLE | 1 | Fn |
Operation | Key | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors | 2 | Fn |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | os_pid = 0x338, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE | 1 | Fn |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Get Context | c:\windows\explorer.exe | os_tid = 0x540 | 1 | Fn |
Set Context | c:\windows\explorer.exe | os_tid = 0x540 | 1 | Fn |
Resume | c:\windows\explorer.exe | os_tid = 0x540 | 1 | Fn |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Allocate | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | address = 0x3510004, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 55664920 | 1 | Fn |
Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | address = 0x400000, size = 512 | 1 | Fn, Data |
Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | address = 0x400000, size = 1 | 1 | Fn, Data |
Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | address = 0x401000, size = 141824 | 1 | Fn, Data |
Write | C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | address = 0x7efde008, size = 4 | 1 | Fn, Data |
Operation | Module | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Load | OLEAUT32.DLL | base_address = 0x760d0000 | 1 | Fn |
Load | SXS.DLL | base_address = 0x73990000 | 1 | Fn |
Load | ADVAPI32.DLL | base_address = 0x76260000 | 2 | Fn |
Load | user32 | base_address = 0x76f90000 | 5 | Fn |
Load | winspool.drv | base_address = 0x74f70000 | 1 | Fn |
Load | Msvbvm60.dll | base_address = 0x72940000 | 1 | Fn |
Load | kernel32 | base_address = 0x76720000 | 18 | Fn |
Load | advapi32 | base_address = 0x76260000 | 1 | Fn |
Load | shell32 | base_address = 0x75080000 | 1 | Fn |
Load | ntdll | base_address = 0x77490000 | 8 | Fn |
Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x76720000 | 2 | Fn |
Get Handle | c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | base_address = 0x400000 | 1 | Fn |
Get Handle | c:\windows\syswow64\oleaut32.dll | base_address = 0x760d0000 | 1 | Fn |
Get Handle | c:\windows\syswow64\ole32.dll | base_address = 0x76b00000 | 1 | Fn |
Get Handle | c:\windows\syswow64\user32.dll | base_address = 0x76f90000 | 1 | Fn |
Get Filename | process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr, size = 260 | 3 | Fn |
Get Filename | process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 | 3 | Fn |
Get Filename | c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr, size = 260 | 2 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = IsTNT, address_out = 0x0 | 1 | Fn |
Get Address | c:\windows\syswow64\kernel32.dll | function = IsProcessorFeaturePresent, address_out = 0x76735235 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = OleLoadPictureEx, address_out = 0x761370a1 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = DispCallFunc, address_out = 0x760e3dcf | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = LoadTypeLibEx, address_out = 0x760e07b7 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = UnRegisterTypeLib, address_out = 0x76101ca9 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = CreateTypeLib2, address_out = 0x760e8e70 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDateFromUdate, address_out = 0x760e7684 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarUdateFromDate, address_out = 0x760ecc98 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = GetAltMonthNames, address_out = 0x7611903a | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNumFromParseNum, address_out = 0x760e6231 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarParseNumFromStr, address_out = 0x760e5fea | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromR4, address_out = 0x760f3f94 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromR8, address_out = 0x760f4e9e | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromDate, address_out = 0x7611db72 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromI4, address_out = 0x76102a8c | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecFromCy, address_out = 0x7611d737 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarR4FromDec, address_out = 0x7611e015 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = GetRecordInfoFromTypeInfo, address_out = 0x7611cc3d | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = GetRecordInfoFromGuids, address_out = 0x7611d1c4 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetRecordInfo, address_out = 0x7611d48c | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArraySetRecordInfo, address_out = 0x7611d4c6 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayGetIID, address_out = 0x7611d509 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArraySetIID, address_out = 0x760ee7bb | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCopyData, address_out = 0x760ee496 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayAllocDescriptorEx, address_out = 0x760eddf1 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = SafeArrayCreateEx, address_out = 0x7611d53f | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormat, address_out = 0x76122055 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatDateTime, address_out = 0x761220ea | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatNumber, address_out = 0x76122151 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatPercent, address_out = 0x761221f5 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFormatCurrency, address_out = 0x76122288 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarWeekdayName, address_out = 0x76122335 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMonthName, address_out = 0x761223d5 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAdd, address_out = 0x760f5934 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAnd, address_out = 0x760f5a98 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCat, address_out = 0x760f59b4 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDiv, address_out = 0x7614e405 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarEqv, address_out = 0x7614ef07 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarIdiv, address_out = 0x7614f00a | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarImp, address_out = 0x7614ef47 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMod, address_out = 0x7614f15e | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarMul, address_out = 0x7614dbd4 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarOr, address_out = 0x7614ecfa | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarPow, address_out = 0x7614ea66 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarSub, address_out = 0x7614d332 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarXor, address_out = 0x7614ee2e | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarAbs, address_out = 0x7614ca11 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarFix, address_out = 0x7614cc5f | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarInt, address_out = 0x7614cde7 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNeg, address_out = 0x7614c802 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarNot, address_out = 0x7614ec66 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarRound, address_out = 0x7614d155 | 1 | Fn |
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCmp, address_out = 0x760eb0dc | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecAdd, address_out = 0x76105f3e | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarDecCmp, address_out = 0x760f4fd0 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrCat, address_out = 0x760f0d2c | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarCyMulI4, address_out = 0x761059ed | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\oleaut32.dll | function = VarBstrCmp, address_out = 0x760df8b8 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\ole32.dll | function = CoCreateInstanceEx, address_out = 0x76b49d4e | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\ole32.dll | function = CLSIDFromProgIDEx, address_out = 0x76b10782 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\sxs.dll | function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x739d7685 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\user32.dll | function = GetSystemMetrics, address_out = 0x76fa7d2f | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromWindow, address_out = 0x76fb3150 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromRect, address_out = 0x76fce7a0 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\user32.dll | function = MonitorFromPoint, address_out = 0x76fb5281 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\user32.dll | function = EnumDisplayMonitors, address_out = 0x76fb451a | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\user32.dll | function = GetMonitorInfoA, address_out = 0x76fb4413 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\advapi32.dll | function = CloseEventLog, address_out = 0x762677c3 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\advapi32.dll | function = SetAclInformation, address_out = 0x762a34e3 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\user32.dll | function = CreateDialogIndirectParamA, address_out = 0x76fbb029 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\winspool.drv | function = DeletePrintProcessorA, address_out = 0x74f78aff | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\user32.dll | function = CreateWindowExA, address_out = 0x76fad22e | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\user32.dll | function = ShowWindow, address_out = 0x76fb0dfb | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\msvbvm60.dll | function = rtcDoEvents, address_out = 0x72a0e0f7 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\user32.dll | function = EnumWindows, address_out = 0x76fad1cf | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAlloc, address_out = 0x76731856 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount, address_out = 0x7673110c | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = Sleep, address_out = 0x767310ff | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = SetErrorMode, address_out = 0x76731b00 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = SetLastError, address_out = 0x767311a9 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualAllocEx, address_out = 0x7674d9b0 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\user32.dll | function = GetCursorPos, address_out = 0x76fb1218 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\advapi32.dll | function = RegOpenKeyExA, address_out = 0x76274907 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = CloseHandle, address_out = 0x76731410 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\shell32.dll | function = ShellExecuteW, address_out = 0x75093c71 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = WriteFile, address_out = 0x76731282 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateFileW, address_out = 0x76733f5c | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = TerminateProcess, address_out = 0x7674d802 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = VirtualProtectEx, address_out = 0x767b45bf | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateProcessW, address_out = 0x7673103d | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTempPathW, address_out = 0x7674d4dc | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLongPathNameW, address_out = 0x7673a315 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileSize, address_out = 0x7673196e | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = ReadFile, address_out = 0x76733ed3 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCommandLineW, address_out = 0x76735223 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\ntdll.dll | function = NtAllocateVirtualMemory, address_out = 0x774afab0 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\ntdll.dll | function = NtWriteVirtualMemory, address_out = 0x774afe04 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\ntdll.dll | function = NtTerminateThread, address_out = 0x774b0074 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\ntdll.dll | function = NtOpenEvent, address_out = 0x774afe98 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\ntdll.dll | function = NtUnmapViewOfSection, address_out = 0x774afc70 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\ntdll.dll | function = NtGetContextThread, address_out = 0x774b0c20 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\ntdll.dll | function = NtSetContextThread, address_out = 0x774b1910 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\ntdll.dll | function = NtResumeThread, address_out = 0x774b0058 | 1 |
Fn
|
|
Get Address | c:\windows\syswow64\kernel32.dll | function = GetExitCodeProcess, address_out = 0x7674174d | 1 |
Fn
|
Operation | Window Name | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | | class_name = ThunderRT6Main, wndproc_parameter = 0 | 1 |
Create | | class_name = VBMsoStdCompMgr, wndproc_parameter = 0 | 1 |
Create | | class_name = VBFocusRT6, wndproc_parameter = 0 | 1 |
Create | Southlander | wndproc_parameter = 0 | 1 |
Create | Southlander | wndproc_parameter = 0 | 1 |
Create | çSÌ¥’ËhєÃ7¯¸X ²B | class_name = STATIC, wndproc_parameter = 0 | 1 |
Set Attribute | | class_name = VBMsoStdCompMgr, index = 0, new_long = 39395484 | 1 |
Set Attribute | Southlander | index = 18446744073709551600, new_long = 114229248 | 1 |
Set Attribute | Southlander | index = 18446744073709551596, new_long = 256 | 1 |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Get Info | type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 | 1 |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Get Cursor | x_out = 1070, y_out = 121 | 598 |
Get Cursor | x_out = 15, y_out = 821 | 1 |
Sleep | duration = 0 milliseconds (0.000 seconds) | 3 |
Sleep | duration = 2000 milliseconds (2.000 seconds) | 1 |
Sleep | duration = 1 milliseconds (0.001 seconds) | 598 |
Get Time | type = Ticks, time = 14274 | 3 |
Get Time | type = Ticks, time = 14320 | 2 |
Get Time | type = Ticks, time = 14367 | 4 |
Get Time | type = Ticks, time = 21200 | 1 |
Get Time | type = Ticks, time = 32339 | 1 |
Get Time | type = Ticks, time = 34351 | 1 |
Get Info | type = Operating System | 3 |
Get Info | type = Operating System | 2 |
Get Info | type = Hardware Information | 1 |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Create | 1 |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Get Environment String | 1 |
Information | Value |
---|---|
ID | #10 |
File Name | c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr |
Command Line | "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" /S |
Initial Working Directory | C:\Windows\system32\ |
Monitor | Start Time: 00:02:27, Reason: Child Process |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:02:54 |
Information | Value |
---|---|
PID | 0x338 |
Parent PID | 0x53c (c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs | 0x614, 0x610 |
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable |
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
private_0x0000000000020000 | 0x00020000 | 0x0002ffff | Private Memory | Readable, Writable |
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable |
private_0x0000000000030000 | 0x00030000 | 0x0003dfff | Private Memory | Readable, Writable, Executable |
apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable |
private_0x0000000000050000 | 0x00050000 | 0x0008ffff | Private Memory | Readable, Writable |
private_0x0000000000090000 | 0x00090000 | 0x0018ffff | Private Memory | Readable, Writable |
pagefile_0x0000000000190000 | 0x00190000 | 0x00193fff | Pagefile Backed Memory | Readable |
locale.nls | 0x001a0000 | 0x00206fff | Memory Mapped File | Readable |
private_0x0000000000210000 | 0x00210000 | 0x0036ffff | Private Memory | Readable, Writable |
private_0x0000000000210000 | 0x00210000 | 0x0024ffff | Private Memory | Readable, Writable |
private_0x0000000000250000 | 0x00250000 | 0x0034ffff | Private Memory | Readable, Writable |
private_0x0000000000350000 | 0x00350000 | 0x0035dfff | Private Memory | Readable, Writable, Executable |
private_0x0000000000360000 | 0x00360000 | 0x0036ffff | Private Memory | Readable, Writable |
private_0x0000000000370000 | 0x00370000 | 0x00370fff | Private Memory | Readable, Writable |
private_0x0000000000380000 | 0x00380000 | 0x003fffff | Private Memory | Readable, Writable |
private_0x0000000000400000 | 0x00400000 | 0x00423fff | Private Memory | Readable, Writable, Executable |
private_0x0000000000430000 | 0x00430000 | 0x005b0fff | Private Memory | Readable, Writable |
pagefile_0x0000000000430000 | 0x00430000 | 0x00453fff | Pagefile Backed Memory | Readable, Writable, Executable |
pagefile_0x0000000000460000 | 0x00460000 | 0x004e8fff | Pagefile Backed Memory | Readable, Writable, Executable |
imm32.dll | 0x004f0000 | 0x0050dfff | Memory Mapped File | Readable |
private_0x00000000004f0000 | 0x004f0000 | 0x004f0fff | Private Memory | Readable, Writable |
pagefile_0x0000000000500000 | 0x00500000 | 0x00523fff | Pagefile Backed Memory | Readable, Writable, Executable |
pagefile_0x0000000000530000 | 0x00530000 | 0x00547fff | Pagefile Backed Memory | Readable, Writable, Executable |
private_0x0000000000610000 | 0x00610000 | 0x0070ffff | Private Memory | Readable, Writable |
private_0x0000000000710000 | 0x00710000 | 0x00a12fff | Private Memory | Readable, Writable, Executable |
pagefile_0x0000000000a20000 | 0x00a20000 | 0x00ba7fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000bb0000 | 0x00bb0000 | 0x00d30fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000d40000 | 0x00d40000 | 0x0213ffff | Pagefile Backed Memory | Readable |
wow64cpu.dll | 0x73a00000 | 0x73a07fff | Memory Mapped File | Readable, Writable, Executable |
wow64win.dll | 0x73a10000 | 0x73a6bfff | Memory Mapped File | Readable, Writable, Executable |
wow64.dll | 0x73a70000 | 0x73aaefff | Memory Mapped File | Readable, Writable, Executable |
cryptbase.dll | 0x74fe0000 | 0x74febfff | Memory Mapped File | Readable, Writable, Executable |
sspicli.dll | 0x74ff0000 | 0x7504ffff | Memory Mapped File | Readable, Writable, Executable |
msctf.dll | 0x76160000 | 0x7622bfff | Memory Mapped File | Readable, Writable, Executable |
advapi32.dll | 0x76260000 | 0x762fffff | Memory Mapped File | Readable, Writable, Executable |
gdi32.dll | 0x76300000 | 0x7638ffff | Memory Mapped File | Readable, Writable, Executable |
imm32.dll | 0x764d0000 | 0x7652ffff | Memory Mapped File | Readable, Writable, Executable |
kernel32.dll | 0x76720000 | 0x7682ffff | Memory Mapped File | Readable, Writable, Executable |
rpcrt4.dll | 0x768f0000 | 0x769dffff | Memory Mapped File | Readable, Writable, Executable |
msvcrt.dll | 0x76ca0000 | 0x76d4bfff | Memory Mapped File | Readable, Writable, Executable |
lpk.dll | 0x76d50000 | 0x76d59fff | Memory Mapped File | Readable, Writable, Executable |
usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | Readable, Writable, Executable |
kernelbase.dll | 0x76e10000 | 0x76e55fff | Memory Mapped File | Readable, Writable, Executable |
sechost.dll | 0x76e70000 | 0x76e88fff | Memory Mapped File | Readable, Writable, Executable |
user32.dll | 0x76f90000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable |
private_0x0000000077090000 | 0x77090000 | 0x771aefff | Private Memory | Readable, Writable, Executable |
private_0x00000000771b0000 | 0x771b0000 | 0x772a9fff | Private Memory | Readable, Writable, Executable |
ntdll.dll | 0x772b0000 | 0x77458fff | Memory Mapped File | Readable, Writable, Executable |
ntdll.dll | 0x77490000 | 0x7760ffff | Memory Mapped File | Readable, Writable, Executable |
pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable |
private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable |
private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable |
private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable |
private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable |
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable |
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable |
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable |
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable |
private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable |
Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
---|---|---|---|---|---|---|
Modify Memory | #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 0x540 | address = 0x400000, size = 512 | 1 |
Modify Memory | #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 0x540 | address = 0x400000, size = 1 | 1 |
Modify Memory | #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 0x540 | address = 0x401000, size = 141824 | 1 |
Modify Memory | #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 0x540 | address = 0x7efde008, size = 4 | 1 |
Modify Control Flow | #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 0x540 | os_tid = 0x614, address = 0x774a01c4 | 1 |
Operation | Filename | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | 2 |
Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | 1 |
Create | \??\C:\Windows\SysWOW64\cmstp.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | 1 |
Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended | 2 |
Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended | 1 |
Get Info | \??\C:\Windows\SysWOW64\cmstp.exe | type = extended | 1 |
Read | \??\C:\Windows\SysWOW64\ntdll.dll | offset = 0, size = 1292096 | 1 |
Read | \??\C:\Windows\SysWOW64\cmstp.exe | offset = 0, size = 84992 | 1 |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Get Info | c:\windows\explorer.exe | type = PROCESS_WOW64_INFORMATION | 1 |
Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION | 1 |
Get Info | c:\program files\windows nt\hungry sage sender.exe | type = PROCESS_BASIC_INFORMATION | 1 |
Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION | 1 |
Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION | 1 |
Open | c:\program files\windows nt\hungry sage sender.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION | 1 |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Open | c:\windows\explorer.exe | os_tid = 0x358 | 1 |
Open | c:\windows\syswow64\cmstp.exe | os_tid = 0x668 | 1 |
Suspend | c:\windows\explorer.exe | os_tid = 0x358 | 1 |
Get Context | c:\windows\explorer.exe | os_tid = 0x358 | 1 |
Queue APC | c:\windows\explorer.exe | os_tid = 0x358 | 1 |
Set Context | c:\windows\explorer.exe | os_tid = 0x358 | 1 |
Resume | c:\windows\explorer.exe | os_tid = 0x358 | 1 |
Resume | c:\windows\syswow64\cmstp.exe | os_tid = 0x668 | 1 |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Read | c:\windows\explorer.exe | address = 0x7fffffd4000, size = 64 | 1 |
Read | c:\windows\explorer.exe | address = 0x7d99000, size = 680 | 1 |
Read | c:\program files\windows nt\hungry sage sender.exe | address = 0x7efde008, size = 4 | 1 |
Read | c:\program files\windows nt\hungry sage sender.exe | address = 0x630000, size = 98304 | 1 |
Operation | Module | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Load | advapi32.dll | base_address = 0x0 | 1 |
Load | user32.dll | base_address = 0x0 | 1 |
Create Mapping | | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1633256 | 1 |
Create Mapping | | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1631500 | 1 |
Create Mapping | | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1633256 | 1 |
Create Mapping | | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1633272 | 1 |
Map | | process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, protection = PAGE_EXECUTE_READWRITE, address_out = 0x430000 | 1 |
Map | | process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, protection = PAGE_EXECUTE_READWRITE, address_out = 0x460000 | 1 |
Map | | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x7d50000 | 1 |
Map | | process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, protection = PAGE_EXECUTE_READWRITE, address_out = 0x500000 | 1 |
Map | | process_name = c:\program files\windows nt\hungry sage sender.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x70000 | 1 |
Map | | process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, protection = PAGE_EXECUTE_READWRITE, address_out = 0x530000 | 1 |
Map | | process_name = c:\program files\windows nt\hungry sage sender.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x630000 | 1 |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Sleep | duration = 1630732 milliseconds (1630.732 seconds) | 1 |
Get Info | type = SYSTEM_PROCESS_INFORMATION | 2 |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Set Environment String | name = L53886-W, value = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr, environment = 0 | 1 |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Check for Presence | c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 1 |
Information | Value |
---|---|
ID | #11 |
File Name | c:\windows\explorer.exe |
Command Line | C:\Windows\Explorer.EXE |
Initial Working Directory | C:\Windows\system32\ |
Monitor | Start Time: 00:02:27, Reason: Injection |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:02:54 |
Information | Value |
---|---|
PID | 0x34c |
Parent PID | 0x2b0 (c:\windows\system32\userinit.exe) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs | 0x5E0, 0x748, 0x72C, 0x724, 0x720, 0x718, 0x710, 0x700, 0x6E0, 0x6BC, 0x6B4, 0x5F8, 0x5D8, 0x5C0, 0x5B4, 0x5AC, 0x5A8, 0x564, 0x560, 0x530, 0x52C, 0x528, 0x524, 0x520, 0x514, 0x498, 0x494, 0x490, 0x3B8, 0x138, 0x174, 0xF0, 0x144, 0x158, 0x384, 0x358, 0x768, 0x710, 0x780 |
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable |
pagefile_0x0000000000020000 | 0x00020000 | 0x00021fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000030000 | 0x00030000 | 0x00033fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000040000 | 0x00040000 | 0x00041fff | Pagefile Backed Memory | Readable |
locale.nls | 0x00050000 | 0x000b6fff | Memory Mapped File | Readable |
pagefile_0x00000000000c0000 | 0x000c0000 | 0x000c6fff | Pagefile Backed Memory | Readable |
pagefile_0x00000000000d0000 | 0x000d0000 | 0x000d1fff | Pagefile Backed Memory | Readable, Writable |
private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable |
private_0x00000000000f0000 | 0x000f0000 | 0x000f0fff | Private Memory | Readable, Writable |
private_0x0000000000100000 | 0x00100000 | 0x0013ffff | Private Memory | Readable, Writable |
pagefile_0x0000000000140000 | 0x00140000 | 0x00140fff | Pagefile Backed Memory | Readable, Writable |
pagefile_0x0000000000150000 | 0x00150000 | 0x00151fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000160000 | 0x00160000 | 0x00160fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000170000 | 0x00170000 | 0x00171fff | Pagefile Backed Memory | Readable |
private_0x0000000000180000 | 0x00180000 | 0x00180fff | Private Memory | Readable, Writable |
private_0x0000000000190000 | 0x00190000 | 0x0020ffff | Private Memory | Readable, Writable |
private_0x0000000000210000 | 0x00210000 | 0x00227fff | Private Memory | Readable, Writable |
private_0x0000000000230000 | 0x00230000 | 0x0024bfff | Private Memory | Readable, Writable |
pagefile_0x0000000000250000 | 0x00250000 | 0x00250fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000260000 | 0x00260000 | 0x00262fff | Pagefile Backed Memory | Readable |
private_0x0000000000270000 | 0x00270000 | 0x0036ffff | Private Memory | Readable, Writable |
private_0x0000000000370000 | 0x00370000 | 0x0046ffff | Private Memory | Readable, Writable |
private_0x0000000000470000 | 0x00470000 | 0x00474fff | Private Memory | Readable, Writable |
private_0x0000000000480000 | 0x00480000 | 0x004dffff | Private Memory | Readable, Writable |
private_0x00000000004e0000 | 0x004e0000 | 0x004effff | Private Memory | Readable, Writable |
pagefile_0x00000000004f0000 | 0x004f0000 | 0x00677fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000680000 | 0x00680000 | 0x00800fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000000810000 | 0x00810000 | 0x01c0ffff | Pagefile Backed Memory | Readable |
pagefile_0x0000000001c10000 | 0x01c10000 | 0x02002fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000002010000 | 0x02010000 | 0x020eefff | Pagefile Backed Memory | Readable |
private_0x00000000020f0000 | 0x020f0000 | 0x0215bfff | Private Memory | Readable, Writable |
private_0x0000000002160000 | 0x02160000 | 0x0218ffff | Private Memory | Readable, Writable |
private_0x0000000002190000 | 0x02190000 | 0x0219ffff | Private Memory | Readable, Writable |
private_0x00000000021a0000 | 0x021a0000 | 0x021affff | Private Memory | Readable, Writable |
private_0x00000000021b0000 | 0x021b0000 | 0x0222ffff | Private Memory | Readable, Writable |
private_0x0000000002230000 | 0x02230000 | 0x02230fff | Private Memory | Readable, Writable |
private_0x0000000002240000 | 0x02240000 | 0x022bffff | Private Memory | Readable, Writable |
sortdefault.nls | 0x022c0000 | 0x0258efff | Memory Mapped File | Readable |
pagefile_0x0000000002590000 | 0x02590000 | 0x02591fff | Pagefile Backed Memory | Readable |
pagefile_0x00000000025a0000 | 0x025a0000 | 0x025a1fff | Pagefile Backed Memory | Readable |
comctl32.dll.mui | 0x025b0000 | 0x025b2fff | Memory Mapped File | Readable, Writable |
private_0x00000000025c0000 | 0x025c0000 | 0x025c0fff | Private Memory | Readable, Writable |
private_0x00000000025d0000 | 0x025d0000 | 0x025ebfff | Private Memory | Readable, Writable |
private_0x00000000025f0000 | 0x025f0000 | 0x025f0fff | Private Memory | Readable, Writable |
private_0x0000000002600000 | 0x02600000 | 0x02608fff | Private Memory | Readable, Writable |
private_0x0000000002610000 | 0x02610000 | 0x02617fff | Private Memory | Readable, Writable |
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000011.db | 0x02620000 | 0x0263afff | Memory Mapped File | Readable |
pagefile_0x0000000002640000 | 0x02640000 | 0x02640fff | Pagefile Backed Memory | Readable, Writable |
cversions.2.db | 0x02650000 | 0x02653fff | Memory Mapped File | Readable |
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db | 0x02660000 | 0x0268ffff | Memory Mapped File | Readable |
private_0x0000000002690000 | 0x02690000 | 0x0269ffff | Private Memory | |
private_0x00000000026a0000 | 0x026a0000 | 0x026affff | Private Memory | Readable, Writable |
private_0x00000000026b0000 | 0x026b0000 | 0x026bffff | Private Memory | Readable, Writable |
private_0x00000000026c0000 | 0x026c0000 | 0x026cffff | Private Memory | Readable, Writable |
private_0x00000000026d0000 | 0x026d0000 | 0x026dffff | Private Memory | Readable, Writable |
private_0x00000000026e0000 | 0x026e0000 | 0x026effff | Private Memory | Readable, Writable |
private_0x00000000026f0000 | 0x026f0000 | 0x026fffff | Private Memory | Readable, Writable |
private_0x0000000002700000 | 0x02700000 | 0x0270ffff | Private Memory | Readable, Writable |
private_0x0000000002710000 | 0x02710000 | 0x0271ffff | Private Memory | Readable, Writable |
private_0x0000000002720000 | 0x02720000 | 0x0272ffff | Private Memory | Readable, Writable |
pagefile_0x0000000002730000 | 0x02730000 | 0x02731fff | Pagefile Backed Memory | Readable |
private_0x0000000002740000 | 0x02740000 | 0x02740fff | Private Memory | Readable, Writable |
private_0x0000000002750000 | 0x02750000 | 0x02750fff | Private Memory | Readable, Writable |
private_0x0000000002760000 | 0x02760000 | 0x0276ffff | Private Memory | Readable, Writable |
private_0x0000000002770000 | 0x02770000 | 0x0286ffff | Private Memory | Readable, Writable |
private_0x0000000002870000 | 0x02870000 | 0x0296ffff | Private Memory | Readable, Writable |
cversions.2.db | 0x02970000 | 0x02973fff | Memory Mapped File | Readable |
pagefile_0x0000000002980000 | 0x02980000 | 0x02981fff | Pagefile Backed Memory | Readable |
pagefile_0x0000000002990000 | 0x02990000 | 0x02991fff | Pagefile Backed Memory | Readable |
private_0x00000000029a0000 | 0x029a0000 | 0x029a3fff | Private Memory | Readable, Writable |
pagefile_0x00000000029b0000 | 0x029b0000 | 0x029b1fff | Pagefile Backed Memory | Readable |
oleaccrc.dll | 0x029c0000 | 0x029c0fff | Memory Mapped File | Readable |
pagefile_0x00000000029d0000 | 0x029d0000 | 0x029d1fff | Pagefile Backed Memory | Readable |
bthprops.cpl.mui | 0x029e0000 | 0x029e6fff | Memory Mapped File | Readable, Writable |
private_0x00000000029f0000 | 0x029f0000 | 0x029f3fff | Private Memory | Readable, Writable |
private_0x0000000002a00000 | 0x02a00000 | 0x02a00fff | Private Memory | Readable, Writable |
private_0x0000000002a10000 | 0x02a10000 | 0x02a10fff | Private Memory | Readable, Writable |
private_0x0000000002a20000 | 0x02a20000 | 0x02a20fff | Private Memory | Readable, Writable |
private_0x0000000002a30000 | 0x02a30000 | 0x02b2ffff | Private Memory | Readable, Writable |
private_0x0000000002b30000 | 0x02b30000 | 0x02c2ffff | Private Memory | Readable, Writable |
private_0x0000000002c30000 | 0x02c30000 | 0x02e2ffff | Private Memory | Readable, Writable |
pagefile_0x0000000002e30000 | 0x02e30000 | 0x03172fff | Pagefile Backed Memory | Readable |
private_0x0000000003180000 | 0x03180000 | 0x03183fff | Private Memory | Readable, Writable |
private_0x0000000003190000 | 0x03190000 | 0x03190fff | Private Memory | Readable, Writable |
private_0x00000000031a0000 | 0x031a0000 | 0x031a0fff | Private Memory | Readable, Writable |
private_0x00000000031b0000 | 0x031b0000 | 0x031b0fff | Private Memory | Readable, Writable |
private_0x00000000031c0000 | 0x031c0000 | 0x031c0fff | Private Memory | Readable, Writable |
private_0x00000000031d0000 | 0x031d0000 | 0x031d0fff | Private Memory | Readable, Writable |
private_0x00000000031e0000 | 0x031e0000 | 0x0325ffff | Private Memory | Readable, Writable |
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db | 0x03260000 | 0x032c5fff | Memory Mapped File | Readable |
private_0x00000000032d0000 | 0x032d0000 | 0x032d0fff | Private Memory | Readable, Writable |
private_0x00000000032e0000 | 0x032e0000 | 0x0335ffff | Private Memory | Readable, Writable |
private_0x0000000003360000 | 0x03360000 | 0x03360fff | Private Memory | Readable, Writable |
private_0x0000000003370000 | 0x03370000 | 0x03370fff | Private Memory | Readable, Writable |
private_0x0000000003380000 | 0x03380000 | 0x03380fff | Private Memory | Readable, Writable |
private_0x0000000003390000 | 0x03390000 | 0x0340ffff | Private Memory | Readable, Writable |
private_0x0000000003410000 | 0x03410000 | 0x0348ffff | Private Memory | Readable, Writable |
pagefile_0x0000000003490000 | 0x03490000 | 0x03490fff | Pagefile Backed Memory | Readable, Writable |
pagefile_0x00000000034a0000 | 0x034a0000 | 0x034a1fff | Pagefile Backed Memory | Readable |
cversions.2.db | 0x034b0000 | 0x034b3fff | Memory Mapped File | Readable |
pagefile_0x00000000034c0000 | 0x034c0000 | 0x034c1fff | Pagefile Backed Memory | Readable |
|
|||
{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db | 0x034d0000 | 0x034d0fff | Memory Mapped File | Readable |
|
|||
cversions.2.db | 0x034e0000 | 0x034e3fff | Memory Mapped File | Readable |
|
|||
private_0x00000000034f0000 | 0x034f0000 | 0x034f0fff | Private Memory | Readable, Writable |
|
|||
private_0x0000000003500000 | 0x03500000 | 0x03500fff | Private Memory | Readable, Writable |
|
|||
private_0x0000000003510000 | 0x03510000 | 0x03510fff | Private Memory | Readable, Writable |
|
|||
private_0x0000000003520000 | 0x03520000 | 0x0359ffff | Private Memory | Readable, Writable |
|
|||
private_0x00000000035a0000 | 0x035a0000 | 0x0361ffff | Private Memory | Readable, Writable |
|
|||
private_0x0000000003630000 | 0x03630000 | 0x036affff | Private Memory | Readable, Writable |
|
|||
private_0x00000000036e0000 | 0x036e0000 | 0x03727fff | Private Memory | Readable, Writable |
|
|||
private_0x0000000003750000 | 0x03750000 | 0x03750fff | Private Memory | Readable, Writable |
|
|||
thumbcache_1024.db | 0x03770000 | 0x03770fff | Memory Mapped File | Readable, Writable |
|
|||
{3978ea0a-1c7e-4449-8ae1-e1265f039002}.2.ver0x0000000000000003.db | 0x03780000 | 0x03780fff | Memory Mapped File | Readable |
|
|||
private_0x0000000003790000 | 0x03790000 | 0x0380ffff | Private Memory | Readable, Writable |
|
|||
staticcache.dat | 0x03810000 | 0x0413ffff | Memory Mapped File | Readable |
|
|||
cversions.2.db | 0x04140000 | 0x04143fff | Memory Mapped File | Readable |
|
|||
{4e36ea69-73d1-4458-9d16-50f8e31a69a0}.2.ver0x0000000000000001.db | 0x04150000 | 0x04150fff | Memory Mapped File | Readable |
|
|||
private_0x0000000004160000 | 0x04160000 | 0x041affff | Private Memory | Readable, Writable |
|
|||
thumbcache_sr.db | 0x04200000 | 0x04200fff | Memory Mapped File | Readable, Writable |
|
|||
private_0x0000000004210000 | 0x04210000 | 0x0428ffff | Private Memory | Readable, Writable |
|
|||
thumbcache_idx.db | 0x04290000 | 0x04290fff | Memory Mapped File | Readable, Writable |
|
|||
pagefile_0x00000000042a0000 | 0x042a0000 | 0x042a0fff | Pagefile Backed Memory | Readable, Writable |
|
|||
thumbcache_1024.db | 0x042b0000 | 0x042b0fff | Memory Mapped File | Readable, Writable |
|
|||
thumbcache_sr.db | 0x042c0000 | 0x042c0fff | Memory Mapped File | Readable, Writable |
|
|||
private_0x00000000042d0000 | 0x042d0000 | 0x0434ffff | Private Memory | Readable, Writable |
|
|||
pagefile_0x0000000004350000 | 0x04350000 | 0x04350fff | Pagefile Backed Memory | Readable |
|
|||
wdmaud.drv.mui | 0x04360000 | 0x04360fff | Memory Mapped File | Readable, Writable |
|
|||
mmdevapi.dll.mui | 0x04370000 | 0x04370fff | Memory Mapped File | Readable, Writable |
|
|||
private_0x0000000004380000 | 0x04380000 | 0x04381fff | Private Memory | Readable, Writable |
|
|||
private_0x0000000004390000 | 0x04390000 | 0x0440ffff | Private Memory | Readable, Writable |
|
|||
private_0x0000000004410000 | 0x04410000 | 0x04442fff | Private Memory | Readable, Writable |
|
|||
pagefile_0x0000000004450000 | 0x04450000 | 0x04451fff | Pagefile Backed Memory | Readable |
|
|||
thumbcache_idx.db | 0x04460000 | 0x04460fff | Memory Mapped File | Readable, Writable |
|
|||
private_0x0000000004470000 | 0x04470000 | 0x044effff | Private Memory | Readable, Writable |
|
|||
pagefile_0x00000000044f0000 | 0x044f0000 | 0x044f0fff | Pagefile Backed Memory | Readable |
|
|||
pagefile_0x0000000004500000 | 0x04500000 | 0x04501fff | Pagefile Backed Memory | Readable |
|
|||
pagefile_0x0000000004510000 | 0x04510000 | 0x04511fff | Pagefile Backed Memory | Readable |
|
|||
pagefile_0x0000000004520000 | 0x04520000 | 0x04521fff | Pagefile Backed Memory | Readable |
|
|||
pagefile_0x0000000004530000 | 0x04530000 | 0x04531fff | Pagefile Backed Memory | Readable |
|
|||
cversions.2.db | 0x04540000 | 0x04543fff | Memory Mapped File | Readable |
|
|||
private_0x0000000004550000 | 0x04550000 | 0x045cffff | Private Memory | Readable, Writable |
|
|||
pagefile_0x00000000045d0000 | 0x045d0000 | 0x045d1fff | Pagefile Backed Memory | Readable |
|
|||
private_0x00000000045e0000 | 0x045e0000 | 0x045e0fff | Private Memory | Readable, Writable, Executable |
|
|||
thumbcache_1024.db | 0x045f0000 | 0x045f0fff | Memory Mapped File | Readable, Writable |
|
|||
thumbcache_sr.db | 0x04600000 | 0x04600fff | Memory Mapped File | Readable, Writable |
|
|||
thumbcache_idx.db | 0x04610000 | 0x04610fff | Memory Mapped File | Readable, Writable |
|
|||
pagefile_0x0000000004620000 | 0x04620000 | 0x04621fff | Pagefile Backed Memory | Readable |
|
|||
private_0x0000000004630000 | 0x04630000 | 0x046affff | Private Memory | Readable, Writable |
|
|||
private_0x00000000046b0000 | 0x046b0000 | 0x046b0fff | Private Memory | Readable, Writable |
|
|||
msctf.dll.mui | 0x046c0000 | 0x046c0fff | Memory Mapped File | Readable, Writable |
|
|||
For performance reasons, the remaining 254 entries are omitted.
The remaining entries can be found in flog.txt. |
Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
---|---|---|---|---|---|---|
Modify Memory | #10: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 0x614 | address = 0x7d50000, size = 561152 | | 1 | Fn |
Modify Control Flow | #10: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 0x614 | os_tid = 0x358, address = 0xfe91c010 | | 1 | Fn |
Modify Control Flow | #10: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 0x614 | os_tid = 0x358, address = 0x7d66ead | | 1 | Fn |
Modify Memory | #13: c:\windows\syswow64\cmstp.exe | 0x668 | address = 0x95c0000, size = 5120000 | | 1 | Fn |
Modify Memory | #13: c:\windows\syswow64\cmstp.exe | 0x668 | address = 0x8220000, size = 479232 | | 1 | Fn |
Modify Control Flow | #13: c:\windows\syswow64\cmstp.exe | 0x668 | os_tid = 0x358, address = 0x0 | | 1 | Fn |
Modify Control Flow | #13: c:\windows\syswow64\cmstp.exe | 0x668 | os_tid = 0x358, address = 0x8239e96 | | 1 | Fn |

Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | C:\Windows\SysWOW64\rdpclip.exe | os_pid = 0x0, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE | | 1 | Fn |
Create | C:\Windows\SysWOW64\autochk.exe | os_pid = 0x0, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE | | 1 | Fn |
Create | C:\Windows\SysWOW64\cmstp.exe | os_pid = 0x634, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE | | 1 | Fn |

Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Create | mutex_name = S-1-5-21-3388679-8441793209033 | | 1 | Fn |
Information | Value |
---|---|
ID | #12 |
File Name | c:\windows\syswow64\autochk.exe |
Command Line | "C:\Windows\SysWOW64\autochk.exe" |
Initial Working Directory | C:\Windows\system32\ |
Monitor | Start Time: 00:02:31, Reason: Child Process |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:02:50 |
Remarks | No high level activity detected in monitored regions |
Information | Value |
---|---|
PID | 0x624 |
Parent PID | 0x34c (c:\windows\explorer.exe) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs | 0x628 |
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | | | | |
apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | | | | |
private_0x00000000000d0000 | 0x000d0000 | 0x0010ffff | Private Memory | Readable, Writable | | | | |
private_0x00000000001a0000 | 0x001a0000 | 0x001dffff | Private Memory | Readable, Writable | | | | |
autochk.exe | 0x00ba0000 | 0x00c45fff | Memory Mapped File | Readable, Writable, Executable | | | | |
ntdll.dll | 0x772b0000 | 0x77458fff | Memory Mapped File | Readable, Writable, Executable | | | | |
ntdll.dll | 0x77490000 | 0x7760ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable | | | | |
private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable | | | | |
private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable | | | | |
private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable | | | | |
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | | | | |
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | | | |
private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable | | | | |

Information | Value |
---|---|
ID | #13 |
File Name | c:\windows\syswow64\cmstp.exe |
Command Line | "C:\Windows\SysWOW64\cmstp.exe" |
Initial Working Directory | C:\Windows\system32\ |
Monitor | Start Time: 00:02:31, Reason: Child Process |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:02:50 |
Information | Value |
---|---|
PID | 0x634 |
Parent PID | 0x34c (c:\windows\explorer.exe) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs | 0x668, 0x6D0, 0x6E4, 0x46C, 0x63C, 0x5C8 |
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable | | | | |
pagefile_0x0000000000020000 | 0x00020000 | 0x00026fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000030000 | 0x00030000 | 0x00031fff | Pagefile Backed Memory | Readable, Writable | | | | |
apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | | | | |
pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000060000 | 0x00060000 | 0x00060fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000070000 | 0x00070000 | 0x00093fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
cmstp.exe.mui | 0x000a0000 | 0x000a4fff | Memory Mapped File | Readable, Writable | | | | |
private_0x00000000000b0000 | 0x000b0000 | 0x000b0fff | Private Memory | Readable, Writable | | | | |
private_0x00000000000c0000 | 0x000c0000 | 0x000c0fff | Private Memory | Readable, Writable | | | | |
private_0x00000000000d0000 | 0x000d0000 | 0x000dffff | Private Memory | Readable, Writable | | | | |
private_0x00000000000e0000 | 0x000e0000 | 0x000e0fff | Private Memory | Readable, Writable | | | | |
private_0x00000000000f0000 | 0x000f0000 | 0x0012ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000130000 | 0x00130000 | 0x00153fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
private_0x0000000000160000 | 0x00160000 | 0x00160fff | Private Memory | Readable, Writable | | | | |
private_0x0000000000170000 | 0x00170000 | 0x00170fff | Private Memory | Readable, Writable | | | | |
private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | Readable, Writable | | | | |
locale.nls | 0x001c0000 | 0x00226fff | Memory Mapped File | Readable | | | | |
private_0x0000000000230000 | 0x00230000 | 0x00253fff | Private Memory | Readable, Writable | | | | |
private_0x0000000000260000 | 0x00260000 | 0x002c4fff | Private Memory | Readable, Writable, Executable | | | | |
private_0x00000000002e0000 | 0x002e0000 | 0x0035ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000380000 | 0x00380000 | 0x003bffff | Private Memory | Readable, Writable | | | | |
private_0x00000000003c0000 | 0x003c0000 | 0x00424fff | Private Memory | Readable, Writable, Executable | | | | |
private_0x0000000000440000 | 0x00440000 | 0x0047ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000480000 | 0x00480000 | 0x0057ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000580000 | 0x00580000 | 0x005f4fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
pagefile_0x0000000000580000 | 0x00580000 | 0x00600fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
pagefile_0x0000000000580000 | 0x00580000 | 0x005c3fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
private_0x00000000005a0000 | 0x005a0000 | 0x005dffff | Private Memory | Readable, Writable | | | | |
private_0x00000000005c0000 | 0x005c0000 | 0x005fffff | Private Memory | Readable, Writable | | | | |
cmstp.exe | 0x00630000 | 0x00647fff | Memory Mapped File | Readable, Writable, Executable | | | | |
pagefile_0x0000000000630000 | 0x00630000 | 0x00647fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
pagefile_0x0000000000650000 | 0x00650000 | 0x007d7fff | Pagefile Backed Memory | Readable | | | | |
private_0x00000000007e0000 | 0x007e0000 | 0x007effff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000007f0000 | 0x007f0000 | 0x00970fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000980000 | 0x00980000 | 0x01d7ffff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000001d80000 | 0x01d80000 | 0x01e7afff | Private Memory | Readable, Writable | | | | |
private_0x0000000001e80000 | 0x01e80000 | 0x01f4ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000001eb0000 | 0x01eb0000 | 0x01eeffff | Private Memory | Readable, Writable | | | | |
private_0x0000000001ec0000 | 0x01ec0000 | 0x02040fff | Private Memory | Readable, Writable | | | | |
private_0x0000000001f10000 | 0x01f10000 | 0x01f4ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000001f50000 | 0x01f50000 | 0x0202efff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000002050000 | 0x02050000 | 0x02352fff | Private Memory | Readable, Writable, Executable | | | | |
pagefile_0x0000000002360000 | 0x02360000 | 0x02841fff | Pagefile Backed Memory | Readable, Writable | | | | |
private_0x0000000002850000 | 0x02850000 | 0x0296ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002850000 | 0x02850000 | 0x0294ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002880000 | 0x02880000 | 0x028bffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002930000 | 0x02930000 | 0x0296ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002960000 | 0x02960000 | 0x0296ffff | Private Memory | Readable, Writable | | | | |
sortdefault.nls | 0x02970000 | 0x02c3efff | Memory Mapped File | Readable | | | | |
private_0x0000000002c60000 | 0x02c60000 | 0x02c9ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002cc0000 | 0x02cc0000 | 0x02cfffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002cd0000 | 0x02cd0000 | 0x02d0ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000002d00000 | 0x02d00000 | 0x031f1fff | Private Memory | Readable, Writable | | | | |
uxtheme.dll | 0x737e0000 | 0x7385ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
wow64cpu.dll | 0x73a00000 | 0x73a07fff | Memory Mapped File | Readable, Writable, Executable | | | | |
wow64win.dll | 0x73a10000 | 0x73a6bfff | Memory Mapped File | Readable, Writable, Executable | | | | |
wow64.dll | 0x73a70000 | 0x73aaefff | Memory Mapped File | Readable, Writable, Executable | | | | |
windowscodecs.dll | 0x74bc0000 | 0x74cbafff | Memory Mapped File | Readable, Writable, Executable | | | | |
msvcr100.dll | 0x74bd0000 | 0x74c8efff | Memory Mapped File | Readable, Writable, Executable | | | | |
nss3.dll | 0x74c90000 | 0x74e44fff | Memory Mapped File | Readable, Writable, Executable | | | | |
gdiplus.dll | 0x74cc0000 | 0x74e4ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
wsock32.dll | 0x74e60000 | 0x74e66fff | Memory Mapped File | Readable, Writable, Executable | | | | |
winmm.dll | 0x74f70000 | 0x74fa1fff | Memory Mapped File | Readable, Writable, Executable | | | | |
vaultcli.dll | 0x74fa0000 | 0x74fabfff | Memory Mapped File | Readable, Writable, Executable | | | | |
version.dll | 0x74fb0000 | 0x74fb8fff | Memory Mapped File | Readable, Writable, Executable | | | | |
cmutil.dll | 0x74fc0000 | 0x74fcdfff | Memory Mapped File | Readable, Writable, Executable | | | | |
cryptbase.dll | 0x74fe0000 | 0x74febfff | Memory Mapped File | Readable, Writable, Executable | | | | |
sspicli.dll | 0x74ff0000 | 0x7504ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
shell32.dll | 0x75080000 | 0x75cc9fff | Memory Mapped File | Readable, Writable, Executable | | | | |
shlwapi.dll | 0x75cd0000 | 0x75d26fff | Memory Mapped File | Readable, Writable, Executable | | | | |
oleaut32.dll | 0x760d0000 | 0x7615efff | Memory Mapped File | Readable, Writable, Executable | | | | |
msctf.dll | 0x76160000 | 0x7622bfff | Memory Mapped File | Readable, Writable, Executable | | | | |
advapi32.dll | 0x76260000 | 0x762fffff | Memory Mapped File | Readable, Writable, Executable | | | | |
gdi32.dll | 0x76300000 | 0x7638ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
imm32.dll | 0x764d0000 | 0x7652ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
kernel32.dll | 0x76720000 | 0x7682ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
nsi.dll | 0x768c0000 | 0x768c5fff | Memory Mapped File | Readable, Writable, Executable | | | | |
rpcrt4.dll | 0x768f0000 | 0x769dffff | Memory Mapped File | Readable, Writable, Executable | | | | |
ole32.dll | 0x76b00000 | 0x76c5bfff | Memory Mapped File | Readable, Writable, Executable | | | | |
ws2_32.dll | 0x76c60000 | 0x76c94fff | Memory Mapped File | Readable, Writable, Executable | | | | |
msvcrt.dll | 0x76ca0000 | 0x76d4bfff | Memory Mapped File | Readable, Writable, Executable | | | | |
lpk.dll | 0x76d50000 | 0x76d59fff | Memory Mapped File | Readable, Writable, Executable | | | | |
usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | Readable, Writable, Executable | | | | |
kernelbase.dll | 0x76e10000 | 0x76e55fff | Memory Mapped File | Readable, Writable, Executable | | | | |
sechost.dll | 0x76e70000 | 0x76e88fff | Memory Mapped File | Readable, Writable, Executable | | | | |
user32.dll | 0x76f90000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
private_0x0000000077090000 | 0x77090000 | 0x771aefff | Private Memory | Readable, Writable, Executable | | | | |
private_0x00000000771b0000 | 0x771b0000 | 0x772a9fff | Private Memory | Readable, Writable, Executable | | | | |
ntdll.dll | 0x772b0000 | 0x77458fff | Memory Mapped File | Readable, Writable, Executable | | | | |
ntdll.dll | 0x77490000 | 0x7760ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
private_0x000000007efaa000 | 0x7efaa000 | 0x7efacfff | Private Memory | Readable, Writable | | | | |
private_0x000000007efad000 | 0x7efad000 | 0x7efaffff | Private Memory | Readable, Writable | | | | |
pagefile_0x000000007efb0000 | 0x7efb0000 | 0x7efd2fff | Pagefile Backed Memory | Readable | | | | |
private_0x000000007efd5000 | 0x7efd5000 | 0x7efd7fff | Private Memory | Readable, Writable | | | | |
private_0x000000007efd8000 | 0x7efd8000 | 0x7efdafff | Private Memory | Readable, Writable | | | | |
private_0x000000007efdb000 | 0x7efdb000 | 0x7efddfff | Private Memory | Readable, Writable | | | | |
private_0x000000007efde000 | 0x7efde000 | 0x7efdefff | Private Memory | Readable, Writable | | | | |
private_0x000000007efdf000 | 0x7efdf000 | 0x7efdffff | Private Memory | Readable, Writable | | | | |
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | | | | |
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable | | | | |
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | | | |
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | | | |
private_0x000000007fff0000 | 0x7fff0000 | 0x7fffffeffff | Private Memory | Readable | | | | |

Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
---|---|---|---|---|---|---|
Modify Memory | #10: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 0x614 | address = 0x70000, size = 147456 | | 1 | Fn |
Modify Memory | #10: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr | 0x614 | address = 0x630000, size = 98304 | | 1 | Fn |

Operation | Filename | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 2 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\igfxonux.scr | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 2 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ | | 1 | Fn |
Create | \??\C:\Windows\System32\drivers\etc\hosts | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 2 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV | desired_access = FILE_READ_DATA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-log.ini | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 2 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logri.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Opera Software\Opera Stable\Login Data | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrv.ini | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Create | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 2 | Fn |
Get Info | \??\C:\Windows\SysWOW64\ntdll.dll | type = extended | | 2 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | type = extended | | 2 | Fn |
Get Info | \??\C:\Windows\System32\drivers\etc\hosts | type = extended | | 2 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | type = extended | | 2 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini | type = extended | | 1 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logri.ini | type = extended | | 1 | Fn |
Get Info | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = extended | | 1 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = extended | | 1 | Fn |
Get Info | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrv.ini | type = extended | | 1 | Fn |
Get Info | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = extended | | 2 | Fn |
Read | \??\C:\Windows\System32\drivers\etc\hosts | offset = 0, size = 824 | | 1 | Fn, Data |
Read | \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr | offset = 0, size = 290816 | | 1 | Fn, Data |
Read | \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | offset = 0, size = 275568 | | 1 | Fn, Data |

Operation | Key | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | | | 1 | Fn |
Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | | | 1 | Fn |
Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ | | | 1 | Fn |
Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main | | | 1 | Fn |
Create Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\ | | | 1 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | | | 18 | Fn |
Create Key | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | | | 14 | Fn |
Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | value_name = ProductName | | 1 | Fn |
Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ | value_name = CurrentVersion | | 1 | Fn |
Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main | value_name = Install Directory | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | | | 1 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | | | 18 | Fn |
Enumerate Values | HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | | | 14 | Fn |

Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | os_pid = 0x6dc, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, show_window = SW_HIDE | | 1 | Fn |
Get Info | c:\windows\explorer.exe | type = PROCESS_WOW64_INFORMATION | | 1 | Fn |
Get Info | c:\windows\explorer.exe | type = PROCESS_BASIC_INFORMATION | | 1 | Fn |
Get Info | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = PROCESS_WOW64_INFORMATION | | 1 | Fn |
Get Info | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | type = PROCESS_BASIC_INFORMATION | | 1 | Fn |
Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION | | 2 | Fn |

Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Open | c:\windows\explorer.exe | os_tid = 0x358 | | 1 | Fn |
Suspend | c:\windows\explorer.exe | os_tid = 0x358 | | 1 | Fn |
Get Context | c:\windows\explorer.exe | os_tid = 0x358 | | 1 | Fn |
Queue APC | c:\windows\explorer.exe | os_tid = 0x358 | | 1 | Fn |
Set Context | c:\windows\explorer.exe | os_tid = 0x358 | | 1 | Fn |
Resume | c:\windows\explorer.exe | os_tid = 0x358 | | 1 | Fn |
Resume | c:\windows\syswow64\cmstp.exe | os_tid = 0x668 | | 1 | Fn |

Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Read | c:\windows\explorer.exe | address = 0x7fffffd4000, size = 64 | | 1 | Fn, Data |
Read | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | address = 0xfffde000, size = 32 | | 1 | Fn, Data |
Read | C:\Program Files (x86)\Mozilla Firefox\Firefox.exe | address = 0x1190000, size = 278528 | | 1 | Fn, Data |

Operation | Module | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Load | C:\Program Files (x86)\Mozilla Firefox\nss3.dll | base_address = 0xc0000135 | | 1 | Fn |
Load | winsqlite3.dll | base_address = 0xc0000135 | | 1 | Fn |
Load | vaultcli.dll | base_address = 0x0 | | 1 | Fn |
Load | gdiplus.dll | base_address = 0x0 | | 1 | Fn |
Create Mapping | | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1829296 | | 1 | Fn |
Create Mapping | | protection = PAGE_READWRITE, maximum_size = 1827868 | | 1 | Fn |
Create Mapping | | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1825568 | | 1 | Fn |
Create Mapping | | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1827900 | | 1 | Fn |
Create Mapping | | protection = PAGE_EXECUTE_READWRITE, maximum_size = 1827952 | | 1 | Fn |
Map | | process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x130000 | | 1 | Fn |
Map | | process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_READWRITE, address_out = 0x2360000 | | 1 | Fn |
Map | | process_name = c:\windows\explorer.exe, protection = PAGE_READWRITE, address_out = 0x95c0000 | | 1 | Fn |
Map | | process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x8220000 | | 1 | Fn |
Map | | process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x580000 | | 1 | Fn |
Map | | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_READWRITE, address_out = 0x3e0000 | | 1 | Fn |
Map | | process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x580000 | | 1 | Fn |
Map | | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x70000 | | 1 | Fn |
Map | | process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x580000 | | 1 | Fn |
Map | | process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1190000 | | 1 | Fn |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Sleep | duration = 1828376 milliseconds (1828.376 seconds) | | 1 | Fn |
Sleep | duration = 1829336 milliseconds (1829.336 seconds) | | 32 | Fn |
Get Info | type = SYSTEM_PROCESS_INFORMATION | | 34 | Fn |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Create | mutex_name = L53886-WGVVJKAFC, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | Fn |
Create | mutex_name = 8Q-59UAVA1ZvGWMZ, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | | 1 | Fn |
Operation | Additional Information | Success | Count | Logfile |
---|---|---|---|---|
Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Mozilla Firefox, environment = 0 | | 1 | Fn |
Set Environment String | name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\, environment = 0 | | 1 | Fn |
Operation | Process | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Check for Presence | c:\windows\syswow64\cmstp.exe | | | 1 | Fn |
Information | Value |
---|---|
ID | #14 |
File Name | c:\program files (x86)\mozilla firefox\firefox.exe |
Command Line | "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" |
Initial Working Directory | C:\Windows\system32\ |
Monitor | Start Time: 00:02:44, Reason: Child Process |
Unmonitor | End Time: 00:05:21, Reason: Terminated by Timeout |
Monitor Duration | 00:02:37 |
Information | Value |
---|---|
PID | 0x6dc |
Parent PID | 0x634 (c:\windows\syswow64\cmstp.exe) |
Is Created or Modified Executable | |
Integrity Level | Medium |
Username | XDUWTFONO\5p5NrGJn0jS HALPmcxz |
Groups | |
Enabled Privileges | SeChangeNotifyPrivilege |
Thread IDs | 0x6F8 |
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match | Actions |
---|---|---|---|---|---|---|---|---|
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | | | | |
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable | | | | |
private_0x0000000000020000 | 0x00020000 | 0x00020fff | Private Memory | Readable, Writable | | | | |
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | | | | |
private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable | | | | |
apisetschema.dll | 0x00040000 | 0x00040fff | Memory Mapped File | Readable, Writable, Executable | | | | |
pagefile_0x0000000000050000 | 0x00050000 | 0x00053fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000060000 | 0x00060000 | 0x00062fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000070000 | 0x00070000 | 0x000f0fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
locale.nls | 0x00100000 | 0x00166fff | Memory Mapped File | Readable | | | | |
private_0x0000000000180000 | 0x00180000 | 0x001bffff | Private Memory | Readable, Writable | | | | |
private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000240000 | 0x00240000 | 0x0024ffff | Private Memory | Readable, Writable | | | | |
private_0x00000000002e0000 | 0x002e0000 | 0x003dffff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000003e0000 | 0x003e0000 | 0x008c1fff | Pagefile Backed Memory | Readable, Writable | | | | |
private_0x0000000000950000 | 0x00950000 | 0x009cffff | Private Memory | Readable, Writable | | | | |
pagefile_0x00000000009d0000 | 0x009d0000 | 0x00b57fff | Pagefile Backed Memory | Readable | | | | |
pagefile_0x0000000000b60000 | 0x00b60000 | 0x00ce0fff | Pagefile Backed Memory | Readable | | | | |
private_0x0000000000cf0000 | 0x00cf0000 | 0x00deffff | Private Memory | Readable, Writable | | | | |
private_0x0000000000e50000 | 0x00e50000 | 0x00e5ffff | Private Memory | Readable, Writable | | | | |
ntdll.dll | 0x00e60000 | 0x00fdffff | Memory Mapped File | Readable, Writable, Executable | | | | |
firefox.exe | 0x01190000 | 0x011d3fff | Memory Mapped File | Readable, Writable, Executable | | | | |
pagefile_0x0000000001190000 | 0x01190000 | 0x011d3fff | Pagefile Backed Memory | Readable, Writable, Executable | | | | |
pagefile_0x00000000011e0000 | 0x011e0000 | 0x025dffff | Pagefile Backed Memory | Readable | | | | |
wow64cpu.dll | 0x73a00000 | 0x73a07fff | Memory Mapped File | Readable, Writable, Executable | | | | |
wow64win.dll | 0x73a10000 | 0x73a6bfff | Memory Mapped File | Readable, Writable, Executable | | | | |
wow64.dll | 0x73a70000 | 0x73aaefff | Memory Mapped File | Readable, Writable, Executable | | | | |
msvcp100.dll | 0x74860000 | 0x748c8fff | Memory Mapped File | Readable, Writable, Executable | | | | |
mozglue.dll | 0x748d0000 | 0x748f1fff | Memory Mapped File | Readable, Writable, Executable | | | | |
winmm.dll | 0x74900000 | 0x74931fff | Memory Mapped File | Readable, Writable, Executable | | | | |
nss3.dll | 0x74940000 | 0x74af4fff | Memory Mapped File | Readable, Writable, Executable | | | | |
msvcr100.dll | 0x74b00000 | 0x74bbdfff | Memory Mapped File | Readable, Writable, Executable | | | | |
wsock32.dll | 0x74f90000 | 0x74f96fff | Memory Mapped File | Readable, Writable, Executable | | | | |
cryptbase.dll | 0x74fe0000 | 0x74febfff | Memory Mapped File | Readable, Writable, Executable | | | | |
sspicli.dll | 0x74ff0000 | 0x7504ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
msctf.dll | 0x76160000 | 0x7622bfff | Memory Mapped File | Readable, Writable, Executable | | | | |
advapi32.dll | 0x76260000 | 0x762fffff | Memory Mapped File | Readable, Writable, Executable | | | | |
gdi32.dll | 0x76300000 | 0x7638ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
imm32.dll | 0x764d0000 | 0x7652ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
kernel32.dll | 0x76720000 | 0x7682ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
nsi.dll | 0x768c0000 | 0x768c5fff | Memory Mapped File | Readable, Writable, Executable | | | | |
rpcrt4.dll | 0x768f0000 | 0x769dffff | Memory Mapped File | Readable, Writable, Executable | | | | |
crypt32.dll | 0x769e0000 | 0x76afcfff | Memory Mapped File | Readable, Writable, Executable | | | | |
ws2_32.dll | 0x76c60000 | 0x76c94fff | Memory Mapped File | Readable, Writable, Executable | | | | |
msvcrt.dll | 0x76ca0000 | 0x76d4bfff | Memory Mapped File | Readable, Writable, Executable | | | | |
lpk.dll | 0x76d50000 | 0x76d59fff | Memory Mapped File | Readable, Writable, Executable | | | | |
usp10.dll | 0x76d70000 | 0x76e0cfff | Memory Mapped File | Readable, Writable, Executable | | | | |
kernelbase.dll | 0x76e10000 | 0x76e55fff | Memory Mapped File | Readable, Writable, Executable | | | | |
msasn1.dll | 0x76e60000 | 0x76e6bfff | Memory Mapped File | Readable, Writable, Executable | | | | |
sechost.dll | 0x76e70000 | 0x76e88fff | Memory Mapped File | Readable, Writable, Executable | | | | |
user32.dll | 0x76f90000 | 0x7708ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
private_0x0000000077090000 | 0x77090000 | 0x771aefff | Private Memory | Readable, Writable, Executable | | | | |
private_0x00000000771b0000 | 0x771b0000 | 0x772a9fff | Private Memory | Readable, Writable, Executable | | | | |
ntdll.dll | 0x772b0000 | 0x77458fff | Memory Mapped File | Readable, Writable, Executable | | | | |
ntdll.dll | 0x77490000 | 0x7760ffff | Memory Mapped File | Readable, Writable, Executable | | | | |
private_0x000000007efe0000 | 0x7efe0000 | 0x7ffdffff | Private Memory | Readable | | | | |
pagefile_0x000000007efe0000 | 0x7efe0000 | 0x7f0dffff | Pagefile Backed Memory | Readable | | | | |
private_0x000000007f0e0000 | 0x7f0e0000 | 0x7ffdffff | Private Memory | Readable | | | | |
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | | | | |
pagefile_0x00000000fffb0000 | 0xfffb0000 | 0xfffd2fff | Pagefile Backed Memory | Readable | | | | |
private_0x00000000fffdb000 | 0xfffdb000 | 0xfffddfff | Private Memory | Readable, Writable | | | | |
private_0x00000000fffde000 | 0xfffde000 | 0xfffdefff | Private Memory | Readable, Writable | | | | |
private_0x00000000fffdf000 | 0xfffdf000 | 0xfffdffff | Private Memory | Readable, Writable | | | | |
private_0x00000000fffe0000 | 0xfffe0000 | 0x7fffffeffff | Private Memory | Readable | | | | |
Injection Type | Source Process | Source Os Thread ID | Injection Info | Success | Count | Logfile |
---|---|---|---|---|---|---|
Modify Memory | #13: c:\windows\syswow64\cmstp.exe | 0x668 | address = 0x3e0000, size = 5120000 | | 1 | Fn |
Modify Memory | #13: c:\windows\syswow64\cmstp.exe | 0x668 | address = 0x70000, size = 528384 | | 1 | Fn |
Modify Memory | #13: c:\windows\syswow64\cmstp.exe | 0x668 | address = 0x1190000, size = 278528 | | 1 | Fn |
Operation | Filename | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create | \??\C:\Windows\SysWOW64\ntdll.dll | desired_access = FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE | | 1 | Fn |
Operation | Module | Additional Information | Success | Count | Logfile |
---|---|---|---|---|---|
Create Mapping | | protection = PAGE_EXECUTE, maximum_size = 0 | | 1 | Fn |
Map | | process_name = c:\program files (x86)\mozilla firefox\firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xe60000 | | 1 | Fn |